
CVE-2023-32784 PoC — KeePass Security Vulnerability

Associated Vulnerability
Title: KeePass Security Vulnerability (CVE-2023-32784)
Description: KeePass is an open-source password manager. KeePass 2.x versions before 2.54 have a security vulnerability: the plaintext master password can be recovered from a memory dump even when the workspace is locked or the program is no longer running.
Readme


# CVE-2023-32784 Exploit Demonstration  

## Project Overview  
This repository provides a demonstration of CVE-2023-32784, a critical vulnerability found in KeePass versions prior to 2.54. The exploit allows the recovery of the master password through memory dumps, exposing stored credentials. This documentation outlines a step-by-step guide for setting up the exploit environment, executing the PoC tool, and understanding the mitigation strategies.  



## Vulnerability Details  

### Description  
CVE-2023-32784 is a memory leakage vulnerability in KeePass versions 2.0 through 2.53, stemming from improper handling of strings within KeePass's `SecureTextBoxEx` component. Each character entered into the master password box leaves a trace in process memory, making the password recoverable from a memory dump.  

#### Key Characteristics:  
- Severity: High  
- Exploitability: Physical or local access to memory dumps is required; no remote code execution is involved.  
- Impact: Extraction of master password (excluding the first character) from memory allows unauthorized access to stored credentials.  


## Exploit Details  

### Tools and Techniques  
The exploit leverages the KeePass Master Password Dumper tool, which uses memory pattern recognition to extract characters from memory dumps.  
- Limitations: The first character of the password is not recovered, but this is only a minor obstacle: once the remaining characters are known, the first one can be guessed or brute-forced.  
- Threat Model: This vulnerability highlights risks on shared or unattended systems, where access to memory dumps (e.g., `pagefile.sys` or `hiberfil.sys`) is possible.

---

## Exploitation Plan  

### Prerequisites  
To successfully execute this exploit, the following environment and tools are necessary:  
1. **Virtualization Software**: VMware or an equivalent tool for isolating the test environment.  
2. **Windows 10 ISO**: The operating system for the vulnerable KeePass installation.  
3. **KeePass 2.x**: A version prior to 2.54.  
4. **.NET 7 Runtime**: Required for running the PoC tool.  
5. **PoC Tool**: KeePass Password Dumper, available on GitHub.  

### Steps with Justifications  

#### 1. **Environment Setup**  
- **Why a VM?**  
  Virtual machines offer a safe and controlled environment to test vulnerabilities without risking production systems.  
- **Steps**:  
  - Install VMware and create a new VM instance with Windows 10.  
  - Install KeePass 2.x (e.g., version 2.53) and set a master password.  
  - Example Master Password: `user`.  

#### 2. **Install Dependencies**  
- **Why .NET 7?**  
  The PoC tool is built on the .NET 7 framework. Using the correct runtime ensures compatibility.  
- **Steps**:  
  - Download and install `.NET 7` from the official Microsoft website.  
  - Confirm installation using:  
    ```bash
    dotnet --version
    ```  

#### 3. **Memory Dump Creation**  
- **Why Dump KeePass Process Memory?**  
  The vulnerability lies in KeePass's memory handling. Capturing a dump allows analysis of the memory footprint, where password traces reside.  
- **Steps**:  
  - Open KeePass and unlock the database using the master password.  
  - Use Task Manager to create a `.DMP` file for the KeePass process:  
    - Locate KeePass in Task Manager.  
    - Right-click and select **Create Dump File**.  
  - Note the location of the `.DMP` file (typically in the `%TEMP%` directory).  

#### 4. **Run the PoC Tool**  
- **Why Copy the Dump to the PoC Directory?**  
  The PoC tool processes dump files within its working directory. This step ensures the correct file is analyzed.  
- **Steps**:  
  - Move the `.DMP` file to the extracted PoC folder.  
  - Rename the file to `KeePass.DMP` for consistency.  
  - Open a terminal, navigate to the PoC directory, and execute the tool:  
    ```bash
    cd Downloads/keepass-password-dumper-main  
    dotnet run KeePass.DMP  
    ```  
- **Expected Outcome**:  
  The tool will output the password characters except for the first one.

### Example Command Sequence  
```bash
cd Downloads/keepass-password-dumper-main  
dir  
dotnet run KeePass.DMP  
```  

---

## Mitigation Strategies  

### Recommended Fixes  

1. **Update KeePass**:  
   Upgrading to **KeePass 2.54** addresses the vulnerability by introducing the following improvements:  
   - Enhanced memory handling for sensitive data.  
   - Randomized string insertions to reduce predictability in memory.  

2. **Secure Memory Dumps**:  
   - Regularly clear or overwrite sensitive files such as `pagefile.sys` and `hiberfil.sys`.  
   - Restart systems periodically to flush sensitive data from memory.  

3. **Practice Secure Memory Management**:  
   Developers should adopt best practices for handling sensitive strings, such as using mutable data structures that can be overwritten in place, and explicitly clearing memory buffers as soon as the secret is no longer needed.
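   The mutable-buffer advice above, as an added C example that is not code from this repository or from KeePass: a tiny bump arena stands in for a managed heap where dead objects linger, `'*'` is an assumed stand-in for the real mask glyph, and the per-keystroke "mask characters plus newest character" string pattern described in this README is simulated beside a single buffer that is edited in place and scrubbed. `count_recoverable_chars` measures how many password characters remain readable in the arena.

   ```c
   #include <string.h>
   #define ARENA_SIZE 4096
   #define MASK '*'  /* assumption: stands in for the real mask glyph */

   /* Bump allocator that never frees or reuses memory, standing in for dead
    * heap objects that linger until the garbage collector overwrites them. */
   static unsigned char arena[ARENA_SIZE];
   static size_t arena_top;

   void arena_reset(void) { memset(arena, 0, ARENA_SIZE); arena_top = 0; }
   static char *arena_alloc(size_t n) {            /* NULL when arena is full */
       if (arena_top + n > ARENA_SIZE) return NULL;
       char *p = (char *)arena + arena_top;
       arena_top += n; return p;
   }

   /* Vulnerable pattern: every keystroke builds a fresh string of mask
    * characters plus the newly typed character; the old string is abandoned. */
   void type_password_immutable(const char *pw) {
       for (size_t i = 0; pw[i]; i++) {
           char *s = arena_alloc(i + 2);
           if (!s) return;
           memset(s, MASK, i);   /* earlier characters are masked */
           s[i] = pw[i];         /* only the newest character is plaintext */
           s[i + 1] = '\0';
       }
   }

   /* Hardened pattern: one mutable buffer edited in place, then scrubbed
    * through a volatile pointer so the compiler cannot drop the writes. */
   void type_password_mutable(const char *pw) {
       size_t len = strlen(pw);
       char *buf = arena_alloc(len + 1);
       if (!buf) return;
       memcpy(buf, pw, len + 1);
       /* ...the password would be consumed by key derivation here... */
       volatile char *v = (volatile char *)buf;
       for (size_t i = 0; i <= len; i++) v[i] = 0;
   }

   /* Residue check: count abandoned strings shaped "mask...mask c". The lone
    * first-character string has no mask prefix, so it is never counted. */
   int count_recoverable_chars(void) {
       int n = 0;
       for (size_t i = 0; i < arena_top; i += strlen((char *)arena + i) + 1) {
           const char *s = (const char *)arena + i;
           size_t len = strlen(s), m = 0;
           while (m < len && s[m] == MASK) m++;
           if (len >= 2 && m == len - 1) n++;
       }
       return n;
   }
   ```

   With the README's example password `user`, the immutable path leaves three recoverable characters (`s`, `e`, `r`, everything but the first), while the scrubbed buffer leaves none.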

---

## Important Notes  

- **Use Case for Demonstration Only**:  
  This exploit is intended for educational purposes in a controlled environment. Do not use this information maliciously.  
- **Impact Awareness**:  
  Organizations should evaluate the implications of this vulnerability on shared or multi-user systems and implement mitigations accordingly.  

## CHECK MY YOUTUBE VIDEO FOR LIVE EXPLOITATION OF THE CVE
https://youtu.be/o855F0RvI30?si=WXOtPu-jgtC31O-5

## References  
- [NVD CVE-2023-32784](https://nvd.nist.gov/vuln/detail/cve-2023-32784)  
- [KeePass Master Password Dumper (GitHub)](https://github.com/vdohney/keepass-password-dumper)  
- [Cyberis Analysis](https://www.cyberis.com/article/exploiting-keepasscve202332784)  
- [Sysdig Blog on CVE-2023-32784](https://sysdig.com/blog/keepass-cve-2023-32784-detection/)  

---

## Author  
**Bhargav Raj Dutta**  
*Bachelor of Information Technology in Cyber Security and Digital Forensics (Murdoch University)*  

For any questions or collaboration inquiries, feel free to connect on [LinkedIn](https://www.linkedin.com/in/bhargav-raj-dutta-80251a1b4).
File Snapshot

```
/data/pocs/6670c0738a58279e2bed4399e50f1a7344161aad
├── [3.3K] CVE-2023-32784-Exploit-Demo.md
├── [4.0M] CVE2023-32784-PPT.pdf
├── [678K] linkedinproject.pdf
├── [ 175] READ ME
└── [5.8K] README.md
0 directories, 5 files
```