POC详情: 77fc0938cf7d9d960e5ccfba8f1878bd91005293

来源
https://github.com/CTM1/CVE-2023-32784-keepass-linux
关联漏洞
标题: KeePass 安全漏洞 (CVE-2023-32784)
描述:KeePass是一款开源的密码管理器。 KeePass 2.54之前的2.x版本存在安全漏洞,该漏洞源于即使工作区被锁定或不再运行,也可以从内存转储中恢复明文主密码。
描述
KeePass Master Password Extraction PoC for Linux
介绍
# KeePass 2.53< Master Password Dumper PoC ([CVE-2023-32784](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784)) for Linux

Thanks to [vdohney](https://github.com/vdohney) for finding this vulnerability and responsibly reporting it, and Dominik Reichl for the great open source software and quick acknowledgement/fix of the issue.

## Should I be worried ?
Probably not. This exploit requires access to the `/proc` virtual filesystem. Specifically, `proc/[pid]/mem`. 
As per the proc manfile, access to this file is governed by a `ptrace` access mode, `PTRACE_MODE_ATTACH_FSCREDS`, which is limited to the root user in most systems.

If a malicious actor already has access to those files, you should have bigger worries.

## Fix pls ?
Please update to KeePass 2.54 as soon as it is released (~July 2023), for it will somewhat mitigate this issue. ([Forum](https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9))

## How does it work ?
First it starts by dumping the Keepass' process memory.

The default behaviour will be to scan all `/proc/<pid>/cmdline` files and store the `pid` of ones with the keyword `KeePass` in their commandline argument.

It'll then acquire the adresses of memory maps in `/proc/<pid>/maps` that aren't directly associated with a library, meaning they have an empty file path. 

It'll then store the memory of all those maps into a buffer by taking advantage of `/proc/<pid>/mem`. This would be a primitive behaviour to dump the memory of any process on Linux.

It'll parse the memory to try and find leftover strings from when the user typed his master password, strings that look like so `•a, ••s, •••s`, in sequence . The first letter will be missing. You can find some other functionality by looking at the code.

`gcc dump_pwd.c -o dump` and you're ready to go.

![exp_gif](https://github.com/CTM1/CVE-2023-32784-keepass-linux/blob/master/dump_pwd.gif)
文件快照

 [4.0K]  /data/pocs/77fc0938cf7d9d960e5ccfba8f1878bd91005293
├── [5.8K]  dump_pwd.c
├── [ 71K]  dump_pwd.gif
└── [1.9K]  README.md

0 directories, 3 files
神龙机器人已为您缓存
备注
    1. 建议优先通过来源进行访问。
    2. 如果因为来源失效或无法访问,请发送邮箱到 f.jinxu#gmail.com 索取本地快照(把 # 换成 @)。
    3. 神龙已为您对POC代码进行快照,为了长期维护,请考虑为本地POC付费,感谢您的支持。