KeePass Master Password Extraction PoC for Linux# KeePass 2.53< Master Password Dumper PoC ([CVE-2023-32784](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32784)) for Linux
Thanks to [vdohney](https://github.com/vdohney) for finding this vulnerability and responsibly reporting it, and Dominik Reichl for the great open source software and quick acknowledgement/fix of the issue.
## Should I be worried ?
Probably not. This exploit requires access to the `/proc` virtual filesystem. Specifically, `proc/[pid]/mem`.
As per the proc manfile, access to this file is governed by a `ptrace` access mode, `PTRACE_MODE_ATTACH_FSCREDS`, which is limited to the root user in most systems.
If a malicious actor already has access to those files, you should have bigger worries.
## Fix pls ?
Please update to KeePass 2.54 as soon as it is released (~July 2023), for it will somewhat mitigate this issue. ([Forum](https://sourceforge.net/p/keepass/discussion/329220/thread/f3438e6283/#37b9))
## How does it work ?
First it starts by dumping the Keepass' process memory.
The default behaviour will be to scan all `/proc/<pid>/cmdline` files and store the `pid` of ones with the keyword `KeePass` in their commandline argument.
It'll then acquire the adresses of memory maps in `/proc/<pid>/maps` that aren't directly associated with a library, meaning they have an empty file path.
It'll then store the memory of all those maps into a buffer by taking advantage of `/proc/<pid>/mem`. This would be a primitive behaviour to dump the memory of any process on Linux.
It'll parse the memory to try and find leftover strings from when the user typed his master password, strings that look like so `•a, ••s, •••s`, in sequence . The first letter will be missing. You can find some other functionality by looking at the code.
`gcc dump_pwd.c -o dump` and you're ready to go.
[4.0K] /data/pocs/77fc0938cf7d9d960e5ccfba8f1878bd91005293
├── [5.8K] dump_pwd.c
├── [ 71K] dump_pwd.gif
└── [1.9K] README.md
0 directories, 3 files