Users of the free, open source KeePass password manager got unwelcome news on Tuesday, after a private security researcher claimed to have discovered a remotely exploitable security hole that could give an attacker access to unencrypted user passwords. However, KeePass’s creator calls the hole minor, and unlikely to be used in an attack.
Researcher Benjamin Kunz Mejri of Vulnerability Lab said in an e-mail to Threatpost that he had discovered the hole in a software filter and validation feature in KeePass Password Manager up to and including v1.22. If exploited, the hole would enable an attacker with access to a machine running the KeePass software to inject malicious script by passing the html/xml export feature a specially crafted file.
A successful attacker would need a manipulated URL with malicious script code, a logging server with read, write and execute (chmod 777) permissions, a listing file and a valid KeePass v1.22 user (aka: the victim), Kunz Mejri wrote. Once exploited, the hole gives the attacker the ability to steal plain password lists, among other attacks, Kunz Mejri warned.
The security hole is rated “medium” – a reflection of the need for attackers to obtain local access to a vulnerable system, and to fool users into importing malicious content without noticing that it’s malicious.
“In my opinion the vulnerability is rather minor,” KeePass creator Dominik Reichl wrote to Threatpost. “An attacker would need to make a user import malicious data without noticing it, export the database to an HTML file and open it.” Reichl said a fix was ready and would be released with KeePass Version 1.23 in a few months. A developer version of KeePass with the fix implemented has been released.
Kunz Mejri said the vulnerability is remotely exploitable. “If I for example manipulate a login website with the malicious script code and you as KeePass user save it via for example auto url type … then it’s definitely remotely exploitable but requires low or medium user interaction,” he wrote.
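To illustrate the class of bug the two sides are arguing about, here is an added example that is not from the article and not KeePass’s own code: a hypothetical HTML exporter that copies entry fields verbatim, beside a hardened version that escapes every field, and a simple check a reviewer could run over an exported file. The entries, field names and the `<script>` test string are constructed for the example.

```python
import html

# Constructed sample entries. The second one carries script in its URL field,
# standing in for the "specially crafted" data a user could be tricked into
# importing (e.g. via the auto-type URL the researcher mentions).
ENTRIES = [
    {"title": "Mail", "url": "https://mail.example.test", "user": "alice"},
    {"title": "Shop", "url": "<script>alert(1)</script>", "user": "bob"},
]

FIELDS = ("title", "url", "user")


def export_unescaped(entries):
    """Hypothetical vulnerable exporter: fields go into the HTML untouched,
    so any markup stored in an entry becomes live markup in the export."""
    rows = "".join(
        "<tr>" + "".join(f"<td>{e[k]}</td>" for k in FIELDS) + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def export_escaped(entries):
    """Hardened exporter: every field is HTML-escaped (including quotes, so the
    same helper is safe inside attribute values) before it is inserted."""
    rows = "".join(
        "<tr>"
        + "".join(f"<td>{html.escape(e[k], quote=True)}</td>" for k in FIELDS)
        + "</tr>"
        for e in entries
    )
    return f"<table>{rows}</table>"


def contains_active_content(document):
    """Defensive check for an exported file: a password export should be
    static data, so a raw <script tag in it is a red flag."""
    return "<script" in document.lower()


if __name__ == "__main__":
    print("unescaped export flagged:", contains_active_content(export_unescaped(ENTRIES)))
    print("escaped export flagged:  ", contains_active_content(export_escaped(ENTRIES)))
```

Opening the unescaped export in a browser would run the stored script with access to the whole plaintext table; the escaped export renders the same string as inert text.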
KeePass is a free and open source password management tool that is distributed under the GPL license. The product was first released in 2006 and is designed to prevent password reuse by individuals who must manage access to dozens (or more) of different Web sites and applications. It allows users of a variety of operating systems to store passwords for applications and Web sites securely, then access them using only a single master password. It’s not the only password management tool to run into choppy waters on security. KeePass’s main competitor, LastPass, was discovered to be harboring a critical security hole on its Web site that could be used to reveal sensitive account data. In May of 2011, the site advised customers to change their passwords after detecting a larger security breach on its Web site.