Researcher Warns Of Security Hole In KeePass Password Manager

Users of the free, open source KeePass password manager got unwelcome news on Tuesday, after a private security researcher claimed to have discovered a remotely exploitable security hole that could give an attacker access to unencrypted user passwords. However, KeePass’s creator calls the hole minor, and unlikely to be used in an attack.


Researcher Benjamin Kunz Mejri of Vulnerability Lab said in an e-mail to Threatpost that he had discovered the hole in a software filter and validation feature in KeePass Password Manager up to and including v1.22. If exploited, the hole would enable an attacker with access to a machine running the KeePass software to inject malicious script by passing the HTML/XML export feature a specially crafted file.

A successful attacker would need a manipulated URL with malicious script code, a logging server with read, write and execute (chmod 777) permissions, a listing file and a valid KeePass v1.22 user (aka: the victim), Kunz Mejri wrote. Once exploited, the hole gives the attacker the ability to steal plain password lists, among other attacks, Kunz Mejri warned.

The security hole is rated “medium” – a reflection of the need for attackers to obtain local access to a vulnerable system, and to fool users into taking certain actions to import malicious content without noticing that it is malicious.

“In my opinion the vulnerability is rather minor,” KeePass creator Dominik Reichl wrote to Threatpost. “An attacker would need to make a user import malicious data without noticing it, export the database to an HTML file and open it.” Reichl said a fix was ready and would be released with KeePass Version 1.23 in a few months. A developer version of KeePass with the fix implemented has been released.

Kunz Mejri said the vulnerability is remotely exploitable. “If i for example manipulate a login website with the malicious script code and you as keypass user save it via for example auto url type  … then its definitely remote (sp) exploitable but requires low or medium user interaction,” he wrote.
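To make the flaw class concrete, here is an added example (not KeePass's own code and not from the advisory) contrasting an HTML export that writes stored entry fields straight into markup with one that HTML-escapes every field and only turns http(s) values into links; the entries, URLs and function names are constructed for illustration.

```python
import html
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Entry:
    title: str
    username: str
    url: str

# Constructed sample entries (not from the advisory): the second URL carries
# markup, standing in for the "manipulated URL" the article says gets saved
# into an entry; the third uses a javascript: scheme instead of markup.
SAMPLE_ENTRIES = [
    Entry("Example site", "alice", "https://example.invalid/login"),
    Entry("Poisoned entry", "bob",
          'https://example.invalid/"><script>alert(1)</script>'),
    Entry("Scheme smuggling", "carol", "javascript:alert(2)"),
]

def export_html_unsafe(entries):
    """Interpolates stored fields straight into markup: the flaw class the
    article describes, where the export does no output encoding and the
    browser that opens the file interprets a field value as HTML."""
    rows = "".join(
        f"<tr><td>{e.title}</td><td>{e.username}</td>"
        f'<td><a href="{e.url}">{e.url}</a></td></tr>' for e in entries)
    return f"<table>{rows}</table>"

def safe_href(url):
    """Only http(s) URLs may become link targets; anything else is shown as
    text, since escaping alone does not neutralise a javascript: link."""
    return url if urlsplit(url).scheme in ("http", "https") else None

def export_html_safe(entries):
    """Escapes every field (quote=True also encodes quotes, so a value cannot
    break out of an attribute) and restricts which values become links."""
    def esc(s): return html.escape(s, quote=True)
    rows = []
    for e in entries:
        href = safe_href(e.url)
        link = (f'<a href="{esc(href)}">{esc(e.url)}</a>' if href
                else esc(e.url))
        rows.append(f"<tr><td>{esc(e.title)}</td><td>{esc(e.username)}</td>"
                    f"<td>{link}</td></tr>")
    return "<table>" + "".join(rows) + "</table>"

def contains_active_content(doc):
    """Cheap check to run over an export file before opening it in a browser."""
    low = doc.lower()
    return "<script" in low or 'href="javascript:' in low
```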

KeePass is a free and open source password management tool that is distributed under the GPL license. The product was first released in 2006 and is designed to prevent password reuse by individuals who must manage access to dozens (or more) of different Web sites and applications. It allows users of a variety of operating systems to store passwords for applications and Web sites securely, then access them using only a single password. It’s not the only password management tool to run into choppy waters on security. KeePass’s main competitor, LastPass, was discovered to be harboring a critical security hole on its Web site that could be used to reveal sensitive account data. In May of 2011, the site advised customers to change their passwords after detecting a larger security breach on its Web site.

  • H4zzmatt on

    Wow, way to hype Threat Post. Vuln Labs are some of the worst researchers in the business. In this case if the Vendor says the hole is minor I'll take their word for it and I never believe the effin vendor!

    http : // attrition DOT org/security/rants/vulnerability-lab/


  • Anonymous on

    I would say that there is also a significant difference in the threat posed by the KeePass vulnerability than the one discovered at LastPass. The LastPass flaw allowed accounts to be compromised en masse whereas the KeePass flaw requires an individual user to put in a malicious URL into the program itself which is very unlikely. This is the reason I use KeePass rather than LastPass. I would never trust my password security to a third party website with no way for me to validate the security of their data storage and networks.

  • Anonymous on

    I agree, I prefer KeePass to LastPass because it's difficult to trust a third party site with all of my credentials.

  • Rick Deckardt on

    Sounds like a combo of social engineering + locally executed malware

    Here's a good (better) one:

    "Online Keepass client - Access your keepass database from anywhere"

    Upload your keepass database here: [upload form]

    To gain access, enter your passphrase or keys here [passphrase input] [submit]


    Versions vulnerable to this attack: All.

    Thank you and good night, and no, I don't do children's parties.

  • Sammy47 on

    I like the works of the vulnerability-lab and I also like to see that KeePass fixed the reported bug within one day. Good work and I will of course continue using KeePass as software.

  • Rob on


    Never, EVER believe the vendor. It's at best, a lower limit. They're not going to think of all the possible exploits that can happen, and the severity can depend on system configuration (e.g. NULL pointer dereference, crash on some systems, code execution on others)

  • Leroy1972 on

    I think there is a big difference between a software vulnerability like the KeePass one and the LastPass web-service. The vulnerability report is well written and also detailed enough to understand how to reproduce the bug or fix the problem. The victim doesn't need to see the full url when he uses the auto type url function. The display field of KeePass itself can not ever show the full url to the logins because they are often too large. Nice work benny and continue your program.

  • Leroy1972 on

    If you watch who are behind the attrition guys then you will fast check that it's an attack from the concurrence against the vlabs because they are scared to lose their position. jericho the moderator himself wrote a lot of crap about the good idefense vcp program and also about other people. This is a not trustable source but the advisories of the vulnerability laboratory really help the vendors to see the issues since somebody makes damage. Alone the model of the vlabs and the design is much better than for example osvdb so I can totally understand why they piss their panties.

  • Anonymous on

    How can you refer to this as a 'remote' vulnerability then later point out that it's a medium threat because local access is required?

    Shoddy writing.

  • C24_Italy on

    The bug can be exploited by a remote attacker via creating a malicious link as login. I have reproduced the bug this morning. Only for the export a low medium user interaction is required. His advisory is in the right way explained and the technique behind is amazing or can you show me another issue with the same type of bug inside of a password manager?

  • Anonymous1 on

    That's why you should pay for your password manager like I do, it's worth the money I spend for security. I use Roboforms and have for years, all these new guys keep poppin up with security flaws and being hacked.

  • Anonymous on

    Leroy1972 and C24_Italy = from vulnerability-lab

  • Michael on

    "The bug can be exploited by remote attacker via creating a malicious link as login"

    Er... no. If they make a malicious link on their own site, that does nothing. The user has to either re-type, or copy and paste, that malicious link into the Keepass "URL" field (or import a password file from someone else, which would be weird) - so you need to convince them to visit your malicious link and do that.

    Then the user has to export their passwords to HTML.

    So there are two steps that require user interaction. If you have someone that is reasonably technical, that's going to be tough. If you have someone who is not technical, you could probably get them to type their password into your site more easily than pulling this off.

    I don't see how this can be considered a "remote" exploit.

  • NoDominos on

    @Michael, thank you for spelling it out.

    Reading some of these posts -- and the article itself -- implies that somehow just using the autotype function will trigger this "vulnerability."

    I think you are wrong about your statement about it being considered a remote exploit. Wrong in the sense of being incomplete.  How can this be considered a software exploit of any kind?

    It can only work as a social engineering exercise.  If someone is really foolish enough to go through the steps necessary to be compromised, they would be much more easily led to enter their banking credentials into a Nigerian Bank login form -- would that be an "exploit" of the banking software? And face it, if a user is alert enough to be using a tool like KeePass Safe, they are pretty unlikely to be taken in by such a "must-be-fully-conscious-that-I'm-an-idiot" exercise.

    The only threat this post poses is to cause people, through abject fear mongering, to opt for a universal password rather than using a secure password manager.

  • Anonymous on

    What makes anyone so sure the government doesn't have a back door into Roboform, KeePass, and EVERY other popular password manager?

  • ProDev on

    Thank you for posting this information. We need researchers to continue looking for vulnerabilities, and for sites like Threat Post to post the results. This makes software better, and is crucial for security software such as KeePass.
