KeeFarce: extract KeePass secrets at runtime

security_compWe wrote about the risks of using cloud based password managers in an earlier article. To speak the truth, password managers installed locally on your system are not safe either, IF the system is compromised. KeeFarce is a new tool that proves the point. However, the principles of KeeFarce work only when you are allowing it to run on your system.

KeeFarce extracts the information from a KeePass database. No, it can’t break the encryption for that matter. However, it uses DLL injection at runtime to run its code in KeePass’s address space on Windows. Note that both KeeFarce and KeePass should be running to achieve this. KeeFarce gets hold of the passwords (and all other info) when it is extracted as cleartext by KeePass at runtime (in memory) and exports it to a CSV file in %AppData%.

KeePass is a very popular password vault with ports for numerous devices and operating systems, including Linux (KeePassX). However, KeePass is not the only software susceptible to this. Almost any software can be a target of dll injection. For example, a rogue process can hide itself in Windows’ winlogon process address space through dll injection and stay alive across logouts.

Similar mechanism is available on Linux too, using preloaded libraries, where a routine from the library is executed in place of a regular function like printf().

However, these kind of attacks are possible only if your system can be compromised. So keep a tab on what you run on your system, specially files downloaded from unverified sources.

Leave a Reply

Your email address will not be published. Required fields are marked *