No replies to this topic

[remove]

The Vulnerability Laboratory Research Team disovered tonight a vulnerability with medium(+) severity in the keypass password manager software of Domenic Reichl. Keypass is a well known, free and very popular password manager software for Microsoft Windows, with unofficial ports for Linux, Mac OS X, and a variety of other systems. The vulnerability has been identified by Benjamin Kunz Mejri the Founder of the Vulnerability-Lab.

The bug allows an attacker (local) to implement/inject malicious script code when processing to export a manipulated KeyPass Password Manager database. The vulnerability is located in the filter/validation of the html/xml export function/module & the bound vulnerable domain/url (listing) parameter. Exploitation of the vulnerabilitiy requires a manipulated url with malicious script code, a logging server with chmod 777, a listing file (random) & an keypass v1.22 user. The bug will be injected on the remote way, affects the local validation (html/xml) and change the technic back when remote transfering the password lists. The injection of the malicious url/domain context can be done via auto save of urls (victim) or manually (reproduce).

Normally KeyPass Password Manager exports the html backup with a secure clean template like ...

<th>URL</th><th>Password</th><th>Notes</th><th>UUID</th><th>Icon</th><th>Creation Time</th><th>Last Access</th>
<th>Last Modification</th><th>Expires</th><th>Attachment Description</th><th>Attachment</th></tr>
<tr><td>mypass category</td><td>my keypass test</td><td>asdfas</td><td>h3ll0</td>

The local attacker manipulate the database with malicious strings (script code) in the category item profile name input fields.
KeyPass Password Manager generates the clean html template but after the persistent script code inject in the database
profile domain/url item, the persistent code is getting execute direct out the clean exported html template file.

<tr class=``MyAccountNameRow``>
<td align=``right`` width=``150px``>Name des Benutzerkontos: </td>
<td><b>``><[PERSISTENT SCRIPT CODE]`) <<=`` b=``></td>
</tr>

Successful exploitation of the vulnerability lead to stable (persistent) context manipulation, persistent phishing or stealing plain password lists. Low or medium user inter action is required to exploit the vulnerability.
After we saw the vulnerability report and some of the advisory details, we asked Benjamin to provide us the remote exploitation scenario ...

Exploitation (Remote>Local > Local > Remote) Scenario:
The Attacker is sending the victim a manipulated login page with script code in the url parameters. The script code impacts an easy html or js script which responds to a url with chmod 777 (other server) to exchange of the file when processing a local request. The victim with keypass save the url via auto type engine function/module of the software. After some time the victim is exporting the file as html plain file with the keypass template. The script code of the url gets executed and transfers the context of the listed plain file directly to the attacker.

Fix/Patch
After Domenic Reichl has been notified about the vulnerability in his product he fixed the issue 1 day later by parsing the url/domain output with entities when processing to generate the plain password file with the keypass template (xml/html). The new version of Keypass v1.23 will be soon available for users or customers.

2012-06-13: Researcher Notification & Coordination
2012-06-14: Vendor Notification
2012-06-20: Vendor Response/Feedback
2012-06-25: Vendor Fix/Patch - Keypass v1.23
2012-06-26: Public or Non-Public Disclosure

Update - Keypass v1.23
Vulnerability Laboratory recommends to all keypass users to upgrade to version 1.23 as soon as the update is available. The bug affects the version 1.22 and all older versions of the Keypass software.


Reference(s):
http://news.hitb.org...rd-manager-v122