Hacking tool swipes encrypted credentials from password manager

"KeeFarce" targets KeePass, but virtually all password managers are vulnerable.

Dan Goodin – Nov 2, 2015 1:16 pm | 208

Using a password manager is one of the biggest ways that average computer users can keep their online accounts secure, but their protection is pretty much meaningless when an end user's computer is compromised. Underscoring this often ignored truism is a recently released hacking tool that silently decrypts all user names, passwords, and notes stored by the KeePass password manager and writes them to a file.

KeeFarce, as the tool has been dubbed, targets KeePass, but there's little stopping developers from designing similar apps that target virtually every other password manager available today. Hackers and professional penetration testers can run it on computers that they have already taken control of. When it runs on a computer where a logged in user has the KeePass database unlocked, KeeFarce decrypts the entire database and writes it to a file that the hacker can easily access.

In fairness to KeePass developers, they have long warned users that no password manager can secure passwords on a compromised computer. Still, KeeFarce generated interest among security professionals and hobbyists over the past week, in large part because of the ease and convenience it provides.

"Indeed, if the operating system is owned, then it's game over," Denis Andzakovic, a researcher at Security Assessment and the creator of KeeFarce, told Ars. "The point of KeeFarce is to actually obtain the contents of the password database. Say a penetration tester has achieved domain admin access to a network but also wants to obtain access to networking hardware, non-domain infrastructure, etcetera. The tester can compromise a sysadmin's machine and use the tool to swipe the password details from the KeePass instance the sysadmin has open."

KeePass provides process memory protection that encrypts master password keys and other sensitive data when stored in computer memory. That system goes a long way to preventing malicious apps from scraping random access memory and retrieving the credentials. KeeFarce obtains passwords using a different technique, known as DLL injection. The injected dynamic link library code calls an existing KeePass export method to copy the contents of a currently open database to a CSV file. The resulting file contains user names, passwords, notes, and URLs all in cleartext.

Again, the ability for one process to inject itself into a second process and execute things in the context of the second process is by no means a KeePass-specific issue. This injection process is one of the things that allows programs to interoperate in useful ways. But in the event of a compromise, it can also streamline the process of gathering sensitive data and sending it to the attacker. Something like KeeFarce could prove to be especially scary if it was folded into Metasploit or other hacker frameworks. Andzakovic said existing features in Metasploit can already be used to manually run KeeFarce on a compromised computer.

KeeFarce will no doubt rekindle the common criticism that when password managers fail, they offer a one-stop destination for hackers to obtain all of a target's passwords. There's no doubt that password managers represent a single point of failure that could be catastrophic. Still, on the whole, they provide more benefit than risk when used correctly. That's because password managers allow average people to generate and store virtually crack-proof passcodes that are unique for every site. Password managers also prevent a breach on one site—say, the recent compromise of 000Webhost—from contributing to account hijacks on other sites because the account holder used the same password.

But it's also important that people recognize that there are some threats that password managers do nothing to mitigate, and chief among them is password theft from an infected computer to begin with. Lest anyone forget, KeeFarce is here to remind them.