CVE-2023-32784 - KeePass

Celia Catalán


In today's post we talk about KeePass, a well-known password manager. KeePass Password Safe is a free and open source password manager used to manage your passwords securely, allowing you to have a different password for each service without dying trying. KeePass is built around a master password, which must be very robust and must be remembered. This key gives us access to our password database, where the passwords can be generated randomly because we will not need to remember them.

Although we always recommend the use of this tool or similar ones to protect our passwords, in mid-2023 the vulnerability CVE-2023-32784 emerged, which could cause the master password to be compromised if the following conditions are met:

  • The attacker accesses a computer with a KeePass process running (the KeePass session does not need to be unlocked).
  • The victim user has entered the master password manually (not by copying and pasting).

This vulnerability is due to the use of the “SecureTextBoxEx” text box during master password access, since this functionality is also used to recover password content in other sections of KeePass.

To demonstrate how this vulnerability works, we will test two public exploits, which allow the recovery of the master password except for the first character. The first character is not stored because of how the “SecureTextBoxEx” functionality works at the .NET level: it masks the previous character and shows the current one. For example, for the word password:

-a, --s, ---s, ----w, -----o, ------r, -------d.

For this exercise, the first thing we will do is create a test database, and we will assign the password: sup3r$3cr3tP4ssw0rd!


After creating our new database and locking the session to “protect” it, we need to dump the memory of the KeePass process. Crash dumps can be produced using different techniques, but for this proof of concept it is enough to use the task manager, without any administrative privileges.


Once we have the memory dump of the KeePass process, we will proceed to use the following exploits:


As we can see, both exploits allow us to recover the master password without any difficulty, since it will only be necessary to guess the first character of the password.

This does not mean at all that we should distrust password managers. Like any other application, they are susceptible to containing vulnerabilities, so it is necessary to always keep them updated to have the latest security patches. Below, we offer a series of recommendations to follow in case you have been affected by this vulnerability:
  • Update to KeePass 2.54 or higher.
  • Change your KeePass master password in case it has been compromised.
  • Delete files that may contain KeePass passwords in memory, such as crash dumps (usually located in C:\Windows\memory.dmp for Windows), the hibernation file (hiberfil.sys) and the paging/swap file (pagefile.sys).
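
The checklist above can be turned into a quick audit. The following Python script is an added example, not code from the original post or from the KeePass project; the `keepass*.dmp` file name pattern, the per-user Temp and CrashDumps folders, and the C: system drive are assumptions to adjust for your environment.

```python
import fnmatch
import os
import re

FIXED = (2, 54)  # first fixed release named in the recommendations above
# System-wide files from the list above (assumes Windows is installed on C:).
SYSTEM_FILES = [r"C:\Windows\memory.dmp", r"C:\hiberfil.sys", r"C:\pagefile.sys"]

def is_patched(version_text):
    """True if a KeePass 2.x version string such as '2.53.1' is >= 2.54."""
    text = version_text.strip()
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"unrecognised version string: {version_text!r}")
    parts = tuple(int(p) for p in text.split("."))
    parts += (0,) * (len(FIXED) - len(parts))  # '2' compares as (2, 0)
    return parts >= FIXED

def find_process_dumps(roots, pattern="keepass*.dmp"):
    """Walk each root and return dump files whose name matches the pattern."""
    hits = []
    for root in roots:
        for folder, _dirs, files in os.walk(root):  # missing roots yield nothing
            for name in files:
                if fnmatch.fnmatchcase(name.lower(), pattern):
                    hits.append(os.path.join(folder, name))
    return sorted(hits)

def audit(version_text, dump_roots, system_files=SYSTEM_FILES):
    """Return a list of findings; an empty list means nothing is left to do."""
    findings = []
    if not is_patched(version_text):
        findings.append(f"KeePass {version_text} predates 2.54: update it")
    for path in find_process_dumps(dump_roots):
        findings.append(f"process dump to delete: {path}")
    for path in system_files:
        if os.path.exists(path):
            findings.append(f"may contain KeePass memory: {path}")
    return findings

if __name__ == "__main__":
    # Assumed dump locations: the per-user Temp and CrashDumps folders.
    local = os.environ.get("LOCALAPPDATA", "")
    roots = [os.path.join(local, d) for d in ("Temp", "CrashDumps")] if local else []
    for line in audit("2.53.1", roots):  # constructed version; pass the installed one
        print(line)
```

An empty result from `audit` means the version is at least 2.54 and none of the listed files were found; changing the master password remains a separate manual step.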


Ignacio Sánchez, Cybersecurity Analyst at Zerolynx.