Invalid data from password dump - old databases #4

Open
pshelling opened this issue May 18, 2023 · 10 comments

@pshelling

I'm on an all US English Windows 10 x64 22H2 system. Installed .NET v7.0.302
Created a Projects folder, copied these files to the folder
keepass_password_dumper.csproj
Program.cs

I also had a c:\windows\memory.dmp file from two weeks ago. I copied that to the Projects folder. Then ran the following

dotnet run MEMORY.DMP

My password length might be right but the characters and layout are not even close
Is the length of the password an issue? My password is 35 characters long.

I also created a Keepass dump file with Task Manager and copied to the Projects folder and ran it that way too and it was not even close.

dotnet run Keepass.DMP

That one was only about 10 characters found

Am I not running the program correctly or is there something else I should be doing to get the proper results?

@vdohney
Owner

vdohney commented May 18, 2023

Thanks for reporting the issue! Based on what you are describing, it should be working fine. I assume you are on 2.53.1?

c:\windows\memory.dmp might contain it, or it might not - depending on what was happening during and before the time the system crashed.

The part where you actually try it with the Task manager dump is surprising. Here are a few things to try out:

  1. I've updated the script recently, are you on the most recent version?
  2. Are you actually typing the password? It might not work when pasting from a clipboard
  3. Does your password contain characters outside ^[\x20-\x7E]+$ (printable ASCII characters)? That's what I hardcoded into the POC.
  4. Could you try it a few times? For me it always worked reliably, but there was one other user saying it didn't work for the first time.

Finally, if all fails, could you try it with a dummy database? Create a new DB with a password of similar length and character set, terminate KeePass, open the DB (make sure to type the password), and dump it with the Task manager. Then upload the dump somewhere so that I can check it. It shouldn't contain any of your sensitive data and I'd be happy to take a look. If you want to do this, please send me the link to the dump privately on SourceForge - in case you make a mistake and publicly upload a different dump, that could be bad.

I've just tried it with a 38-character password in Windows 11, and it worked without an issue (screenshot).

@pshelling
Author

Yes, give me a little while to try other methods. Yes, I have the latest code you posted. I'm going to restart the system and then test again.

@vermi5

vermi5 commented May 20, 2023

Hey, I've tried your PoC tool on a taskmanager keepass dump where a dummy DB (generated with KeePass 2.5.0) was accessed and that worked flawlessly, on my main DB however it didn't get length nor contents right. I've been using KeePass for a long time and this specific DB might have been generated with a different version than those affected, if that matters

@vdohney
Owner

vdohney commented May 20, 2023

Hello, yes, this is exactly what @pshelling has messaged me about privately. Thanks for reporting!

Can you figure out what KeePass version you used to generate your old database? I’d like to get my hands on such a database and dump to test it, but it’s obviously not possible with real DBs due to security concerns.

@vermi5

vermi5 commented May 20, 2023

> Hello, yes, this is exactly what @pshelling has messaged me about privately. Thanks for reporting!
>
> Can you figure out what KeePass version you used to generate your old database? I’d like to get my hands on such a database and dump to test it, but it’s obviously not possible with real DBs due to security concerns.

Unfortunately I didn't keep a record but it might have been 2.39 portable

@vdohney
Owner

vdohney commented May 20, 2023

Thanks! Unfortunately, even when I created a database with 2.39 and then opened it with 2.53.1, I was still able to reproduce the attack. The problem must be somewhere else.

@vdohney
Owner

vdohney commented May 20, 2023

For completeness: there was another user posting in this thread about an issue, but they deleted their comments.

They claimed that for the password daniel.sword.directly.holdings, they weren't able to reproduce the attack. Unfortunately, on my machine it still worked. There were no other clues as to why the issue could be happening.

@OzanAkbay

OzanAkbay commented May 21, 2023

Although it's not a very painful vulnerability, it's a disaster that it openly gives away your password.

@wouterVE

In response to @vdohney on #10
I've tried to create a test DB on the oldest version of Keepass we have (2.19 dating from 2012); and I was still able to retrieve my password. So it seems very old versions of Keepass were still vulnerable.

@vdohney
Owner

vdohney commented May 24, 2023

@wouterVE thanks for verifying! This is unfortunate news, I was hoping that old versions like that weren't impacted.

Anyway, the search is still on for those few versions that are allegedly unaffected.

vdohney changed the title from "Invalid data from password dump" to "Invalid data from password dump - old databases" on May 25, 2023