
List:       full-disclosure
Subject:    [FD] MitM Attack against KeePass 2's Update Check
From:       Bogner Florian <Florian.Bogner () kapsch ! net>
Date:       2016-05-30 18:00:38
Message-ID: A22134A7-8051-4E61-8BB6-50838B01EE7A () kapsch ! net

MitM Attack against KeePass 2's Update Check

Metadata
===================================================
Release Date: 02-03-2016
Author: Florian Bogner @ Kapsch BusinessCom AG (https://www.kapsch.net/kbc)
Affected versions: all tested versions up to and including the current 2.33
Tested on: Windows 7
CVE : CVE-2016-5119
URL: https://bogner.sh/2016/03/mitm-attack-against-keepass-2s-update-check/
Video: https://youtu.be/gOxcQSbpA-Q
Vulnerability Status: Won't fix

Abstract
===================================================
An attacker can abuse KeePass 2's recommended automatic update check – if enabled – to \
"release" a new version and redirect the user to a malicious download page.

Disclosure Timeline
===================================================
8.2.2016 @ 11:30: Issue privately reported to Dominik Reichl (http://keepass.info/contact.html)
8.2.2016 @ 12:00: CVE number requested
8.2.2016 @ 15:45: Received response from Dominik Reichl: the vulnerability will not be fixed.
The indirect costs of switching to HTTPS (such as lost advertisement revenue) make it an
inviable solution.
30.5.2016 @ 18:00: MITRE assigned CVE-2016-5119; I reconfirmed that version 2.33 is still vulnerable

Technical Details
===================================================
During a recent traffic analysis I stumbled upon an interesting request to
http://keepass.info/update/version2x.txt.gz. As I had a few spare hours, I took a closer look.

It turned out that KeePass 2's automatic update check uses plain, unauthenticated HTTP to
request the current version information. For that purpose it downloads the following
gzip-compressed text file (one "Name:Version" line per component) from
http://keepass.info/update/version2x.txt.gz

> 
KeePass:2.31
ArcFour Cipher Plugin:2.0.9
CodeWallet3ImportPlugin:1
DataBaseBackup:2.0.8.6
DataBaseReorder:2.0.8
EnableGridLines:1.1
eWallet Liberated Data Importer:0.12
IOProtocolExt:1.11
ITanMaster:2.28.0.2
KdbxLite:1.1
KeeAutoExec:1.8
KeeOldFormatExport:1
KeeResize:1.7
KPScript - Scripting KeePass:2.31
OnScreenKeyboard2:1.2
OtpKeyProv:2.4
PwGen8U:1
PwGenBaliktad:1.2
QR Code Generator:2.0.12
QualityColumn:1.2
Sample Plugin for Developers:2.0.9
SpmImport:1.2
WinKee:2.28.0.1
> 

If a new version is available, a dialog is shown to the user. Because the response is neither
encrypted nor integrity-protected, an attacker on the network path (for example via ARP
spoofing or by running a malicious Wi-Fi hotspot) can modify the server response to announce a
new version and thereby force the new-version dialog to be shown. (Already heard about the new
KeePass 9 release?)

If the user now clicks within the update dialog to download the new version, the URL
http://keepass.info/ is opened so that the user can download the new release manually. That
page is fetched over plain HTTP as well, so the same attacker can intercept it too. In this way
an attacker can even indirectly control the downloaded "update".
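
The version file format and the attack described above, as an added example that is not
KeePass's own code. The "Name:Version" line format and the gzip encoding are taken from the
advisory; the sample file is a constructed, trimmed copy of the one quoted above, and the
component-wise tuple comparison in `update_available` is an assumption about how the client
decides that a newer release exists. `mitm_rewrite` plays the on-path attacker: it decompresses
the plaintext HTTP response, inflates one version number, and re-compresses it, which the naive
client cannot distinguish from a genuine response.

```python
"""KeePass 2 version2x.txt.gz: parse the file and show a MitM-injected release.

Added example (not KeePass code). Format per the advisory: gzip-compressed
text, one "Name:Version" line per component. The comparison logic is an
assumption that mirrors the described behaviour.
"""
import gzip
import re

# Constructed sample, trimmed from the file quoted in the advisory.
SAMPLE_VERSION_FILE = b"""KeePass:2.31
ArcFour Cipher Plugin:2.0.9
DataBaseBackup:2.0.8.6
KPScript - Scripting KeePass:2.31
OtpKeyProv:2.4
"""


def gz(data: bytes) -> bytes:
    """gzip-compress bytes, as the server does for version2x.txt.gz."""
    return gzip.compress(data)


def parse_version(s: str) -> tuple:
    """'2.0.8.6' -> (2, 0, 8, 6); tuples compare component-wise."""
    if not re.fullmatch(r"\d+(\.\d+)*", s):
        raise ValueError(f"bad version string: {s!r}")
    return tuple(int(p) for p in s.split("."))


def parse_version_file(gz_bytes: bytes) -> dict:
    """Decompress and parse 'Name:Version' lines into {name: version_tuple}.

    Names may contain spaces and dashes, so split on the *last* colon.
    """
    text = gzip.decompress(gz_bytes).decode("utf-8")
    versions = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, ver = line.rpartition(":")
        versions[name.strip()] = parse_version(ver.strip())
    return versions


def update_available(installed: str, remote: dict, component: str = "KeePass") -> bool:
    """The naive client decision: trust whatever the (unauthenticated) server said."""
    return remote.get(component, ()) > parse_version(installed)


def mitm_rewrite(gz_bytes: bytes, component: str, fake_version: str) -> bytes:
    """Attacker on the path (ARP spoofing, rogue hotspot): re-encode the plain
    HTTP response body with an inflated version for one component."""
    lines = gzip.decompress(gz_bytes).decode("utf-8").splitlines()
    out = []
    for line in lines:
        name, _, _ = line.rpartition(":")
        if name.strip() == component:
            line = f"{name}:{fake_version}"
        out.append(line)
    return gz("\n".join(out).encode("utf-8") + b"\n")


if __name__ == "__main__":
    genuine = gz(SAMPLE_VERSION_FILE)
    print("genuine  -> update?", update_available("2.31", parse_version_file(genuine)))  # False
    evil = mitm_rewrite(genuine, "KeePass", "9.0")  # "the new KeePass 9 release"
    print("tampered -> update?", update_available("2.31", parse_version_file(evil)))  # True
```

Nothing in the client's input lets it tell the two responses apart: the only thing the attacker
needs is the ability to rewrite an HTTP body in transit.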

Suggested Solution
===================================================
For any security-centric tool, and a password manager in particular, it is essential not to
expose its users to additional risks.

Hence, I strongly recommend that all requests be switched to encrypted HTTPS communication,
especially the version check and the download of updates. This should be straightforward to
implement and should not introduce any compatibility issues. Furthermore, a valid certificate
should be used for https://keepass.info and all unencrypted HTTP requests should be redirected
to the encrypted version of the site. For additional protection, the HTTP Strict Transport
Security (HSTS) header should be sent. As an alternative, the update check feature could be
removed.
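
What a hardened client-side update check would look like, as an added example that is not
KeePass's code. It enforces the recommendations above from the client's side: the update URL must
be https, the TLS chain and hostname are verified against the system trust store, a redirect
back to plain http is refused, and the presence of an HSTS header is reported. The URL
https://keepass.info/update/version2x.txt.gz is the advisory's path with the scheme changed as
recommended; that it actually serves the file over HTTPS is an assumption.

```python
"""Hardened update check: HTTPS only, verified TLS, no downgrade on redirect, HSTS aware.

Added example (not KeePass code). Only the standard library is used.
"""
import ssl
import urllib.request
from typing import Optional
from urllib.parse import urlparse

# Assumed HTTPS location of the version file (the advisory's path, scheme changed).
UPDATE_URL = "https://keepass.info/update/version2x.txt.gz"


class InsecureTransport(Exception):
    """Raised when an update request would leave the encrypted channel."""


def is_https_url(url: str) -> bool:
    """True only for https URLs with a hostname (no http, no file, no empty host)."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)


def require_https(url: str) -> str:
    if not is_https_url(url):
        raise InsecureTransport(f"update check must use https, got {url!r}")
    return url


def hsts_max_age(headers) -> Optional[int]:
    """Return max-age from a Strict-Transport-Security header, or None if absent.

    `headers` may be a plain dict or the http.client.HTTPMessage of a response.
    """
    value = headers.get("Strict-Transport-Security")
    if not value:
        return None
    for directive in value.split(";"):
        key, _, val = directive.strip().partition("=")
        if key.lower() == "max-age" and val.strip().isdigit():
            return int(val.strip())
    return None


class NoDowngradeRedirect(urllib.request.HTTPRedirectHandler):
    """Follow redirects, but never from https to anything else."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        require_https(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)


def fetch_version_info(url: str = UPDATE_URL, timeout: float = 10.0):
    """Fetch the gzip'd version file over verified TLS.

    Returns (body_bytes, hsts_max_age_or_None). Raises InsecureTransport for a
    non-https URL or a downgrade redirect, and ssl.SSLError on a bad certificate.
    """
    require_https(url)
    ctx = ssl.create_default_context()          # verifies chain and hostname
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    opener = urllib.request.build_opener(
        NoDowngradeRedirect(), urllib.request.HTTPSHandler(context=ctx))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(), hsts_max_age(resp.headers)


if __name__ == "__main__":
    try:
        body, hsts = fetch_version_info()
        print(f"got {len(body)} bytes; HSTS max-age: {hsts}")
    except (InsecureTransport, ssl.SSLError, OSError) as exc:
        print("update check refused:", exc)
```

`ssl.create_default_context()` is what makes the difference: an on-path attacker can still
rewrite bytes, but cannot present a certificate for keepass.info that the system trust store
accepts, so the tampered response is rejected instead of displayed.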

Workaround
===================================================
Until the version check has been switched to HTTPS, update notifications should be taken with a
grain of salt. To be on the safe side, new releases should be downloaded only directly from
KeePass's SourceForge page, which is served over HTTPS: https://sourceforge.net/projects/keepass/

Florian Bogner | Security Solutions 
ICT Technology Solutions
Telefon Mobil +43 664 628 5491 | florian.bogner@kapsch.net <mailto:florian.bogner@kapsch.net>
 
Kapsch BusinessCom AG | Wienerbergstrasse 53 | 1120 Wien | Österreich 
www.kapschbusiness.com | www.kapsch.net | Firmenbuch HG Wien FN 178368g | Firmensitz Wien





_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/

