Despite the fact that many methods of authentication and access control have been invented in the world, it is the password that is the most common and at the same time the most vulnerable. For security reasons, many Internet portals and services prohibit users from creating simple passwords, which, on the one hand, is good, but on the other hand, it is simply inconvenient. If we multiply this fact by a dozen similar sites, we get a real headache. To bridge the gap between the human factor and data security, password managers come to the rescue by taking charge of organizing user passwords. However, with this approach, it turns out that user security depends on only one thing - the master password.
WARNING
All information is provided for informational purposes only.
Neither the editors nor the author are responsible for any possible harm caused by the materials of this article. The September issue of the magazine (No. 176) contained a brief review and comparison of popular password managers, but today we’ll talk in detail about their security in general. In this article, we will take a critical approach to protecting password managers and consider several options for attacking popular managers in order to obtain the master password or the possibility of partially obtaining data stored in the password database.
The five most popular solutions for Windows OS were selected as examinees:
- Kaspersky Password Manager 5.0.0.176;
- Sticky Password 7.0.2.27;
- 1Password 1.0.9.337;
- KeePass 2.23;
- RoboForm 7.9.2.5.
We will check each of them for vulnerability to the following attacks:
- attack on the master password;
- attack on the contents of the password database;
- DLL Hijacking attack.
And based on the results of the inspection, we will give each of them the appropriate rating: bad, satisfactory or good.
As you know, password managers do not store the master password anywhere on the computer, and each time the manager is used, the user must enter it manually. To intercept such passwords, as a rule, keyloggers are used, plus recording of cursor movement and screenshots if there was a virtual keyboard. However, in our case, we will not write complex shadow drivers to intercept keystrokes and screenshots, since they can put our attack in laboratory conditions and are easily detected by antiviruses. We will look at an interesting, but not new way to get a password directly from the input window through the SendMessage API call with the WM_GETTEXT parameter. This method is remarkable in that many antiviruses do not recognize it as a potentially dangerous action, and it is implemented in literally a couple of lines of code, plus it does not require administrator rights to run it.
In addition, a SendMessage attack can be used to obtain text data from any application window, so even if the master password fails, there is a high probability of partially or completely obtaining the contents of the database itself after opening it.
In addition, we will check the vulnerability of each manager to the DLL Hijacking attack to find out how correctly each of them loads dynamic libraries. And if it is possible to replace the loaded library with our own, this will mean that we will be able to execute arbitrary code on the system. And although a large number of different applications are susceptible to this attack, in the case of password managers it has its own nuance. Many users often work on different computers, and therefore they run password managers from removable devices. If every time such a launch occurs, an unauthorized library is loaded, then in fact the password manager itself turns into a dangerous virus distributor.
It’s ineffective to write your own exploit for each password manager, so let’s write a universal one instead. The advantages of such an exploit are that with its help we can not only “pull out” the master password and passwords stored in the database itself, but also use it for other applications that have a password entry form. In fact, in terms of functionality, we will get a simple and convenient hacktul that allows you to receive passwords and quickly answer a question of interest for any application. Well, now let's move on to the coding itself.
First of all, we need a function that will prepare the memo field to accept new data and determine the handle of the main window under the cursor, after which it will receive the handles of the child windows and pass it to the subsequent function to recognize the contents of the window.
void __fastcall TForm1::Timer1Timer(TObject *Sender) { Memo1->Lines->Clear(); HWND h; POINT Point; GetCursorPos(&Point); h = WindowFromPoint(Point); EnumChildWindows(h,(WNDENUMPROC)EnmWndwsWnd,0); }
The EnmWndwsWnd function will be responsible for displaying the contents of child windows.
BOOL CALLBACK EnmWndwsWnd(HWND h,LPARAM lParam) { if (IsWindowVisible) { char g[255]; GetClassName(h,g,255); std::string text; WPARAM ln = SendMessage(h,WM_GETTEXTLENGTH,0,0); if(ln>0) { char *buf = new char[ln+1]; LRESULT got = SendMessage(h,WM_GETTEXT,ln+1,(LPARAM)buf); if((LRESULT)ln == got) text = buf; delete [] buf; Form1->Memo1->Lines->Add((String)g+":"+text.c_str()); } } return TRUE; }
After launching the program, using a timer, it will track the position of the cursor on the screen and determine the text under it, that is, just move the cursor over the required field to instantly find out the password. In addition, using this tool you can find out the text content of all windows in the application. This function will be useful to instantly scan the contents of the password database after opening the manager.
In our case, the well-known Procmon can be used to detect DLL Hijacking. In addition to Procmon, another well-known utility, API Monitor, is also suitable, where in the corresponding settings menu you must first specify the interception of the LoadLibrary and LoadLibraryEx functions. If the library was called without specifying the full path, and only the final file name was specified, then we have every chance of finding a vulnerable DLL file. Now let's write a small code that will signal the presence of a vulnerability and open the calculator as evidence.
#include int WINAPI DllEntryPoint(HINSTANCE hinst, unsigned long reason, void* lpReserved) { WinExec(“calc.exe”, 0); return 1; }
The created library will open the calculator every time the application loads it, so we can clearly judge the presence of DLL Hijacking.
INFO
All the described vulnerabilities in Kaspersky Password Manager and Sticky Password existed three years ago.
Despite the fact that the vendors were warned, as you can see, the problem still remains. Well, now it’s time to start directly assessing the security of password managers. Our first examinee will be Kaspersky Password Manager. Perhaps a virtual keyboard could help him in the case of keyloggers, but in our case the master password was obtained immediately and without any difficulties. The first round is not in favor of Kaspersky Lab.
Obtaining a master password in Kaspersky Password Manager
Other articles in the issue:
Hacker #179. Internet of Things - a new attack vector
- Contents of the issue
- Subscription to "Hacker"
The second round also turned out to be our hack tool. After entering the master password, the saved data was partially retrieved at the time of viewing or editing.
Intercepting saved data in Kaspersky Password Manager
In addition, KMP was susceptible to a third attack (DLL Hijacking). At startup, it tries to load the bthprops.cpl library. This library is located in the system directory and is necessary for working with Bluetooth devices, but KMP tries to launch it without specifying the full path, which was the cause of the vulnerability. Another library, cryptsp.dll, is loaded in the same way. It is enough to place the malicious library, which, for example, may contain an exploit for the previous two attacks, in the same directory as the application and rename it bthprops.cpl, after which it can be loaded every time KMP is launched.
Kaspersky Password Manager opens the calculator every time it starts
To summarize, we can say that Kaspersky Password Manager was far from up to par. The final rating is bad.
Not many people know that Sticky Password is the parent of Kaspersky Password Manager. It was on its basis that Kaspersky Lab at one time developed its own product. Both managers have similar functionality and structure; in fact, their main difference is the version numbers and design. Despite the fact that the latest version of Sticky Password was released quite recently, the program still has not gotten rid of all the problems that it once bestowed on its offspring. The first and second attacks successfully revealed the master password and partially the contents of the password database.
Obtaining a master password in Sticky Password
As in the case of Kaspersky Password Manager, the third round was not in favor of Sticky Password: a number of DLL Hijacking vulnerabilities were identified. When launched, the application tries to load several dynamic libraries from its own directory: fitlib.dll, olepro32.dll, profapi.dll. The overall verdict is the same as Kaspersky Password Manager. The final rating is bad.
1Password from Agile Bits, the first test was successful and did not make it as easy to get the master password as in the previous two cases. I was also very pleased with the presence of the Unlock on Secure Desktop security function, which blocks any access to the application the moment the password is entered. The only moment when we managed to obtain the master password with our attack was the immediate moment of creating the password database. However, this method is of little use in practice, so we do not take its result into account. After opening the database, it became partially possible to obtain the saved data by editing or viewing, as in previous cases.
Intercepting saved data in 1Password
DLL Hijacking also affected 1Password. After opening the database, the application tries to load the midimap.dll library. Despite a number of vulnerabilities, the presence of a password protection function still inclined to a neutral point of view, so the final rating is satisfactory.
The well-known KeePass did a great job with the first attack. Like 1Password, it has in its arsenal the function of controlling access to the application at the time of entering the password. KeePass also held off the second attack with dignity. Data recorded in the database can only be retrieved at the time of editing, while the saved passwords remain undisclosed. The third attack is also in favor of an open source password manager.
KeePass blocks unauthorized access
Although Procmon showed several attempts to unsafely load DLL files, it was not possible to create a working exploit based on them. Credit to the GNU community. The final rating is good.
RoboForm also didn’t just give up on the first attack and didn’t give up its master password, for which it received a plus. However, the second round was not in his favor. Even in viewing mode, it was easy to get almost the entire contents of the forms.
Intercepting saved data in RoboForm
As in the previous case, Procmon pointed out the theoretical possibility of DLL Hijacking, but it was not possible to create a working exploit. Therefore, the third round is for RoboForm. In terms of points earned, it can be placed somewhere between 1Password and KeePass, but I still wouldn’t use a password manager that explicitly displays them on the monitor, so, in my opinion, the final rating of “satisfactory” is well deserved.
Of all five password managers, only one, KeePass, was able to successfully resist all three attacks. Open source and constant support from enthusiasts have made a truly worthy product. Although RoboForm and 1Password were not without their flaws, they were both able to protect their master password. As for Sticky Password and Kaspersky Password Manager, neither of them could protect against an attack on the master password. In addition, they also open a backdoor in the form of DLL Hijacking, so the use of these password managers on flash drives can be used by a hacker to distribute malicious code and conduct a targeted insider attack. These products really need a major improvement in security. Summing up the testing results, we will not give preference to any one manager, since it would arise from various subjective and personal factors; we simply considered these password managers from the point of view of their security.
All programs and sources mentioned in the article are waiting for you on our disk.
Forewarned is forearmed
- To protect your passwords from the described interception technique, you can configure special software on your computer that will monitor calls to the API functions MARKDOWN_HASH2ab05fbef5eddf2027d7f05bdeac283dMARKDOWN_HASH and MARKDOWN_HASH84ea011a8379b1eb533f68d1d12fe6a6MARKDOWN_HASH c parameter om MARKDOWN_HASHbed4f4e4c653f53c6abf14671add9c05MARKDOWN_HASH. Some antiviruses provide this feature, for example, in the free Firewall from COMODO this function is installed by default, in others you may have to configure it manually. If unauthorized access to application windows occurs, proactive protection will display a window with a warning and a choice of action. However, this method will not help if you often have to use a password manager from a flash drive or on someone else's computer. As a reliable solution, you can use a password manager, which has a security function similar to UAC and blocks unauthorized access to the application. For example, KeePass and 1Password have this function.
- To resolve the problem associated with DLL Hijacking, we use special utilities to restrict write access to the corresponding directories by third-party applications on the computer. As in the previous point, this feature may be available in some antivirus solutions. As for protecting applications on flash drives, not everything is so beautiful, but you can use the next knight move. First, convert the file system of the flash drive to NTFS: convert h: /fs:ntfs /nosecurity /x
This system allows you to set security settings for individual folders and files.
We can immediately create a read-only rule for the directory with the vulnerable MP, but if the file with passwords is located there, we will not be able to edit it while working on someone else’s computer. Therefore, you can simply create dummy files with vulnerable DLL files and set read-only settings for them. 3. As an additional measure of password protection in the password manager, you can use an additional link to a key file or device, but you must understand that now access to saved passwords may be vulnerable to accidental factors, such as loss of a key file and failure of a USB device. Password and security may seem synonymous to many people. But when the question is raised about the security of the passwords themselves, security itself comes first. In the competitive struggle, vendors offer various solutions, whose reliability at first glance is beyond doubt, but behind advertised military ciphers, password managers can hide banal vulnerabilities, which can play a cruel joke on them. There is no need to panic and clearly judge that we cannot put all our eggs in one basket, but if we are still going to do this, then we first need to properly check the reliability of our basket.
Password Manager - Kaspersky Password Manager 9.0.1.447
Kaspersky Password Manager
is a multi-platform password manager that allows you to securely store passwords and automate the process of authorization and entering information on Internet pages and in programs. This program relieves you of the need to come up with and remember a large number of passwords. When using Kaspersky Password Manager to log in to a website or program, you can be confident in the security of your personal information. Passwords created using Kaspersky Password Manager are resistant to hacking attempts and reliably protect your account data from intruders. All confidential information is stored encrypted in a special cloud storage, which allows you to synchronize data across different devices and always use the latest version of the password database.
System requirements:
Processor:
1 GHz or higher.
Random access memory (RAM):
1 GB or higher (for x86) / 2 GB or higher (for x64).
Free hard disk space:
75 MB or higher.
Screen resolution:
1024x768 pixels or higher. Internet connection (for connecting to the My Kaspersky portal, synchronizing data and updating the program). Microsoft Windows 10 (x86 / x64), including Redstone 1 Microsoft Windows 8 (x86 / x64) with updates KB2919355, KB2999226 Microsoft Windows 8.1 (x32 / x64), including Update and with updates KB2919355, KB2999226. Microsoft Windows 7 (x86/x64) Service Pack 1 with update KB2999226
Torrent Password Manager - Kaspersky Password Manager 9.0.1.447 in detail:
Kaspersky Password Manager provides the following features:
·Data storage. You add logins and passwords for websites and applications, contact information, bank card numbers and PIN codes, passport details and other important information to the storage. ·Data protection. You protect the vault with a master password. Only you know the master password. All data is stored encrypted and is decrypted when you enter your master password. ·Data synchronization. Data is synchronized between all your devices that are connected to the My Kaspersky portal using one My Kaspersky account. Synchronization helps restore data if you change or lose your device. ·Online access to data. With your My Kaspersky account, you can manage your data on the My Kaspersky portal. Online access to data is possible from any device with an Internet connection. ·Data import. If you have used other password managers before, you can automatically transfer data from them to Kaspersky Password Manager. ·Data export. You can print your logins and passwords on a printer. ··Data backup. You can back up data to storage. A backup helps restore data if the storage is accidentally deleted. ·Checking passwords. Kaspersky Password Manager finds weak and duplicate passwords in the storage. The use of such passwords may be insecure. ·Saving and replacing login and password on websites. Kaspersky Password Manager can automatically save and substitute your passwords on websites.
Supported Browsers:
·Microsoft Edge (version 40 or higher). ·Microsoft Internet Explorer (versions 10 – 11). ·Mozilla Firefox (version 55 or higher). ·Chrome (version 61 or higher). ·Yandex Browser (version 17.9 or higher).
What's new 9.0.1:
·Complies with European Union legislation and complies with the provisions of the General Data Protection Regulation. ·Implemented support for the Kaspersky Password Manager extension for Microsoft Egde. ·Improved data protection. ·The initial program setup procedure has been simplified. ·Added the ability to use the program without a My Kaspersky account: https://support.kaspersky.ru/14261 ·Limitations in the free version of the program have been changed: you can add 15 records of any data types to the storage. ·New sections are available: Bank cards and Addresses. Data about bank cards and addresses from the Personal Data section have been moved to new sections. Other types of personal data can be found in the Notes section. ·Storing images and scans of documents in encrypted form is available. ·Added the function of scanning your computer for important scans and photographs of documents. ·Added the ability to substitute bank card data and addresses into online forms on websites. ·Added the function of sending feedback on the program’s performance to Kaspersky Lab. ··Added support for the latest versions of Google Chrome, Mozilla Firefox, Internet Explorer and Yandex Browser browsers. ·Added the ability to view records in the form of tiles. ·Improved program interface.
Installation procedure:
Run kpm.exe and follow the installation wizard: https://support.kaspersky.ru/14246#block1
Freemium:
If, when installing Kaspersky Password Manager, you created a new My Kaspersky account or logged into an account that does not contain a license for Kaspersky Password Manager, you have a free version of the program installed. This version does not require activation.
The standard version is free and contains a limitation: you can add no more than 15 records of any type to the storage (sites, programs, bank cards, images, addresses and notes). They are synchronized across all devices.
You can activate the program using activation codes for the products: Kaspersky Password Manager Kaspersky Total Security Kaspersky Small Office Security
To do this, add the activation code to your My Kaspersky account and synchronize:
· Log in using your account on the My Kaspersky portal. ·Select the Licenses section. ·Enter your activation code and click Add.
YQWEJ-YW281-YMGSY -UDW 4BFHZ-EB4HB4HB-VQKWR-BUBEY DTACW-FP1CM-4R284-659DC DT6J5-A7NYP-4YP-4YY9G5-C7V26 C4D6V-35PMM-H9EJN-MEL 1-2F7D1-FBTB1
Screenshots Password Manager - Kaspersky Password Manager 9.0.1.447 torrent:
Download Password Manager - Kaspersky Password Manager 9.0.1.447 via torrent: