The KeePass application is vulnerable to Insecure DLL Hijacking
Vulnerability. Similar terms that describe this vulnerability
have been come up with Remote Binary Planting, and Insecure DLL
Loading/Injection/Hijacking/Preloading.
KeePass Password Safe is a free, open source, light-weight and
easy-to-use password manager for Windows. You can store your passwords
in a highly-encrypted database, which is locked with one master
password or key file.
The KeePass application passes an insufficiently qualified path in
loading an external library, "dwmapi.dll"
when a user opens its associated file with extensions - "kdbx".
2.12 and lower version family of 2.x
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/keepass/poc/movie/
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/keepass/poc/keepass.exe_2.12_dwmapi.dll.zip
Tested Platform: Windows XP Service Pack 3 (Fresh Windows)
Attackers can trigger a successful exploit against a victim user in a
number of ways such as placing a malicious external
library file made as hidden attribute and a seemingly interesting file
in network shares, usb drives, file sharing networks,
social networks, …etc
Fix version (i.e 2.13) has not been released yet but the latest patch
is available at:
http://keepass.info/filepool/KeePass_100829b.zip
Dominik Reichl
http://keepass.info
This vulnerability was discovered by Aung Khant, http://yehg.net, YGN
Ethical Hacker Group, Myanmar.
08-29-2010: vulnerability discovered
08-29-2010: notified vendor
08-29-2010: patch released
09-01-2010: vulnerability disclosed
Original Advisory URL:
http://core.yehg.net/lab/pr0js/advisories/dll_hijacking/[keepass]_2.12_insecure_dll_hijacking_(dwmapi.dll)
Workaround Solution: http://support.microsoft.com/kb/2264107
Workaround Solution:
https://www.microsoft.com/technet/security/advisory/2269637.mspx#EGF
Developer Solution:
http://msdn.microsoft.com/en-us/library/ff919712%28v=VS.85%29.aspx
Unofficial DLL Hijacking List:
http://www.corelan.be:8800/index.php/2010/08/25/dll-hijacking-kb-2269637-the-unofficial-list/
#yehg [09-01-2010]