18 lines
974 B
Text
18 lines
974 B
Text
|
|
||
|
|
rule VULN_KeePass_DB_Brute_Forcible {
|
||
|
|
meta:
|
||
|
|
description = "Detects KeePass .kdbx password stores, which could be brute forced to steal the credentials. With AES-KDF and less than 65536 iterations the cracking speed with a single GPU is 20k/s, for the old default of 6.000 iterations it's 200k/s. Best remediation is to change the key derivative function to Argon2d and delete all older versions of the .kdbx"
|
||
|
|
author = "Arnim Rupp (https://github.com/ruppde)"
|
||
|
|
date = "2023-07-20"
|
||
|
|
score = 60
|
||
|
|
reference = "https://keepass.info/help/base/security.html#secdictprotect"
|
||
|
|
id = "b1a86e03-b3d1-5abc-9287-a4846451caff"
|
||
|
|
strings:
|
||
|
|
$keepass_magic = { 03 D9 A2 9A 67 FB 4B B5 }
|
||
|
|
// bytes 3-5 (after 06 08) are the number of iterations. if byte 3 is 00 the iterations are below 65536
|
||
|
|
$below_65536_rounds = { 06 08 00 ?? ?? 00 00 00 00 00 00 07 10 00 }
|
||
|
|
condition:
|
||
|
|
$keepass_magic at 0 and
|
||
|
|
$below_65536_rounds at 108
|
||
|
|
}
|