Sneed-Reactivity/yara-Neo23x0/vuln_keepass_brute_forcible.yar

18 lines
974 B
Text
Raw Normal View History

rule VULN_KeePass_DB_Brute_Forcible {
meta:
description = "Detects KeePass .kdbx password stores, which could be brute forced to steal the credentials. With AES-KDF and less than 65536 iterations the cracking speed with a single GPU is 20k/s, for the old default of 6.000 iterations it's 200k/s. Best remediation is to change the key derivative function to Argon2d and delete all older versions of the .kdbx"
author = "Arnim Rupp (https://github.com/ruppde)"
date = "2023-07-20"
score = 60
reference = "https://keepass.info/help/base/security.html#secdictprotect"
id = "b1a86e03-b3d1-5abc-9287-a4846451caff"
strings:
$keepass_magic = { 03 D9 A2 9A 67 FB 4B B5 }
// bytes 3-5 (after 06 08) are the number of iterations. if byte 3 is 00 the iterations are below 65536
$below_65536_rounds = { 06 08 00 ?? ?? 00 00 00 00 00 00 07 10 00 }
condition:
$keepass_magic at 0 and
$below_65536_rounds at 108
}