I Need Access: Exploit Password Management Software To Obtain Credential From Memory
10-23, 14:00–14:30 (Europe/Luxembourg), Europe - Main Room

Passwords have long been a foundational element of cybersecurity, but they remain vulnerable to various attacks aimed at acquiring user credentials. Password management software (PM) has emerged as a key defense, yet misconfigurations and user errors can still result in data leaks. This presentation introduces a new red teaming tool, Pandora, capable of extracting credentials from 18 popular PM implementations, including desktop applications, browsers, and browser plugins. Pandora requires the PM to be active so that it can dump the PM's processes and analyze them for user credentials. Although this vulnerability is not new, Pandora represents the first public tool to exploit it, emphasizing the need for the pentesting community to advocate for stronger protections from vendors to secure user credentials. Additionally, only two vendors have acknowledged the problem, with one CVE ID (CVE-2023-23349) reserved for Kaspersky.


Passwords have long been a fundamental aspect of cybersecurity, with numerous attacks targeting the covert acquisition of user passwords. Password management software (PM) has emerged as a crucial defense mechanism against such attacks. Despite the security measures embedded in these applications, misconfigurations and user errors can still result in sensitive data breaches.

In this context, the current presentation introduces a newly developed red teaming tool called Pandora (https://github.com/efchatz/pandora). Pandora is capable of extracting end-user credentials from 18 widely-used PM implementations, including MS Windows 10 desktop applications and browser plugins. The sole requirement for Pandora to function is for the PM to be active, enabling the tool to dump the PM’s processes. Through experimentation, it was found that only 1Password necessitates high integrity privileges for an attacker to dump the relevant processes. Once executed on a host machine, Pandora will dump the PM’s processes, analyze them, and extract any user credentials it finds. The tool offers various modes to support penetration testers and can provide an additional attack vector in red team engagements, given the widespread use of PMs today.

Methodologically, Pandora operates based on the specific implementation of each PM. Many PMs keep their entries or master credentials in plaintext in the memory of the corresponding processes. Consequently, Pandora consists of different autonomous scripts tailored to each PM implementation.
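A defender-side check for the plaintext-in-memory condition described above, as an added example that is not part of the talk or of Pandora: seed a test vault with canary credentials, dump the PM process with your usual tooling, and search the dump for those known values in the encodings a Windows application typically uses. The canary strings, function names and sample dump bytes are constructed for illustration.

```python
"""Canary check: do known test credentials survive in plaintext in a process dump?"""
from dataclasses import dataclass

# Encodings in which a Windows desktop app or browser commonly holds strings.
ENCODINGS = ("utf-8", "utf-16-le")


@dataclass(frozen=True)
class Hit:
    label: str      # which canary was found (the secret itself is never reported)
    encoding: str
    offset: int     # byte offset inside the dump


def find_canaries(dump: bytes, canaries: dict[str, str]) -> list[Hit]:
    """Return every plaintext occurrence of each canary value in `dump`."""
    hits = []
    for label, secret in canaries.items():
        for enc in ENCODINGS:
            needle = secret.encode(enc)
            pos = dump.find(needle)
            while pos != -1:
                hits.append(Hit(label, enc, pos))
                pos = dump.find(needle, pos + 1)
    return hits


def summarize(hits: list[Hit]) -> dict[str, int]:
    """Count exposures per canary label, for a pass/fail report."""
    counts: dict[str, int] = {}
    for h in hits:
        counts[h.label] = counts.get(h.label, 0) + 1
    return counts


# Constructed sample standing in for a dump of a test vault process.
CANARIES = {"master": "Canary-Master-7f3a", "entry": "Canary-Entry-91bc"}
SAMPLE_DUMP = (
    b"\x00" * 16
    + "Canary-Master-7f3a".encode("utf-16-le")  # wide string left in a UI buffer
    + b"\xde\xad\xbe\xef" * 4
    + b'{"password":"Canary-Entry-91bc"}'        # decrypted entry kept as JSON
    + b"\x00" * 8
    + b"Canary-Entry-91bc"                       # second copy of the same entry
)

if __name__ == "__main__":
    for hit in find_canaries(SAMPLE_DUMP, CANARIES):
        print(f"{hit.label}: plaintext ({hit.encoding}) at offset {hit.offset:#x}")
```

Running the same check after locking the vault shows whether secrets are cleared from memory or linger until the process exits.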

Following a Coordinated Vulnerability Disclosure (CVD) process, most vendors responded that these issues fall outside their scope, as the attacker requires local access, or the antivirus/endpoint detection and response (AV/EDR) systems might prevent such attacks. To date, only two vendors have acknowledged the problem, with one already reserving a CVE ID: CVE-2023-23349 (Kaspersky).

It is important to note that this issue is not entirely new. It has long been recognized that there is no foolproof method for desktop applications to be protected against such attacks. However, to the best of our knowledge, this is the first time such a tool has been publicly discussed and made available. Since various PMs use different encryption and obfuscation methods, it is up to the pentesting community to encourage vendors to implement protections that will safeguard user credentials.

Efstratios Chatzoglou received the M.Sc. degree in Security of Information and Communication Systems from the University of the Aegean, Samos, Greece. He has worked for more than 3 years in the field of cybersecurity. Currently, he is a Penetration Tester with Memorandum and a PhD candidate at the University of the Aegean. He has identified more than 25 different CVE IDs from well-known vendors, like ASUS, MediaTek, Netgear, Huawei, LiteSpeed, etc. The most recent one is CVE-2023-23349 from Kaspersky. He has published more than 15 research papers in well-known conferences and academic journals.