Make KeePass more secure: compile KeePass yourself

Heise recently published an article about KeePass not using HTTPS. The article turns out to be a canard, since KeePass cannot update itself. This article reminded me that I have attacked KeePass in 2009 to see how secure it is. Since it offers security features like password encryption, dual channel auto-type obfuscation, secure desktops etc., I thought this is a well-written and totally secure application.

Unfortunately I had to find out that my first two approaches of attacking KeePass worked very well (I don’t want to go into details here and provide full source for script kiddies; if you’re a developer you’ll probably be able to implement the attack based on the modifications I make to KeePass). Therefore I contacted the author, Dominik Reichl. However, he explained that such issues cannot be fixed. A few days later (2009-02-27 according to archive.org), the following text was added on the KeePass website, Security section:

All security features in KeePass protect against generic threats like keyloggers, clipboard monitors, password control monitors, etc. (and against non-runtime attacks on the database, memory dump analyzers, …). However in all the questions above we’re assuming that there’s a spyware program running on the system that’s specialized on attacking KeePass.

In this situation, the best security features will fail. This is law #1 of the 10 Immutable Laws of Security [4][5]: “If a bad guy can persuade you to run his program on your computer, it’s not your computer anymore”.

For example, consider the following very simple spyware specialized for KeePass: an application that waits for KeePass to be started, then hides the started application and imitates KeePass itself. All interactions (like entering a password for decrypting the configuration, etc.) can be simulated. The only way to discover this spyware is to use a program that the spyware doesn’t know about or can’t manipulate (secure desktop); in any case it can’t be KeePass.

If KeePass is not that secure, let’s try to make it a little more secure by yourself. Are you allowed to do so? Well, KeePass is released under GPL2 so you can modify it. You even don’t need to publish the modified source code as long as you don’t distribute your version and keep it for yourself. Only with publishing you need to publish under the same license. The relevant paragraph is

6. Each time you redistribute the Program (or any work based on the Program), the recipient automatically receives a license from the original licensor to copy, distribute or modify the Program subject to these terms and conditions. […]

Step 1: Compiling KeePass

  1. Download and install Visual Studio 2015 Community Edition if you don’t have VS 2015 already
  2. In the Download section, scroll to the bottom and download the source code for KeePass 2
  3. Unblock the ZIP file in the file properties (otherwise you might get strange security questions)
  4. Unzip the ZIP file
  5. Ideally, add all the source code to a version control system (SVN) just to be able to make changes without breaking anything
  6. Open the solution file KeePass.sln, which is a VS 2008 project, in VS 2015
  7. Confirm the one-way upgrade warning
  8. Try to build the solution. You’ll get some errors regarding PFX files which are used for the digital signature.
  9. Open the properties of all projects. Choose “Signing” and remove the checkmarks for the PFX file. I’ll assume that you don’t have an own PFX. If you do have an own PFX file, you’re probably familiar on how to use it.
  10. Try to build the solution. For me, it still failed due to “sgen.exe” not working well. Open the KeePass properties, go to “Build Events” and remove the post build step. This also has to do with the digital signature
  11. Try to build. This time it should work.
  12. Set “KeePass” as the startup project.
  13. Commit your work to SVN (if you have)

Step 2: Make it a bit more secure

For a specialized attack on KeePass, the attacker needs to find out that KeePass is KeePass. The attacker might look at the executable name, so let’s change it.

  1. Open the KeePass project properties
  2. Change “Assembly Name” to something you want, e.g. “PwManager”

So the executable name is better now. An attacker may still identify it as KeePass from the title etc., so let’s change that as well.

  1. Open KeePassLib\PwDefs.cs
  2. Change all “KeePass” to something else as well, e.g. “PwManager”
  3. As you’re there, change all URLs to “about:blank” if you like

Our modified KeePass version still uses the KDBX file extension, so an attacker may notice that and gather interest.

  1. Open KeePass/App/AppDefs.cs
  2. Find a class called FileExtension
  3. Change the extension from kdbx to something else, e.g. pwmg
  4. Change the “ExtId” from “kdbxfile” to “pwmgfile”. This would probably affect the Registry in case you want to register the file extension. Personally I recommend running it portable and not registering the file extension.
  5. Below those definitions, you’ll find some more items with “KeePass” in the name. Change it as well.
  6. Compile it and run it
  7. Commit your work to SVN

Step 3: recognize a potential replacement

Whatever efforts we take, an attacker may use other techniques to identify our application as a KeePass clone and replace it with a copy to fool us. Let’s mitigate that by changing the color of the password form. A replacement may not be able to imitate this, so you’ll notice the replacement, because it has the default KeePass color and not your color.

  1. From the KeePass project, open Forms/KeyPromptForm in designer mode
  2. Change the background color, e.g. to blue
  3. Compile it and run it
  4. Create a demo database and check the password dialog. It should have your color now
  5. Commit your work to SVN

If you followed this tutorial, you should now have a version of KeePass that it a little bit safer and looks similar to this:

KeePass password entry form

Sure, it still does not cover all attack vectors but at least the following:

  • Stealing *.KDBX files: your password file will not be found since it has a new extension now
  • Replacement of KeePass by a malicious clone via the Image File Execution Options Debugger Registry key (since this would require the executable to be named KeePass.exe)
  • Replacement of KeePass by a malicious clone in any other way, since you’ll likely detect the replacement due to the wrong color

What else could you consider? Based on my attacks I would do the following two things next:

  • Add a part of the password to the password via code. This will prevent someone from recording your complete password with a generic keylogger. So even he has your “KDBX” file and a recorded password, he’ll still need your program to get the second half of the password.
  • Detect if KeePass loses the focus and regains the focus very quickly. A user will need ~100 ms or longer to switch between applications. If the time is shorter, it’s likely that an attacker opened an invisible window and returned the focus to KeePass. Using Auto-Type will type into the attacker’s invisible window. The attacker may choose to forward the input to the original destination window so you won’t notice that it got lost.
  • Display the title of the window that KeePass is going to send the password to.
  • Display a list of DLLs loaded into the process. That way you might detect keyboard hooks etc. To shorten the list you could exclude DLLs signed by Microsoft, exclude known DLLs etc.

I have not yet described these modifications in detail.

TaskJuggler Installer for Windows

Developing software often needs some project management and planning. Unfortunately I regularly break Microsoft Project schedules in a way that leveling the resources does not work any more.

I have tried alternatives like GanttProject and ProjectLibre, but they all don’t fit my needs. Then I saw a recommendation for TaskJuggler. Unfortunately, TaskJuggler is not very convenient to install, especially behind a company firewall which prevents downloading missing Ruby gems.

After much pain, I figured out that I need to download and install the following in this order:

  1. Ruby
  2. RubyGems
  3. Tins gem
  4. Term-ansicolor gem
  5. Mime-types gem
  6. Mail gem
  7. TaskJuggler gem

Luckily, RubyInstaller covers steps 1 and 2.

After installation, I found that I need even more adjustments for convenience:

  1. Icon to better recognize the TaskJuggler .TJP files
  2. A file association for editing the .TJP file in Notepad++ (or at least Notepad)
  3. A context menu entry to “compile” the project to avoid the long Ruby command line “C:\Ruby22\bin\ruby.exe” “c:\Ruby22\bin\tj3” “myproject.tjp”. In addition, stop in case of errors.
  4. Syntax highlighting in Notepad++ to detect mistakes while typing
  5. A template for the New entry in the context menu (because starting with a totally empty file is hard)
  6. Support for Windows Explorer’s preview pane

Those convenience features need a lot of Windows Registry tweaking and are thus error-prone.

Nevertheless, once installed, TaskJuggler is a really great product. To lower the hurdle of using it, I have created the TaskJuggler Windows Installer which performs above steps.

Download

TaskJuggler 3.5.0 Installer 0.7 32 Bit (20.0 MB)

TaskJuggler 3.5.0 Installer 0.7 64 Bit (20.6 MB)

Be aware that this is a version which has not been tested much.

Reporting bugs

Report bugs to taskjuggler.yyyy-mm-dd@lockerflockig,de (where yyyy-mm-dd is the current date).

Visual Studio File Size Extension

I posted a Code Puzzle on StackExchange. When solving it myself in C#, I found out that it is hard to tell whether the latest refactoring made the file smaller or larger. Therefore I asked for a Visual Studio file size extension on Software Recommendations. Unfortunately, nobody answered, so I checked whether I could implement it myself.

Here it is, a small extension with no features except displaying the number of printable characters in the text buffer of the editor, measured correctly using StringInfo.LengthInTextElements().

License

The MIT License (see opensource.org)

Download

Code Golf File Size Visual Studio Extension 1.0.0.1 (11 kB)

The VSIX file is digitally signed for “Thomas Weller”. If not, please contact me.

Screenshot of Visual Studio File Size Extension installation

Screenshot of Visual Studio File Size Extension installation

File size extension in action

File size extension in action

Known bugs

Starting from 1.000.000 characters, the character count starts hiding under the editor’s scroll bar.

WinMerge plugin to compare SilkTest files

I recently started doing test automation with Borland SilkTest Classic. Unfortunately, the collapse/expand state is stored directly in source code, which can result in many differences when comparing sources in WinMerge.

To mitigate this issue, I have implemented a PreDiffer plugin for WinMerge. It simply ignores the leading boxes when comparing the source, see the following screenshot (without plugin and with plugin).

The plugin is configured to be suggested on test files (.t) and include files (.inc).

Download IgnoreCollapseBoxes 1.0.0.0 (4 kB)

License: Freeware. You’re free to use this plugin also in commercial environments.

The plugin was developed in Visual Basic 6. If you find bugs, please contact me at winmerge-plugin.<yyyy-mm-dd>@lockerflockig.de, where <yyyy-mm-dd> is replaced with the current date (to bypass the spam filter).

SNMP password guess list

Did you ever want to hack a factory or plant? Hirschmann HiVision uses the following SNMP password guess list to log in:

Username  Password
 -        manager
 -        operator
 -        admin
 -        user
 -        private
 -        public
 admin    Emerson1
 admin    abbadmin
 admin    admin
 admin    private
 manager  manager
 operator operator
 user     Emerson1
 user     abbuser
 user     user
 user     public

Removing source control settings from Enterprise Architect

I last used Enterprise Architect by Sparx Systems on 19th of June 2006.  As our architecture was stable since then, there was hardly a need to update the architectural diagrams. And, frankly spoken, Enterprise Architect was not the best product at that time, so everyone was happy in case he needn’t touch it.

We’re now making a major refactoring so I copied the Enterprise Architect model from our old repository to the new location, then opened it. Although I am using version 9.1 now (I started with version 5.0 in 2005), the usability has not significantly improved. The first dialog I saw asked me to remove the read-only flag manually. While I can do that, it would definitely have been an option to provide a button labelled “Remove read-only flag and open”.

We’re simplifying the architecture, so for most parts I should remove existing parts. That should be as easy as pressing the Del key. As a warm-up task to become familiar with EA again, I identified something to remove, selected it and pressed the Del key. Nothing happens. No message, even not a notification in the status bar. What’s wrong?

In the Edit menu, I find my first mistake: items are not deleted using the Del key, they are deleted using Ctrl+D. How could I forget? But unfortunately the menu item is disabled, which means that I cannot delete it.

I remember that we had trouble accidentally modifying diagrams some years ago and there was a way to protect items against modification. That’s confirmed by doing a right-click on the item: there’s a context menu entry labelled “Lock Element…”.

Nothing happens. Wait, notice the text in the status bar, which says:

Current package and contained elements are checked in and may not be edited.

Alright, so there’s the old version control setting included somewhere and I should probably remove it. That should be a project-wide setting, right? EA is almost intuitive in this point. There’s a Version Control submenu of the Project menu. I see that there’s the old configuration. I can select it and press the Delete button. But Enterprise Architect cannot simply remove the version control settings from all those items for you, because it says

This configuration is being used by the following package(s): Building Block View, Runtime View, Concept View, Process View, … and may not be deleted.

Alright, that’s only a list of 16 packages. I should be able to remove version control settings from those packages manually. In the project browser I select one of the views and in its context menu I choose Package Control/Version Control Settings. It turns out that this is exactly the same dialog as on project level. Very confusing. Much like Enterprise Architect in 2005.

Luckily I tried Package Control/Configure… next. This dialog provides a checkbox to enable or disable the checkbox “Control Package”.

I went through all the 5 root views and removed the source control settings. But there need to be 11 more items under source control. How to find them?

There is a keyboard shortcut which expands all nodes of a treeview. And since Enterprise Architect didn’t modify that default behavior, just press the asterisk key to expand all nodes. The nodes under source control all have a yellow key on a dark background. Simply identify those and remove version control settings as well.

Whenever you think you have removed all items, go back to the project menu and try to delete the setting on project level. Finally, I reached my goal: removing source control settings from Enterprise Architect.

No, wait – the original goal was to remove an item from a diagram…

Processing Word documents with DocX

For an association, I had the task to write some Word documents to all members. Unfortunately, the task was a bit more complex than simply writing a circular letter and I decided to automate this task, because it will reoccur once a year.

Of course I started with the built-in Office automation which is part of Visual Studio 2010. However, I ran into deep trouble configuring all the security aspects. I was unable to open documents from a network location, because it is not trusted by default. Next I should have applied code signing in order to make it work. As I don’t have a valid certificate, this was the point in time where I was looking for alternatives.

And I found DocX at Codeplex. It really works like a charm! I didn’t have any security warning to solve, so that I’m confident it will run on other PCs as well without major administration work. It claims to work even on PCs without having Word installed. Second, the API is much more intuitive. You don’t have to deal with Type.Missing parameters and all this stuff. And the task of replacing text is done in one line of code instead of defining a range, executing a find query and then replacing the result.

Of course, DocX does probably not offer all features Word has. But it was definitely the best choice for me at this time to do a simple text replacement task (and some calculations in my code) to get the circular letter ready.

Generating PDFs with PDFSharp

PDFSharp (rev. 2013-01-06) is an open source library for creating PDF documents in any .NET language. I recently used this library because I had a print functionality in an application using the standard PrintDocument class of the Microsoft .NET Framework. The customer now wanted PDF support without the need of installing a PDF printer such as PDFCreator (rev. 2013-01-06), which would have been my first choice of realizing PDF support.

At first, I refactored the existing code with a lot of help of Resharper (rev. 2013-01-06), an invaluable tool for such tasks. The existing code parsed an XML description of what to print and directly sent it to the PrintDocument. I loosened this tight coupling and introduced a strategy pattern (rev. 2013-01-06) for printing to the PrintDocument. In the next step, I wanted to create another strategy for printing to PDFSharp. The step of defining the strategy interface and moving the PrintDocument implemention into the strategy went very well. The old functionality was not broken, so I could move on to the next step, learning about PDFSharp and doing some exercises.

At first glance, PDFSharp seemed to have all the features I needed and which were defined in the XML description: Rectangles and Pens for drawing them, Fonts and methods for drawing text. Of course, a Hello World program was the first to be achieved:

var page = new PdfPage();
page.Orientation = PageOrientation.Portrait;
page.Size = PageSize.A4;
var pdf = new PdfDocument();
pdf.Pages.Add(page);
var pageGraphics = XGraphics.FromPdfPage(page);
var arial = new XFont("Arial", 12.0);
pageGraphics.DrawString("Hello World", arial, XBrushes.Black, 10, 10, XStringFormats.Default);
pdf.Save(@"d:\sample1.pdf");

This worked very well and looked exactly like typing “Hello World” in Word and saving as PDF. I was glad, everything went smoothly so far.

When implementing the XGraphics.FromPdfPage(…) line, I saw that there was an overload where the units of the page can be specified. It also contains a definition for millimeter, which perfectly fits my needs. The definitions in my XML document are in millimeters and it took a while to implement all the conversions for the PrintDocument, so I was happy, PDFSharp would do all this for me. So I just changed the code to have

var pageGraphics = XGraphics.FromPdfPage(page, XGraphicsUnit.Millimeter);

However, this time, the text was way too big. Actually it looked like the font is now 12 millimeters high instead of 12 point. To check, what mistake I made, I read a bit more in the documentation. It turns out that the parameter of the XFont constructor actually wants to have the font size measured in em, not in pt.

This again means that I should have specified 1.0 em instead of 12.0 pt in my first example and that the output of the initial hello world program was already wrong. A quick check indicates that it was accidentally correct because the default unit is point:
var pageGraphics = XGraphics.FromPdfPage(page);
MessageBox.Show(pageGraphics.PageUnit.ToString());

Well, ok, if this is the only problem to work around, implementation will be about the same effort as for the PrintDocument. But the next problem didn’t wait long to pop up. The XGraphics.DrawString(…) method does not handle line breaks (newlines) as the .NET Graphics.DrawString(…) method does. Instead, PDFSharp will output something like blanks for \r and \n.

This is a little bit trickier to work around. You need an XTextFormatter, a XRect for the region which is available for the layouter and then call DrawString(…) on the formatter instead of the XGraphics object:

var formatter = new XTextFormatter(pageGraphics);
var layoutRectangle = new XRect(10, 10, page.Width, page.Height);
formatter.DrawString("Hello\r\nWorld", arial, XBrushes.Black, layoutRectangle);

This works and is not too complex to understand, but to use it corretcly, the page.Width and page.Height need to be replaced by some calculation which takes the page margins into account.

When implementing above layout mechanism, I saw that the formatter also has some properties which can be set.

var formatter = new XTextFormatter(pageGraphics);
var layoutRectangle = new XRect(10, 10, page.Width, page.Height);
formatter.Font = arial;
formatter.LayoutRectangle = layoutRectangle;
formatter.Text = "Hello\r\nWorld";

Unfortunately, there’s no method to draw the string without arguments, so this is quite useless. I thought it wouldn’t really matter to me, because I have a working solution for multiline strings.

Again, while using the XTextFormatter.DrawString(…) method, I saw that there’s an overload which takes a XStringFormats argument. This comes pretty handy, because I need to center a text as well. A short test should prove it works, before I use it in my code, so I simply added the XStringFormats.Center argument.

formatter.DrawString("Hello\r\nWorld", arial, XBrushes.Black, layoutRectangle, XStringFormats.Center);

I don’t exactly know how people use PDFSharp, but almost everything I try fails – also in this case. The function throws an ArgumentException saying that only TopLeft is implemented.

Implementing a multiline string center functionality is not so simple and it was worth googling for a solution. It quickly turns out that the XStringFormat argument of XTextFormatter.DrawString(…) is not the same thing as the XTextFormatter.Alignment property. Finally, I could use an Alignment of Center and keep the XStringFormat in its default to get centered text.

Well, finally it seems I have just went through all the problems during the Hello World phase. The final implementation of the PDFSharp strategy was completed within three hours.