KeePassXC OpenSSL Configuration Uncontrolled Search Path Element Local Privilege Escalation Vulnerability

Vulnerability

A local privilege escalation vulnerability has been identified in KeePassXC versions through 2.7.11. This issue arises from the application's OpenSSL configuration, which is loaded from an unsecured location. A low-privileged user can exploit this vulnerability to inject a malicious DLL that is executed within the context of KeePassXC, potentially compromising the user's secrets managed by the application.

Impact

Exploitation of this vulnerability allows for local privilege escalation, enabling the execution of arbitrary code within the KeePassXC application process, with access to the user's secrets stored in the application.

Reproduction

To reproduce this vulnerability, first build the 'CmdOnDllMain' solution to create a DLL that will be used in the exploit. Then, log into a Windows machine as a low-privileged user and create a directory structure that mimics the OpenSSL configuration path. Place the crafted DLL and an OpenSSL configuration file in this directory. When KeePassXC is launched by any user on the machine, the malicious DLL is loaded, demonstrating the privilege escalation by executing arbitrary code in the context of the target user.

Remediation

Users are advised to update KeePassXC to version 2.7.12 or later, where this vulnerability has been patched.
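The advisory describes the root cause (an OpenSSL configuration directory that low-privileged users can create or write to) and the fix (2.7.12 or later) without giving an administrator a way to verify either on a fleet. The following PowerShell script is an added defender-side check written for this page; it is not code from the advisory or from the KeePassXC project. It walks up from the configured OpenSSL directory to the nearest existing ancestor and reports whether common low-privileged principals hold write or create rights there (which is what would let such a directory structure be planted), then reads the installed KeePassXC version from the uninstall registry keys and compares it with the patched version. The `$OpenSslConfigDir` value is a placeholder: the advisory does not name the path, so substitute the OPENSSLDIR of the OpenSSL build shipped with your KeePassXC installation.

```powershell
# Added audit script (not part of the advisory): checks whether the OpenSSL
# configuration path trusted by KeePassXC can be created or written by
# low-privileged users, and whether the installed KeePassXC is at least 2.7.12.
# ASSUMPTION: $OpenSslConfigDir is a placeholder; the advisory does not state the
# path. Replace it with the OPENSSLDIR of the OpenSSL build bundled with KeePassXC.
param(
    [string]$OpenSslConfigDir = 'C:\PLACEHOLDER\OpenSSL\config-dir',
    [version]$FixedVersion = [version]'2.7.12'
)

# Principals that should never be able to create or modify files on a path that
# every user's KeePassXC process trusts.
$lowPrivPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# Any of these rights lets a caller plant or replace files or subdirectories.
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
             [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-NearestExistingAncestor([string]$Path) {
    # If the configured directory is absent, the question becomes whether a
    # low-privileged user could create it, i.e. whether the closest existing
    # parent is writable. Split-Path returns '' above the drive root, which
    # ends the loop.
    $current = $Path
    while ($current -and -not (Test-Path -LiteralPath $current)) {
        $current = Split-Path -Path $current -Parent
    }
    return $current
}

function Test-LowPrivWritable([string]$Path) {
    # Returns the Allow ACEs that grant write-class rights to low-privileged
    # principals; an empty result means no such grant was found.
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        if (($ace.FileSystemRights -band $writeMask) -ne 0) { $ace }
    }
}

function Get-KeePassXCVersion {
    # Reads DisplayVersion from the standard per-machine and per-user uninstall
    # keys; returns $null when KeePassXC is not registered there.
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'KeePassXC*' } |
        Select-Object -First 1 -ExpandProperty DisplayVersion
}

# --- Check 1: can a low-privileged user plant the OpenSSL configuration path? ---
$ancestor = Get-NearestExistingAncestor $OpenSslConfigDir
Write-Host "Configured OpenSSL directory: $OpenSslConfigDir"
Write-Host "Nearest existing path checked: $ancestor"
$hits = @(Test-LowPrivWritable $ancestor)
if ($hits.Count -gt 0) {
    Write-Host 'FINDING: low-privileged principals can write here; a mimicked configuration path could be planted.'
    foreach ($h in $hits) {
        Write-Host ('  {0}: {1}' -f $h.IdentityReference.Value, $h.FileSystemRights)
    }
} else {
    Write-Host 'OK: no write-class rights for low-privileged principals on this path.'
}

# --- Check 2: is the installed KeePassXC at or above the patched version? ---
$installed = Get-KeePassXCVersion
if (-not $installed) {
    Write-Host 'KeePassXC not found in the uninstall registry keys.'
} else {
    try {
        if ([version]$installed -lt $FixedVersion) {
            Write-Host "FINDING: KeePassXC $installed is below the patched version $FixedVersion; update."
        } else {
            Write-Host "OK: KeePassXC $installed is at or above $FixedVersion."
        }
    } catch {
        Write-Host "Could not parse installed version string '$installed'; compare it with $FixedVersion manually."
    }
}
```

Run it from an elevated PowerShell session on the host being audited. A "FINDING" on the first check means the directory permissions, not only the KeePassXC version, need attention: tightening the ACL on that ancestor (or creating the directory with administrator-only write access) removes the planting opportunity independently of the application update.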

Added: Apr 11, 2026, 1:22 AM
Updated: Apr 11, 2026, 1:22 AM

Vulnerability Rating

Custom Algorithm

spread: 5.4
impact: 7.5
exploitability: 3.4
remediation: 7.7
relevance: 5.7
threat: 1.6
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.