Bitwarden Hack - How to Break Into Password Vaults Without Using Passwords 👀 \ stacker news ~security

Bitwarden Hack - How to Break Into Password Vaults Without Using Passwords 👀blog.redteam-pentesting.de/2024/bitwarden-heist/

4241 sats \ 15 comments \ @Eobard 4 Jan security

This article is discussing an issue that was patched in April 2023 and does not affect current versions of Bitwarden.

(...) this issue was only a threat when using Windows Hello with the desktop application on a device that was already compromised to a level that allowed access to Windows Credential Manager on your Windows account (basically, you have malware on your device). Classifying the storage as plaintext is a little misleading, in my opinion. The key was stored in Windows Credential Manager, which can access the plaintext value from within the scope of the Windows account. It's not on disk in plaintext. Latest versions of the Windows desktop application resolve the issue (starting with the April 2023 release, version 2023.4.0).

view all related items

772 sats \ 1 reply \ @OT 4 Jan

You had me worried reading that title.

Sigh of relief when I saw Windows

0 sats \ 0 replies \ @Eobard OP 4 Jan

deleted by author

364 sats \ 0 replies \ @ZezzebbulTheMysterious 4 Jan

My big take away here is that Microsoft DPAPI (Data Protection API) protected data on domain connected Windows hosts has an escrow key called “DPAPI Backup Key” in the DC (Domain Controller). This allows DA (Domain Administrators) to recover user data if the user forgets their password (which used to be the only way to key DPAPI, which led to user data loss in the past).

This allows dumping of all credentials locally-protected on windows host over remote SMB, including biometric unlock keys for Bitwarden vaults, which are stored in the users profile folder, given DA creds.

DA compromise can lead to all local data protected by DPAPI on domain connected windows hosts being decrypted, including credentials and vaults; without exploiting any vulns. By design.

Bitwarden changed their key scheme to add another layer of encryption to the DPAPI stored creds in the case of biometric unlock, so this attack is now more difficult. I am not convinced this is directly solvable problem given the windows domain security model with DPAPI.

843 sats \ 3 replies \ @ek 4 Jan

Ahh, Windows hacks, my favorite hacks! Always fun to see how Windows works under the hood and how their weird design gets exploited. But to be fair, most of their codes is probably that weird for historic reasons.

This post gave me the idea that I should post a write-up about a challenge in a pentesting lab. We had to get root on a Windows machine by pretending we're a printer spooler (program that queues documents for printing). Fun times :)

What is a print spooler? The print spooler is a dedicated program/software that essentially manages the order of the documents to proceed to the print queue. When you select print, your program talks to the print spooler service to work out how to render (or draw) your print job so the printer will understand it and put the colors in the right spots on the page. There are all different types of spoolers in computing (once upon a time there were literal tape spools running inside computers), so the print spooler, you guessed it, takes care of just your print documents.

-- papercut.com

What Is The Print Nightmare? Print Nightmare is actually a Remote Code Execution(RCE) vulnerability identified as CVE-2021-34527 in Microsoft’s Windows Print Spooler service. This Print Nightmare vulnerability grants access to the “RpcAddPrinterDriverEx()” a feature that installs new printer drivers in the system. Consequently, through this printing nightmare, hackers can gain complete access to the vulnerable system.

Windows Print Spooler is software that maintains a connection between the Windows operating system and a printer. It acts as a print server performing certain print activities like operating printer drivers and executing printing jobs.

-- https://www.uniprint.net/en/print-nightmare-exploit-a-detailed-analysis/

0 sats \ 2 replies \ @Eobard OP 4 Jan

deleted by author

231 sats \ 1 reply \ @ek 4 Jan

They do but they aren't as funny. Linux is FOSS, Windows is proprietary.

So reading about Windows hacks is sometimes more interesting since you usually don't have the chance to learn about Windows internals and there is definitely some schadenfreude involved.

For example, did you know what we're still using JPEG and JPG as a file extension even though they are referring to the same image format? That's only because Windows used to not support more than three letters for file extensions:

JPG and JPEG are file extensions that both refer to the same image format. The two names exist because some early Windows computers only supported three-character extensions, but modern devices recognize both JPGs and JPEGs and handle them the same.

-- https://www.howtogeek.com/796389/jpg-vs.-jpeg-are-they-the-same-thing/

0 sats \ 0 replies \ @Eobard OP 4 Jan

deleted by author

172 sats \ 5 replies \ @kepford 4 Jan

Moral of the story... don't use Windows.

50 sats \ 3 replies \ @kepford 4 Jan

I have zero trust of Windows. I would not even have it on my network let alone run a bitcoin wallet app or password store on it.

10 sats \ 2 replies \ @Eobard OP 4 Jan

deleted by author

40 sats \ 1 reply \ @Coinosphere 5 Jan

I wouldn't have been able to switch from windows to linux without Mint. It was the easiest + the most supported for years.

Nowadays I think that title goes to POPOS: https://pop.system76.com/

Honestly, you won't have to see the command line for years, if ever. It's that easy to pick up.

30 sats \ 0 replies \ @kepford 5 Jan

I'm not a windows guy but this advice is what I hear most often. Honestly just make the jump.

0 sats \ 0 replies \ @haimot 5 Jan

And host your own Bitwarden sever

0 sats \ 0 replies \ @Lumor 4 Jan

One wonders what happens to the contents of KeyCredentialManager if the user forgets their password..

Had a task on my TODO-list once to use the Windows secret storing API:s. Would probably ended up with the same vulnerability as Bitwarden. (Was just for an internally used service in my case).

0 sats \ 0 replies \ @0xIlmari 4 Jan

People still using Windows in ~~2023~~ 2024?