Tearing Apart LastPass
Password managers not too long ago didn’t exist and it resulted in one of a few less than… optimal… paths taken to ensure a user didn’t forget their password(s). A few of the most common paths taken were reusing a super simple password, such as “password123” or “baseball”, in which, according to CyberNews (https://cybernews.com/best-passwordmanagers/most-common-passwords/), the use of incredibly simple passwords is still in use even today at the time of this writing. (I know, who would have thought). Another common technique utilized and probably still is even today someone just writing down their passwords or saving them in a cloud-based drive, that also utilized a very simple password, to allow them an easy way to store passwords for sites that have stronger password requirements than they are willing to work with. To be fair, remembering some of these passwords is not exactly easy, especially as life gets busier for us as we age or due to mental health impacts on memory. Luckily in the past few years password managers or password vaults have started to become technologically adapted to solve these problems, allowing for one password to rule them all. A password vault mixed with complex passwords, specifically those a lot of these tools auto generate have led to arguably stronger passwords being utilized across the web. However, a breach in the vault can result in not just one account being taken over, but all accounts stored in these tools, as well as credit card information and other sensitive information. As these tools have expanded to store additional content. Shown below, we can see LastPass’s dashboard on Windows 10, which provides some insight into the types of content these vaults can now store.
Another initial concern of these password managers/vaults is they often are designed for ease of use on the user’s system. This makes sense, as no one wants to jump through hoops to just get access to their passwords, otherwise they may just revert back to a less secure technique for keeping these passwords, however, if a user’s system was compromised by lets say malware that has the ability to take screenshots or get access to the devices clipboard, then the users data within the vault now becomes at risk of being stolen. Another concern that comes up often with these password managers is because they are cloud based, what happens if they are compromised like LastPass was in December of 2022 (https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/), where unauthorized access to their cloud-based backups occurred, which could result in hundreds of thousands, if not millions of passwords being leaked; to be fair, even with this occurring, if everyone just changes their passwords and resets their vault password, it’s probably still a better option than what most people do (back to my first point about terrible passwords and storage techniques). What can make things worse is the sense of security these vaults can provide, if a user gets too comfortable with these and assumes they are 100% secure, they may start to take less care of their vault and/or their passwords resulting in compromise of one or more accounts. Taking away the user side of things, which is generally the least secure part of a system, let’s start to get into what the real core of this text is covering, a deeper look at the password manager known as LastPass. To do this I had to finally cave and sign up for this service, which honestly already is haunting me with emails that to be fair I probably can opt out of easily, but I am lazy. Anyways, the first thing I had to do was install it on a Windows Flare box I spun up in the cloud, this provided me with both LastPass and the tools necessary to perform some static and dynamic analysis of the password manager.
As you can see from installation image above, upon installation LastPass lets you install plugins to your browsers as well with the desktop application, something I thought was nice, and provides more of a completed package. Upon installation, it will then sync with the cloud to allow you to pull in your passwords as well as other sensitive data, for the sake of this, I created a generic note and saved it to test out that feature as well, which can be seen in the first image of the dashboard above. Now with any form of dynamic analysis of a cloud-based tool, the first thing I personally like to do is inspect network traffic using Wireshark, so that’s just what I did. To perform this inspection, I logged in and out, while capturing traffic, and altered my test note I mentioned earlier. It appears that LastPass when making network comms back to the cloud will utilize TLS version 1.2.
Now, TLS version 1.2 is a bit older, specifically it was released in August 2008, according to acunetix.com (https://www.acunetix.com/blog/articles/history-of-tls-ssl-part-2/) and that’s correct, it does have known vulnerabilities, with the most recent being the Racoon attack (https://raccoon-attack.com/) I believe. To my limited knowledge on this attack and the other attacks, a user shouldn’t be too worried about this, however, as it seems there needs to be a specific setup required to trigger these attacks if LastPass is vulnerable to them. In my opinion, this only should concern someone who is a high valued target that may be targeted by not only some jerk in a coffeeshop, but by nation states and criminal organizations, so to 99.9% of people this is probably not a concern, or at least not something to keep you up overnight. LastPass using TLS version 1.2 also utilized, at least on my machine the “TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384” cipher suite for communications. For those interested, I’d recommend splitting the cipher suite by underscores and googling each of those terms to get a better understanding of this cipher suite, as it is not just one algorithm, such as MD5 or RSA.
As far as LastPass’s cloud provider, it looks like they utilize Akamai (https://www.akamai.com/), who honestly, I have seen a lot in DNS resolutions before, but never dug into. It should be noted, they may just be a CDN (content delivery network) as well instead of their cloud host.
I should note for the curious mind who also wishes to dig into this tool, you will probably see two unique IP’s, one for logging in, and for any syncing, the one shown above through Akamai is who I at least saw talking to my VM. Shown below is the DNS answer received when trying to log back in.
What happens if we kill the network and try to access our content? Well, its cached as expected, as you can see below, after I killed the network, I was still able to access my secure notes.
Where this is hidden is a guess currently, I dug through the Windows file system and performed a file search for “LastPass” and beyond a few things that popped up, nothing appeared that looked like a cached vault to me. However, a few things that may have been keys did appear under program files and WindowsApps, but it should be noted that these folders require administrator access and even with that access you can’t just take the apparent files and do anything nasty that I am aware of. Below is an image of one area of interest that also looked like it contained certificate information as well as some DLLs and other app information.
I did get curious about the DLLs to see if they are signed and it appears “clrcompression.dll” is signed, while the other two are not. However, it should be noted that once again, this area requires administrative access so performing a simple form of DLL hijacking won’t be enough to do some nasty things.
Now onto one area of interest to me is the background process for LastPass, to provide a little context when LastPass is started it kicks off a background process that I would assume performs general upkeep and syncing with the LastPass cloud, it may be of interest to dig into so let’s do it!
The first thing when reversing a binary, I like to do is always look through strings, in my opinion strings provide with some flags for you to follow when looking to make more sense of a program and this program luckily has a ton!
The strings of interest that appeared to me in this search were related to hooking, login/logout, an indicator for serialization/deserialization of data, and some long strings that look like they may be used for salts or something as well as obfuscation related things. For this text to keep the static analysis of this service shorter, we won’t be digging too much into this though, as the reverse engineering process of a binary this large can easily go on for weeks or months. Two functions that did appear to stand out were related to obfuscation as shown below.
It should be noted that while we have names for these functions, it may not be what we think it is. Upon a quick overview of the functions, it does look like it is mixing up data to perform a form of obfuscation, possibly a proprietary algorithm to obfuscate whatever data this function is working with. Hopefully this isn’t anything super important though because we don’t want to rely on an inhouse obfuscation function, but tested and hardened cryptographic protocols and algorithms to ensure our data is safe. Without tearing this apart more, it is hard to say exactly what this is though as I mentioned earlier. Nothing else within this binary looked too interesting from an initial view, however, I am sure with more time and digging there are some interesting things hiding within there that may help us peel back the security of this tool more. But for now, it looks like most is just related to general upkeep and settings and such.
For more information on LastPass a quick google search will provide more than enough, and for those interested in digging deeper into LastPass I encourage you to reverse it more than what I did within this text, as there is quite a bit there to unpack that can easily go on for months, I am sure. Overall, from an initial look at the tool, LastPass does appear to be decently secure, without having any things that stood out as a huge risk, such as DLLs being placed in non-administrative folders, or insecure network traffic. I would recommend one of these password vaults to someone who needs to organize their passwords and needs a way to have more secure passwords, I know the cyber security community has a “don’t put all of your eggs in one basket” kind of view on these vaults, and that is true, but just for passwords I would say go for it as its probably better than what most people are doing for password management, plus, if the user doesn’t like it they can always just delete their account and go back to their old ways.
