Portability

PLGX plugins are compiled by KeePass and the generated files are stored in a plugin cache, which by default is located in the user's application data directory (so, running a PLGX plugin by default creates files outside the KeePass application directory). These plugin cache files do not need to be copied to other systems though, because they are generated on each system and do not contain any user data.

Plugins must be stored in the 'Plugins' folder of the KeePass application directory. An attacker who can copy a malicious plugin into this folder could typically also replace the 'KeePass.exe' file by malware. As protection against such attacks, an appropriate file system access control list (ACL) should be used (for the whole KeePass application directory, including the 'Plugins' folder); administrator privileges should be required for write access.
DLL vs. PLGX:
KeePass supports two plugin file formats: DLL and PLGX. A DLL plugin is loaded directly, whereas KeePass needs to compile a PLGX plugin to a DLL plugin first, which is then stored in a plugin cache (see the section below).

By default, the user has write access in the PLGX plugin cache directory (without administrator privileges). This is not a security vulnerability. Let us assume that an attacker has write access in the plugin cache directory and the goal is code execution. The plugin cache folder is typically located in the user's profile directory and has the same ACL, i.e. the attacker has write access in the user's profile directory. With this, there are many ways to execute malware (a few examples can be found here: 'Write Access to Configuration File'). Stand-alone malware can also be specialized on attacking KeePass (see 'Specialized Spyware'); it does not need to be a plugin for this. Furthermore, anti-virus software scans all files containing executable code (EXE, DLL, ...); malware is either detected or not, independent of where in the user's profile directory it is stored.

If you worry about this anyway, consider adjusting the ACL of the PLGX plugin cache directory to require administrator privileges for write access. Note though that this may result in some plugins not working properly anymore (those that assume to have write access in the plugin cache directory), and the KeePass option 'Delete old files from cache automatically' also may not work anymore.

PLGX plugins (not DLL plugins) are compiled and stored in a plugin cache directory on the user's system. This cache improves the startup performance of KeePass. Old files are normally deleted from the cache automatically (this can be disabled in the plugins dialog). The cache does not contain any user data.

By default, the plugin cache is located in the user's local application data directory (%LOCALAPPDATA%\KeePass\PluginCache). However, this can be overridden using the Application/PluginCachePath setting in the enforced configuration file (this setting supports placeholders and environment variables). So, if you are for example using KeePass on a portable device and do not want the cache to be on the system, you could set the path to APPDIR\PluginCache.
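As an added example (not KeePass's own code), the following PowerShell audit resolves the plugin cache location the way the text above describes (enforced configuration first, then the default under %LOCALAPPDATA%) and reports any non-administrative identity with write access to the KeePass application directory, its Plugins folder, or the cache. The enforced configuration file name KeePass.config.enforced.xml, the {APPDIR} placeholder spelling and the default install path are assumptions; adjust them for your installation.

```powershell
# Added audit script (not part of KeePass): flags directories where identities
# other than the expected administrative principals can write.
param(
    # Assumed install location; pass the portable folder for portable installs.
    [string]$AppDir = "C:\Program Files\KeePass Password Safe 2"
)

# Resolve the PLGX plugin cache: Application/PluginCachePath in the enforced
# configuration file (assumed name KeePass.config.enforced.xml) wins,
# otherwise the documented default under %LOCALAPPDATA%.
$cache    = Join-Path $env:LOCALAPPDATA "KeePass\PluginCache"
$enforced = Join-Path $AppDir "KeePass.config.enforced.xml"
if (Test-Path $enforced) {
    [xml]$cfg = Get-Content -Raw -Path $enforced
    $p = $cfg.Configuration.Application.PluginCachePath
    if ($p) {
        # {APPDIR} (assumed placeholder spelling) stands for the application
        # directory; environment variables in the value are expanded as well.
        $p = $p.Replace('{APPDIR}', $AppDir)
        $cache = [Environment]::ExpandEnvironmentVariables($p)
    }
}

# Principals that may legitimately hold write access; anyone else is reported.
$allowed = @('NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators',
             'NT SERVICE\TrustedInstaller')
$writeMask = [System.Security.AccessControl.FileSystemRights]::Write -bor
             [System.Security.AccessControl.FileSystemRights]::Modify -bor
             [System.Security.AccessControl.FileSystemRights]::FullControl

foreach ($dir in @($AppDir, (Join-Path $AppDir 'Plugins'), $cache)) {
    if (-not (Test-Path $dir)) { Write-Output "MISSING  $dir"; continue }
    $acl  = Get-Acl -Path $dir
    $weak = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ($_.FileSystemRights -band $writeMask) -ne 0 -and
        $allowed -notcontains $_.IdentityReference.Value
    }
    if ($weak) {
        foreach ($ace in $weak) {
            Write-Output ("WRITABLE {0} by {1} ({2})" -f $dir,
                          $ace.IdentityReference, $ace.FileSystemRights)
        }
    } else {
        Write-Output "OK       $dir"
    }
}
```

A WRITABLE line for the application directory or Plugins folder is the condition the text warns about; a WRITABLE line for the cache is the default and only worth tightening if you accept the plugin-compatibility caveat above.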
Let's take the example of Favicon downloader or even Password counter. These 2 plugins clearly show that they both have access to internet and my passwords. So how can I be sure they don't steal them? I mean they could just send all my information to a server and I'd never know it.
The only problem is that some of them are open source, some others are not. Moreover, in case of an open source plugin, you can't be sure the PLGX file you downloaded really corresponds to the publicly available source code. Therefore either you generate the PLGX file by yourself or you review the code of the PLGX file directly.
A KeePass plugin can do pretty much anything that KeePass itself can; it is effectively just a .NET library. AFAIK, there is no sandboxing at all for a KeePass plugin. So unless you decompile and do a code review, you have to trust the plugin's author(s), the person that compiled the plugin, and that the plugin hasn't been tampered with in transit. A plugin is pretty much capable of sending your entire password lists to the internet, or formatting your hard disk if you run KeePass as a user with privilege to do that.
Also, when you're reviewing a KeePass plugin's source, don't forget to also review the --plgx-build-pre: and --plgx-build-post: code. Any shell commands can be run during plugin compile/install with those options.
This was already answered, but I've made a small Windows tool for unpacking KeePass PLGX files. No KeePass executable dependency is required. It can also integrate into the Shell Context Menu and associate with PLGX files (files having the .plgx extension).
I am trying to delete the 2 plugins that I have: TwofishCipher and CertKeyProviderPlugin from AppData\Local\KeePass\PluginCache\ , but after deleting them from the PluginCache there, they pop up again on the start of KeePass - both as listed under the Tool/Plugins menu and as 2 dll files in the PluginCache.
I just tried both plugins and didn't have any trouble adding or deleting them. Upon adding they compiled and showed up in the KeePass Plugins dialog. Upon deleting the .plgx files they disappeared from the Plugins dialog.
Problem solved.
Earlier, I deleted the two plugins from both the /PluginCache and from the /plugins sub-dir, and when you mentioned earlier to look at the /appdir I thought you meant the /plugins dir below the /appdir.
Your insistence about checking the /appdir made me look again (including doing a whole disk search...) - and indeed I had the two plugins also at the /appdir. Deleted them and now I am OK.
I have tried to install the KeeForm plugin which says to unzip and copy its executables to the same folder as KeePass.exe which on my system is
"C:\Program Files (x86)\KeePass Password Safe 2" (without quote marks)
KeePass does not find the plugins.
As per the KeePass general plugin install instructions, I copied a folder containing the plugin executables to the KeePass Plugins folder, which on my system is
C:\Program Files (x86)\KeePass Password Safe 2\Plugins\KeeFormFF
KeePass does not find the plugins.
Thanks, it wasn't obvious to me. I see now where the developer describes it as an extension. In the future, how does one tell from the KeePass plugins page which are actually extensions? And where do "extensions" get installed?
What Dominik describes as "extensions" are essentially plugins for other programs (browsers, usually) that are designed to allow those other programs to interact with KeePass. They're not called KeePass plugins because (for the most part) they don't make changes to the KeePass program's functionality. Where and how "extensions" get installed is dependent upon which program they're extending.
The instructions are indeed a bit rubbish. If KeeForm is a browser plug-in, why are the installation instructions not related to a browser, but only to KeePass ?
Charles, presumably you tried the instructions that include:
"To make KeeForm the default URL handler for KeePass, navigate in the KeePass main menu to Tools -> Options -> Integration and enter the following setting in the input field Override all URLs." etc....
I have the above working, but I'm not sure it's actually using KeeForm - it just seems to use functionality built into KeePass....in which case I'm unsure why it's stated on the KeeForm website ??!!
If you used the KeeForm instructions and the fields fill in as soon as you open the web page, then you are using KeeForm.
KeePass requires you press the Global Auto-Type hot keys to fill in fields.
Today I got that update notification that a plugin update was available. Is there an easier way to accomplish this than by going to the plugins folder > plugins web page > webpage of the particular plugin > download the plugin > manually install?
EarlyUpdateCheck helps to run these checks for updates of KeePass and installed plugins BEFORE a database is opened.
Additionally, it offers a handy one click update mode for all of my plugins integrated in KeePass' update check and also supports updating KeePass itself. This will invoke Windows UAC if required to copy the downloaded files into KeePass' plugin folder. Details can be found in the configuration settings.
However, after downloading and copying the KeePassHttp executable to the C:\Program Files (x86)\KeePass Password Safe folder, it refuses to show up in the KeePass plugins window. Please help, I've tried downloading KeePassHttp using multiple links from github and passifox itself using Firefox and even wget. Also I've tried pinging :19455 but nothing was found.
Hi, I'm using Keepass 2.33 portable and I want to use plugins, but if I copy .plgx files into the same folder where keepass.exe is (I've also tried to create a subfolder in the portable folder and copy them into plugins), when I go into the menu Tools \ Plugins I don't see any plugins!!!
What's wrong?
Plug-ins work for me on portable versions.
What "portable" KeePass are you using? The one from
keepass.info?
Are you using KeePass V1 or V2?
What plug-in?
Have you re-started KeePass twice?
Hi Paul, I'm using the V2.33 version of portable from keepass.info... yes I've restarted Keepass twice but I see nothing on the plugin list.
I've seen now that the problem is "only" with the KeePassHttp.plgx plugin; I've tried another plugin and it shows correctly on the list.
Hello,
I think it could be useful to be able to specify an alternate plugins folder (via a "-pluginsdir" command line option for instance). Could this be considered? (unless there is another reason to prohibit this).
Some of my coworkers have chosen to use a version of Keepass packaged by our IT PC department. Doing so, they benefit from automatic updates via our software delivery infrastructure, but this prevents using plugins since it's installed at system level.
They could use the portable version as I do (or even create it using the installed one as described here) but they would have to manage updates themselves.