05-03-2018 / Vulnerabilities

GPG Reaper - Steal GPG Private Keys

  • Obtain/Steal/Restore GPG Private Keys from gpg-agent cache/memory.

This POC demonstrates a method for obtaining GPG private keys from gpg-agent memory under Windows.

Normally this should only be possible within a 10-minute window (the --default-cache-ttl value, 600 seconds by default).

Unfortunately, the housekeeping() function (which is responsible for cache cleanup) is executed only when GPG is actually used; there is no timer that runs it on its own.

This means that in a normal GPG use case, such as signing a file, closing the GUI and moving on to another task, your passphrase stays in gpg-agent memory even after the ttl has expired.

An attacker with access to your current session can use this to steal the private key without knowing your passphrase.

  • NOTICE: GPG will change the caching mechanism in version 2.2.6. Check the commit and issue.
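The following is an added example, not part of GPG Reaper or of GnuPG itself, that shows the check a user can run to see whether gpg-agent is still answering from its cache after the ttl should have expired, and the explicit flush that removes the passphrase without waiting for housekeeping(). It assumes gpg.exe and gpg-connect-agent.exe (GnuPG 2.1 or later, e.g. Gpg4win) are on PATH, that the key's passphrase was entered earlier in the session, and $KeyId is a placeholder for that key.

```powershell
# Added example, not part of GPG Reaper or GnuPG: probe whether gpg-agent
# will still sign without prompting (i.e. the passphrase is cached), then
# flush the cache explicitly instead of relying on the ttl.
# Assumes gpg.exe and gpg-connect-agent.exe (GnuPG 2.1+ / Gpg4win) are on PATH.
# $KeyId is a placeholder for the key you signed with earlier.
param(
    [Parameter(Mandatory = $true)][string]$KeyId,
    [string]$ProbeFile = (Join-Path $env:TEMP "gpg-cache-probe.txt")
)

function Test-GpgPassphraseCached {
    param([string]$KeyId, [string]$File)
    # --pinentry-mode error tells gpg to fail rather than ask for a passphrase,
    # so a successful detached signature can only come from the agent's cache.
    & gpg --batch --yes --pinentry-mode error --local-user $KeyId `
          --output "$File.sig" --detach-sign $File 2>$null | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Clear-GpgAgentCache {
    # RELOADAGENT has the same effect as SIGHUP: gpg-agent re-reads its
    # configuration and drops every cached passphrase.
    & gpg-connect-agent reloadagent /bye | Out-Null
    return ($LASTEXITCODE -eq 0)
}

# Constructed probe input; any file works, it is only signed and discarded.
Set-Content -Path $ProbeFile -Value "cache probe $(Get-Date -Format o)"

if (Test-GpgPassphraseCached -KeyId $KeyId -File $ProbeFile) {
    Write-Host "gpg-agent signed without a prompt: the passphrase for $KeyId is still cached."
} else {
    Write-Host "gpg-agent refused to sign without a prompt: nothing cached for $KeyId."
}

# Mitigation: flush right after the real signing job is done.
if (Clear-GpgAgentCache) {
    $stillCached = Test-GpgPassphraseCached -KeyId $KeyId -File $ProbeFile
    Write-Host "Cached after reloadagent: $stillCached"
}

Remove-Item $ProbeFile, "$ProbeFile.sig" -ErrorAction SilentlyContinue
```

Run it more than --default-cache-ttl seconds after the last real signing operation: a signature produced without any prompt means the agent never swept the expired entry. A successful probe is itself a use of the key, so treat it as a one-off check rather than a monitor. `gpgconf --reload gpg-agent` is equivalent to the reloadagent command above, and `gpgconf --kill gpg-agent` goes one step further by terminating the process, so there is no agent memory left to dump.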

Basic usage:

On victim computer:

powershell -ExecutionPolicy Bypass -File Gpg-Reaper.ps1 -OutputFile out.txt

Transfer out.txt to your machine and restore the private keys:

gpg_reaper.py out.txt

Download HERE.

Timeline

  • 05-03-2018: Release