What can we do if we have forgotten a database link password and need it? Are we stuck? In this short blog post I will show a way to recover the password! For that we are going to use the Pin tools described in my previous post for tracing memory references, together with the GDB debugger.
Test ENV : oracle 12.1.0.2.6/OEL6/UEK4
I begin by creating a database link with a known password.
CREATE DATABASE LINK test12 CONNECT TO HATEM IDENTIFIED BY "hatem_mahmoud" USING 'testdb';
select UTL_RAW.CAST_TO_RAW('hatem_mahmoud') from dual;

Attach the Pin tool for memory reference tracing (see my previous post) to the process, then run the following (this triggers the decryption of the password):
select * from v$version@test12;
After analyzing the memory reference trace file for fragments of the password in clear text (raw format), I identified an interesting function used for password encryption, “r0_aes_cbc_loop_enc_x86_intel” (we can also use the “r0_aes_cbc_loop_dec_x86_intel” function, which is used for password decryption), and, by disassembling r0_aes_cbc_loop_enc_x86_intel, the register xmm1.
Also, after some experimentation, it appeared that the password value is stored in the xmm1 register at address 0x000000000521a162 (which points to some offset inside the r0_aes_cbc_loop_enc_x86_intel function) when “r0_aes_cbc_loop_enc_x86_intel” is not called from the function “kpuauth0”. (This is far from being an exhaustive test.)
Finally here is the gdb script :
break kpuauth0
break *0x000000000521a162
command 2
p/x $xmm1.v16_int8
c
end
Attach GDB to the process then select from the dblink to trigger the decryption :
select * from v$version@test12;
GDB output :
And here is the password in raw format between “0x22” and “0x22,0x1”:
select UTL_RAW.CAST_TO_VARCHAR2('686174656d5f6d61686d6f7564') from dual;

UTL_RAW.CAST_TO_VARCHAR2('686174656D5F6D61686D6F7564')
--------------------------------------------------------------------------------
hatem_mahmoud
Let’s test with a longer password identifier :
CREATE DATABASE LINK test11 CONNECT TO HATEM IDENTIFIED BY "hatem_mahmoud_can_you_find_me" USING 'testdb';
Attach GDB to the process then select from the db link to trigger the decryption :
select * from v$version@test11;
GDB output :
And here is the password in raw format between “0x22” and “0x22,0x1”:
select UTL_RAW.CAST_TO_VARCHAR2('686174656d5f6d61686d6f75645f63616e5f796f755f66696e645f6d65') from dual;

UTL_RAW.CAST_TO_VARCHAR2('686174656D5F6D61686D6F75645F63616E5F796F755F66696E645F
--------------------------------------------------------------------------------
hatem_mahmoud_can_you_find_me
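Both runs above need GDB attached to the Oracle server process, and while a ptrace-based debugger is attached the Linux kernel records its PID in the TracerPid field of /proc/<pid>/status. The following check is an added example, not part of the original post: it lists processes that are currently being traced and by whom. The `ora` process-name prefix and the sample process name are assumptions.

```python
import os

# Constructed sample of /proc/<pid>/status for a server process with GDB attached.
SAMPLE_STATUS = "Name:\toracle_4321_te\nState:\tt (tracing stop)\nPid:\t4321\nTracerPid:\t4400\n"


def parse_status(text):
    """Turn /proc/<pid>/status text into a {field: value} dict."""
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    return fields


def read_status(proc_root, pid):
    """Read one status file; None if the process exited or is unreadable."""
    try:
        with open(os.path.join(proc_root, str(pid), "status")) as fh:
            return parse_status(fh.read())
    except OSError:
        return None


def traced_processes(proc_root="/proc", name_prefix="ora"):
    """List (pid, name, tracer_pid, tracer_name) for matching processes under ptrace.

    name_prefix is an assumption about how the server processes are named.
    """
    hits = []
    for entry in sorted(os.listdir(proc_root)):
        if not entry.isdigit():
            continue  # skip non-process entries such as "self"
        status = read_status(proc_root, entry)
        if not status or not status.get("Name", "").startswith(name_prefix):
            continue
        tracer = int(status.get("TracerPid", "0") or 0)
        if tracer == 0:
            continue  # nobody is attached to this process
        tracer_status = read_status(proc_root, tracer) or {}
        hits.append((int(entry), status["Name"], tracer, tracer_status.get("Name", "?")))
    return hits


if __name__ == "__main__":
    for pid, name, tracer, tracer_name in traced_processes():
        print(f"pid {pid} ({name}) is being traced by pid {tracer} ({tracer_name})")
```

Run it as root or as the Oracle software owner so that every status file is readable.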
That’s it 😀
If you like this you may like Oracle getting anyone’s password
REF :
http://www.ludovicocaldara.net/dba/ora-02153-create-database-link/
https://www.krenger.ch/blog/find-password-for-database-link/
Wonderful Hatem
Thanks Sami 🙂
Have you got a gdb script for oracle 11g?
No, but you can do the same for 11g! Use Intel pin tools pinatrace.so for that 🙂
[…] is my third blog post about DB Link encryption/decryption. In the first one I demonstrated how we can find the database link password in clear text using GDB and Intel pin […]
How did you get this number to convert it?
686174656d5f6d61686d6f75645f63616e5f796f755f66696e645f6d65
From the xmm register, just take a look at the picture above.
[…] just published a blog post on how to get the oracle database link password if for some reason we have forgotten it. Brian Fitzgerald respond to me with […]