Finding Oracle DB link password : Memory analysis

What do we do if we forgot a database link password and need it? Are we stuck? In this short blog post I will show a way to recover the password. For that we are going to use the Pin tool for tracing memory references described in my previous post, together with the debugger GDB.

Test ENV: Oracle 12.1.0.2.6 / OEL6 / UEK4

I begin by creating a database link with a known password.


CREATE DATABASE LINK test12
CONNECT TO HATEM
IDENTIFIED BY "hatem_mahmoud"
USING 'testdb';

select UTL_RAW.CAST_TO_RAW('hatem_mahmoud') from dual;

Attach the Pin tool for memory reference tracing (see my previous post) to the process, then run the following query (this will trigger the decryption of the password):


select * from v$version@test12;

After analyzing the memory reference trace file for fragments of the password in clear text (raw format), I identified an interesting function used for the password encryption, "r0_aes_cbc_loop_enc_x86_intel" (the function "r0_aes_cbc_loop_dec_x86_intel", which is used for password decryption, can be used as well), and, by disassembling r0_aes_cbc_loop_enc_x86_intel, the register of interest: xmm1.

Also, after some experimentation, it appeared that the password value is held in the xmm1 register at address 0x000000000521a162 (an offset inside the r0_aes_cbc_loop_enc_x86_intel function) when r0_aes_cbc_loop_enc_x86_intel is not called from the function "kpuauth0". (This is far from being an exhaustive test.)

Finally, here is the GDB script:


# breakpoint 1: stop on entry to kpuauth0 (hits of breakpoint 2 reached from it do not hold the password, see above)
break kpuauth0
# breakpoint 2: the offset inside r0_aes_cbc_loop_enc_x86_intel where xmm1 holds the clear text
break *0x000000000521a162
# on every hit of breakpoint 2, dump xmm1 as 16 bytes in hex, then continue
command 2
p/x $xmm1.v16_int8
c
end

Attach GDB to the process, then select from the DB link to trigger the decryption:


select * from v$version@test12;

GDB output :

[screenshot capture-02: GDB output with the xmm1 register dumps]

And here is the password in raw format, between "0x22" and "0x22,0x1":


select UTL_RAW.CAST_TO_VARCHAR2('686174656d5f6d61686d6f7564') from dual;

UTL_RAW.CAST_TO_VARCHAR2('686174656D5F6D61686D6F7564')
--------------------------------------------------------------------------------
hatem_mahmoud

Let's test with a longer password:


CREATE DATABASE LINK test11
CONNECT TO HATEM
IDENTIFIED BY "hatem_mahmoud_can_you_find_me"
USING 'testdb';

Attach GDB to the process, then select from the DB link to trigger the decryption:


select * from v$version@test11;

GDB output :

[screenshot Capture 01.PNG: GDB output with the xmm1 register dumps]

And here is the password in raw format, between "0x22" and "0x22,0x1":


select UTL_RAW.CAST_TO_VARCHAR2('686174656d5f6d61686d6f75645f63616e5f796f755f66696e645f6d65') from dual;

UTL_RAW.CAST_TO_VARCHAR2('686174656D5F6D61686D6F75645F63616E5F796F755F66696E645F
--------------------------------------------------------------------------------
hatem_mahmoud_can_you_find_me
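As an added example (not code from the original post), here is a small Python script that does the decoding step shown above for both links in one go: it reads the `$N = {0x22, ...}` lines that the GDB script's `p/x $xmm1.v16_int8` command prints, joins the 16-byte dumps in order, pulls out the run framed by 0x22 (the ASCII double quote) and 0x22,0x1, and converts it the way UTL_RAW.CAST_TO_RAW / CAST_TO_VARCHAR2 do. Since the screenshots are not reproduced here, the GDB output in the script is constructed to match the first link's password.

```python
import re

# Constructed sample of what `p/x $xmm1.v16_int8` prints on each hit of
# breakpoint 2 (not captured from a real session). It holds the clear text of
# the first link's password in the framing the post describes, 0x22 ... 0x22 0x01,
# surrounded by filler bytes standing in for other iterations of the AES loop.
SAMPLE_GDB_OUTPUT = """\
Breakpoint 2, 0x000000000521a162 in r0_aes_cbc_loop_enc_x86_intel ()
$1 = {0xc3, 0x91, 0x22, 0x68, 0x61, 0x74, 0x65, 0x6d, 0x5f, 0x6d, 0x61, 0x68, 0x6d, 0x6f, 0x75, 0x64}
Breakpoint 2, 0x000000000521a162 in r0_aes_cbc_loop_enc_x86_intel ()
$2 = {0x22, 0x1, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0}
"""

# One GDB value line: "$N = {0x.., 0x.., ...}"
REG_DUMP = re.compile(r"^\$\d+ = \{([^}]*)\}", re.M)


def xmm_dumps_to_bytes(gdb_output: str) -> bytes:
    """Concatenate every xmm1 dump from the GDB output, in the order it was printed."""
    buf = bytearray()
    for m in REG_DUMP.finditer(gdb_output):
        buf.extend(int(tok, 16) for tok in m.group(1).split(","))
    return bytes(buf)


def find_quoted_runs(buf: bytes) -> list[bytes]:
    """Every run of bytes between a 0x22 and the 0x22 0x01 that follows it."""
    return [m.group(1) for m in re.finditer(rb'"([^"\x01]+)"\x01', buf)]


def cast_to_raw(text: str) -> str:
    """Same result as UTL_RAW.CAST_TO_RAW(text) for an ASCII string, as a hex string."""
    return text.encode("ascii").hex()


def cast_to_varchar2(raw_hex: str) -> str:
    """Same result as UTL_RAW.CAST_TO_VARCHAR2(raw) for ASCII bytes."""
    return bytes.fromhex(raw_hex).decode("ascii")


def decode_gdb_output(gdb_output: str) -> list[tuple[str, str]]:
    """(raw hex, clear text) for each quote-framed run found in the xmm1 dumps."""
    runs = find_quoted_runs(xmm_dumps_to_bytes(gdb_output))
    return [(run.hex(), cast_to_varchar2(run.hex())) for run in runs]


if __name__ == "__main__":
    for raw_hex, text in decode_gdb_output(SAMPLE_GDB_OUTPUT):
        print(raw_hex, "->", text)
```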

That’s it 😀

If you liked this, you may also like: Oracle getting anyone's password

REF:
http://www.ludovicocaldara.net/dba/ora-02153-create-database-link/
https://www.krenger.ch/blog/find-password-for-database-link/
