In one of my previous posts i showed a way to recover the DB Link password in case we forgot it but i haven’t given any information on how it was encrypted/decrypted.So here is some info that may be helpful for future work such as writing a bunch of PL/SQL code to decrypt the password without the need for other tools (as in previous release ) .
TEST ENV : Oracle 126.96.36.199.6/OEL6/UEK4
Some functions names used in DB link encryption/decryption give us very helpful information “r0_AES_CBC_loop_dec_x86_intel”.So it seem that we are using AES (Advanced Encryption Standard ) in CBC encryption mode ! wiki
So we need the IV (Initialization vector),Ciphertext and the encryption key to be able to decrypt the password.Using Intel pin and GDB i was able to find very useful bunch of stuff.
TEST CASE :
CREATE DATABASE LINK test11 CONNECT TO HATEM IDENTIFIED BY "hatem_mahmoud_can_you_find_me" USING 'testdb';
GDB script :
break *0x000000000c767112 break *0x000000000521a27f command 1 print "Password from sys.link :" x/16xg $rbp + 0x10 print "Input Vector :" p/x $rdx p/x $rcx print "Encryption Key :" p/x $xmm0.v16_int8 p/x $xmm1.v16_int8 c end command 2 print "Ciphertext" p/x $xmm1.v16_int8 c end
Based on my previous example here is the output of GDB after executing in another session :
select * from v$version@test11;
Extract from GDB output :
A lot of interesting stuffs is happening inside function “ztcsr_dblink_v6” :
- Password from sys.link$ : 07B344B47E244F1481B3AA40BD2138434256DCB….
- Initialization vector : 02000100070203010102050200000101
- Encryption key : b5001cd98094cfbed7ee9fd288fe9c947b05325fa7f85f25d7ab607bd97c9cc9
- Ciphertext : 0f15b18763e01744838d0b8e68921ddc1bf7cf22442c15b55980b65b3199476a
Note : Beware of Endian Format.
Using an online encryption/decryption tools like http://aes.online-domain-tools.com/
The question is how this Encryption key /Initialization vector/Ciphertext are deduced from the password stored in sys.link$ and maybe other things.The disassembly code of the “ztcsr_dblink_v6” and “kzdlkdbde” may be worth analyzing.
That’s it 😀