DB Link password encryption/decryption : A step forward

In one of my previous posts I showed a way to recover the DB link password in case we forgot it, but I haven't given any information on how it was encrypted/decrypted. So here is some info that may be helpful for future work, such as writing a bunch of PL/SQL code to decrypt the password without the need for other tools (as in the previous release).

TEST ENV : Oracle 12.1.0.2.6/OEL6/UEK4

Some function names used in DB link encryption/decryption give us very helpful information, e.g. “r0_AES_CBC_loop_dec_x86_intel”. So it seems that AES (Advanced Encryption Standard) is used in CBC mode! (wiki)

[Screenshot: capture-01]

So we need the IV (initialization vector), the ciphertext and the encryption key to be able to decrypt the password. Using Intel Pin and GDB I was able to find a very useful bunch of stuff.

TEST CASE:

CREATE DATABASE LINK test11
CONNECT TO HATEM
IDENTIFIED BY "hatem_mahmoud_can_you_find_me"
USING 'testdb';

GDB script:

break *0x000000000c767112
break *0x000000000521a27f
command 1
print "Password from sys.link :"
x/16xg $rbp + 0x10
print "Input Vector  :"
p/x $rdx
p/x $rcx
print "Encryption Key  :"
p/x $xmm0.v16_int8
p/x $xmm1.v16_int8
c
end
command 2
print "Ciphertext"
p/x $xmm1.v16_int8
c
end

Based on my previous example, here is the GDB output after executing the following in another session:

select * from v$version@test11;

Extract from the GDB output:

[Screenshot: capture-02]

A lot of interesting stuff is happening inside the function “ztcsr_dblink_v6”:

  • Password from sys.link$: 07B344B47E244F1481B3AA40BD2138434256DCB…
  • Initialization vector: 02000100070203010102050200000101
  • Encryption key: b5001cd98094cfbed7ee9fd288fe9c947b05325fa7f85f25d7ab607bd97c9cc9
  • Ciphertext: 0f15b18763e01744838d0b8e68921ddc1bf7cf22442c15b55980b65b3199476a

Note: beware of the endianness of the GDB output. `x/16xg` and `p/x $rdx` print each 8-byte value as a single number, so on x86-64 the byte that comes first in memory appears as the last pair of hex digits and the bytes have to be reversed within each word before use.
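The endianness note matters as soon as you copy values out of the dumps the GDB script above produces. As an added example (not part of the original post), the following Python helper parses the three output shapes that script prints (`x/16xg`, `p/x $reg` and `p/x $xmmN.v16_int8`) into memory-order byte strings; the GDB lines are constructed to match the values listed above, and taking rdx as the first half of the IV is an assumption.

```python
import re

# Sample GDB output lines, constructed to match the values quoted in the post:
# the first 16 bytes of the sys.link$ value, the two IV registers, and xmm0.
GDB_X16XG_LINE = "0x7ffe3c2a1b40:\t0x144f247eb444b307\t0x433821bd40aab381"
GDB_RDX_LINE = "$1 = 0x103020700010002"
GDB_RCX_LINE = "$2 = 0x101000002050201"
GDB_XMM0_LINE = ("$3 = {0xb5, 0x0, 0x1c, 0xd9, 0x80, 0x94, 0xcf, 0xbe, "
                 "0xd7, 0xee, 0x9f, 0xd2, 0x88, 0xfe, 0x9c, 0x94}")

HEX = re.compile(r"0x([0-9a-fA-F]+)")


def words_to_bytes(values, width=8):
    """GDB prints an x/xg word or a 64-bit register as one number, so on
    x86-64 the byte that comes first in memory is printed last. Undo that."""
    return b"".join(v.to_bytes(width, "little") for v in values)


def parse_x_dump(line):
    """One `x/Nxg` output line: drop the leading address, keep the words."""
    _addr, _sep, words = line.partition(":")
    return words_to_bytes([int(h, 16) for h in HEX.findall(words)])


def parse_register(line):
    """`p/x $reg` output ('$1 = 0x...') -> the register's 8 bytes in memory order."""
    return words_to_bytes([int(HEX.search(line).group(1), 16)])


def parse_vector(line):
    """`p/x $xmmN.v16_int8` output: element 0 is the lowest byte, so the
    elements are already in memory order and only need collecting."""
    return bytes(int(h, 16) & 0xFF for h in HEX.findall(line.split("=", 1)[1]))


def recover_iv(rdx_line, rcx_line):
    """Assumption: the script prints rdx first, so rdx holds IV bytes 0-7
    and rcx holds bytes 8-15."""
    return parse_register(rdx_line) + parse_register(rcx_line)


if __name__ == "__main__":
    print("sys.link$ bytes:", parse_x_dump(GDB_X16XG_LINE).hex())
    print("IV            :", recover_iv(GDB_RDX_LINE, GDB_RCX_LINE).hex())
    print("key (xmm0)    :", parse_vector(GDB_XMM0_LINE).hex())
```

Feeding real dump lines through these functions yields the byte strings exactly as an AES tool expects them, which removes the byte-swapping guesswork the note warns about.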

Decrypting with an online AES encryption/decryption tool like http://aes.online-domain-tools.com/:

[Screenshot: capture-03]

The remaining question is how the encryption key, initialization vector and ciphertext are derived from the password stored in sys.link$ and maybe other inputs. The disassembly of “ztcsr_dblink_v6” and “kzdlkdbde” may be worth analyzing.

That’s it 😀
