Oracle OAM is a widely used component that handles authentication for many web applications. Any request to a protected resource on the web application redirects to OAM, acting as middleware to perform user authentication.
Last year, a vulnerability was found in the login process which contains a serious cryptographic flaw. It can be exploited to:
- Steal a session token
- Create a session token for any user
Basically it allows to login to the website and impersonate any user. Bad stuff.
During login, Oracle OAM will send a value called encquery as part of the URL. This parameter contains some values like a salt and a timestamp, and is encrypted with AES-CBC. However:
- There is no HMAC attached, to verify that the encrypted string wasn’t tampered with
- The website responds with an error message when there is a padding error during decryption
This makes it vulnerable to a classic Padding Oracle Attack.
With AES-CBC, blocks of ciphertext are chained and dependent on each other. By adding blocks at the end and tampering with the second-to-last block, we can learn if the plain text is valid.
However, there is one extra challenge: We can not just add blocks of data to the end of the string because the decrypted value contains a validation hash at the end. When adding a block (that turns into gibberish when decrypted), the hash won’t be valid and we will not be able to use the oracle – it simply will always provide an error.
The fix to this problem is simple: we first have to search for the character that turns into a space (0x20) when decrypted. Now the hash will be untouched, and the gibberish we place behind it is interpreted as a new value.
For more in depth information, please read these excellent blog posts by SEC Consult:
There have been exploits in the wild for some time, but they are single threaded. Because this attack requires to guess byte values one by one, it can take about 4 hours to complete (without rate limiting).
With RedTimmy, we have developed a multithreaded version of the exploit called OAMBuster. Source code is available on GitHub.
The first two stages of the attack, showing the verification of a target being vulnerable to CVE-2018-2879.
OAMBuster is able to perform the following actions:
Verify if the target is vulnerable to the attack (<30 seconds)
Decrypt the encquery string, using POA
Decrypt any given string, using POA
Encrypt any given string, using POA
The final two functions can be used for example to decrypt the OAMAuthnCookie containing the session token, and then re-encrypt it.
Benefits of the multithreaded implementation
Because OAMBuster has multiple threads running, it can decrypt multiple blocks at the same time. So for example, when there are 16 blocks in total, the tool can run 16 threads on the last byte of each block. When a thread is finished, it continues to work on the second-to-last byte of the block, and so forth, working from back to front. Bytes within a block can not be parallelized, as they are dependent on each other.
Worthless to say, you can subscribe our blackhat course if you want to play with it more: