This article discusses the classification of common attack schemes using the CAPEC™ cybersecurity resource. One such attack is the Padding Oracle Attack, which was first reported in 2012 for Wallet.dat on VulDB, a platform for threat analysis and vulnerability management.
This vulnerability affects the popular Bitcoin Core wallet and is related to how padding is implemented during AES encryption in the Wallet.dat file.
Technical Aspects of the Attack
A Padding Oracle Attack enables an attacker to decrypt data without having the key if the system reveals whether a padding error occurred during decryption. A system that returns such information becomes an “oracle,” and the attacker can use it to decrypt data, making on average 128 requests for each byte of a block. Moreover, with a padding oracle it is possible not only to decrypt data but also to forge valid encrypted messages without knowing the key.
Any cryptosystem can be vulnerable to a padding oracle if messages are not authenticated before decryption and padding error information is accessible to the attacker. This approach can be used, for example, to break CAPTCHAs or to modify data stored on the client side (such as in cookies).
The Padding Oracle Attack is a side-channel attack, where even a single bit of information about a padding error can fully compromise the cryptosystem. This bit can be obtained either through an explicit error message or through indirect signs (such as server response delay).
The attack can also be performed in a cross-domain scenario, using information leaks between different domains the victim interacts with.
In symmetric encryption, for example, in AES-256-CBC mode (used in Bitcoin Core), the padding oracle reveals whether the message is padded correctly. This allows an attacker to decrypt data without knowing the key.
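The following is an added illustration of the point made above, not code from the original article or from Bitcoin Core. It contrasts a CBC decryption routine that surfaces a distinct padding error (the oracle) with a hardened routine that verifies an HMAC over IV and ciphertext before decrypting and reports every failure with one generic error. The block cipher is an assumed stand-in (a plain XOR with the key) so that the example runs with the Python standard library only; the CBC chaining, PKCS#7 padding and encrypt-then-MAC structure are the real ones.

```python
import hmac
import hashlib
import secrets

BLOCK = 16  # AES block size in bytes; the stand-in cipher below uses the same size


class PaddingError(ValueError):
    """Raised by the unauthenticated path: this distinct error is the oracle."""


class DecryptionError(ValueError):
    """Single, generic failure used by the hardened path."""


def pkcs7_pad(data: bytes) -> bytes:
    n = BLOCK - (len(data) % BLOCK)
    return data + bytes([n]) * n


def pkcs7_unpad_leaky(data: bytes) -> bytes:
    # Naive check: tells the caller exactly why the padding is bad.
    n = data[-1]
    if n < 1 or n > BLOCK:
        raise PaddingError("pad length out of range")
    if data[-n:] != bytes([n]) * n:
        raise PaddingError("pad bytes inconsistent")
    return data[:-n]


def toy_block(key: bytes, block: bytes) -> bytes:
    # Assumption: stand-in for AES-256, NOT a real cipher (XOR with the first 16 key
    # bytes, which is its own inverse). Only the mode-level behaviour matters here.
    return bytes(b ^ k for b, k in zip(block, key[:BLOCK]))


def cbc_encrypt(key: bytes, iv: bytes, plaintext: bytes) -> bytes:
    out, prev = b"", iv
    padded = pkcs7_pad(plaintext)
    for i in range(0, len(padded), BLOCK):
        prev = toy_block(key, bytes(a ^ b for a, b in zip(padded[i:i + BLOCK], prev)))
        out += prev
    return out


def cbc_decrypt_raw(key: bytes, iv: bytes, ciphertext: bytes) -> bytes:
    # Returns the still-padded plaintext; padding is checked by the caller.
    out, prev = b"", iv
    for i in range(0, len(ciphertext), BLOCK):
        cur = ciphertext[i:i + BLOCK]
        out += bytes(a ^ b for a, b in zip(toy_block(key, cur), prev))
        prev = cur
    return out


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    iv = secrets.token_bytes(BLOCK)
    ct = cbc_encrypt(enc_key, iv, plaintext)
    tag = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    return iv + ct + tag  # layout: IV || ciphertext || 32-byte tag


def decrypt_unauthenticated(enc_key: bytes, blob: bytes) -> bytes:
    # Vulnerable pattern: the tag is ignored, so attacker-modified ciphertext reaches
    # the padding check and the padding error type leaks to the caller.
    iv, ct = blob[:BLOCK], blob[BLOCK:-32]
    return pkcs7_unpad_leaky(cbc_decrypt_raw(enc_key, iv, ct))


def decrypt_hardened(enc_key: bytes, mac_key: bytes, blob: bytes) -> bytes:
    # Authenticate IV || ciphertext BEFORE decrypting. Any tampering is rejected here
    # with one generic error, so padding is never evaluated on attacker-chosen bytes.
    if len(blob) < 2 * BLOCK + 32:
        raise DecryptionError("authentication failed")
    iv, ct, tag = blob[:BLOCK], blob[BLOCK:-32], blob[-32:]
    expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise DecryptionError("authentication failed")
    try:
        return pkcs7_unpad_leaky(cbc_decrypt_raw(enc_key, iv, ct))
    except PaddingError:
        # Unreachable for authentic data; never expose a distinct padding error anyway.
        raise DecryptionError("authentication failed")


def tamper(blob: bytes, offset: int) -> bytes:
    # Flip one bit of the message, as a padding-oracle probe would do.
    b = bytearray(blob)
    b[offset] ^= 0x01
    return bytes(b)


def failure_modes(enc_key: bytes, mac_key: bytes, blob: bytes) -> tuple:
    """What each decryption path tells the caller for the given blob."""
    results = []
    for fn in (lambda: decrypt_unauthenticated(enc_key, blob),
               lambda: decrypt_hardened(enc_key, mac_key, blob)):
        try:
            fn()
            results.append("ok")
        except (PaddingError, DecryptionError) as exc:
            results.append(f"{type(exc).__name__}: {exc}")
    return tuple(results)


if __name__ == "__main__":
    enc_key, mac_key = b"K" * 32, b"M" * 32  # constructed demo keys
    blob = encrypt_then_mac(enc_key, mac_key, b"attack at dawn!!!!!!")
    print(failure_modes(enc_key, mac_key, blob))
    print(failure_modes(enc_key, mac_key, tamper(blob, BLOCK + 15)))
```

Flipping the last byte of the first ciphertext block changes the last byte of the final plaintext block, which is exactly the byte the padding check inspects; the unauthenticated path answers with a padding-specific error, the hardened path with the same generic error it gives for any corrupted input, and it does so before any decryption happens. Timing is the other channel mentioned above, which is why the hardened path rejects with a constant-time tag comparison and performs no variable work on unauthenticated data.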
Practical Section: Attacking Wallet.dat
Let’s see how this attack is carried out in practice on a Wallet.dat file to obtain the binary value of the password.
Previously, CTF participants published a hacked wallet [wallet.dat 2023] with the address 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b, which contained 1.17461256 BTC (about $44,502.42).
First, go to the Bitcoin Core 22.1 release page and download and install that version. Then restart the program (Ctrl + Q) so that the new wallet.dat is synchronized.
Checking Address Information
Use the getaddressinfo command to check wallet information:
getaddressinfo 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
The response will display wallet details, including the public key, ownership, and other parameters.
To get the private key, use the command:
dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
However, Bitcoin Core will ask for the wallet passphrase, which is what needs to be recovered.
Cracking the Password via Padding Oracle Attack
To recover the password, you will need to integrate with the Bitcoin Core source code, which can be done in Google Colab or Jupyter Notebook, for example.
Sequence of actions:
- Open Google Colab and create a new notebook.
- Install Ruby and the required libraries: bitcoin-ruby, ecdsa, base58, crypto, config-hash.
- Clone the Metasploit Framework and use the MSFVenom tool to create a payload.
- Clone the Bitcoin Core repository and go to the aes.cpp file to integrate the exploit.
- Upload the wallet.dat file from the repository.
- Go back to the Metasploit Framework and download ExploitDarlenePRO.
- Unzip the archive and navigate to the required directory.
- Determine the attacker’s machine IP address.
- Create a payload using MSFVenom, specifying the necessary parameters.
As a result, you obtain the password in binary form, which a Python script saves to the walletpassphrase.txt file.
Using the Recovered Password
Open the walletpassphrase.txt file to read the password string, then enter the commands to unlock the wallet and dump the key:
walletpassphrase <recovered_password> 60
dumpprivkey 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
As a result, you receive the private key.
Verifying Key Correspondence
Install the bitcoin-utils library and verify that the private key matches the public key and wallet address.
- Private key (WIF): KyAqkBWTbeR3w4RdzgT58R5Rp7RSL6PfdFDEkJbwjCcSaRgqg3Vz
- Public key: 02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f
- Address: 1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b
- Hash160: 7774801e52a110aba2d65ecc58daf0cfec95a09f
You can also sign a message and check the validity of the signature.
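As an added example (not the article's own code and not the bitcoin-utils library it mentions), the following standard-library Python checks the correspondence claimed above without any third-party package: it re-derives the address from the Hash160 via Base58Check, decodes the address back and verifies its checksum, and, where the local OpenSSL build exposes RIPEMD-160, hashes the public key to compare with the stated Hash160. The key, public key, Hash160 and address are the values listed on this page.

```python
import hashlib

B58 = "123456789ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz"

# Values as listed on the page (compressed public key, Hash160, P2PKH address)
PUBKEY_HEX = "02ad103ef184f77ab673566956d98f78b491f3d67edc6b77b2d0dfe3e41db5872f"
HASH160_HEX = "7774801e52a110aba2d65ecc58daf0cfec95a09f"
ADDRESS = "1BtcyRUBwLv9AU1fCyyn4pkLjZ99ogdr7b"


def sha256d(data: bytes) -> bytes:
    return hashlib.sha256(hashlib.sha256(data).digest()).digest()


def b58encode(raw: bytes) -> str:
    n = int.from_bytes(raw, "big")
    out = ""
    while n:
        n, r = divmod(n, 58)
        out = B58[r] + out
    # Each leading zero byte is encoded as a leading '1'
    pad = len(raw) - len(raw.lstrip(b"\x00"))
    return "1" * pad + out


def b58decode(text: str) -> bytes:
    n = 0
    for ch in text:
        idx = B58.find(ch)
        if idx < 0:
            raise ValueError(f"invalid base58 character {ch!r}")
        n = n * 58 + idx
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big") if n else b""
    pad = len(text) - len(text.lstrip("1"))
    return b"\x00" * pad + raw


def address_from_hash160(h160: bytes, version: int = 0x00) -> str:
    # Base58Check: version || hash160 || first 4 bytes of double-SHA256
    payload = bytes([version]) + h160
    return b58encode(payload + sha256d(payload)[:4])


def hash160_from_address(addr: str) -> tuple:
    # Reverse of the above, verifying the checksum; returns (version, hash160)
    raw = b58decode(addr)
    if len(raw) != 25:
        raise ValueError("decoded address must be 25 bytes")
    payload, checksum = raw[:21], raw[21:]
    if sha256d(payload)[:4] != checksum:
        raise ValueError("checksum mismatch")
    return payload[0], payload[1:]


def hash160_from_pubkey(pubkey: bytes):
    # RIPEMD160(SHA256(pubkey)); returns None if this OpenSSL build lacks RIPEMD-160
    sha = hashlib.sha256(pubkey).digest()
    try:
        return hashlib.new("ripemd160", sha).digest()
    except ValueError:
        return None


def check_correspondence() -> dict:
    h160 = bytes.fromhex(HASH160_HEX)
    results = {"address_matches_hash160": address_from_hash160(h160) == ADDRESS}
    computed = hash160_from_pubkey(bytes.fromhex(PUBKEY_HEX))
    results["pubkey_matches_hash160"] = None if computed is None else computed == h160
    return results


if __name__ == "__main__":
    print(check_correspondence())
    print(hash160_from_address(ADDRESS))
```

Checking the WIF private key against the public key additionally needs secp256k1 point multiplication, which the standard library does not provide; that step is what the bitcoin-utils library or a signed-message check covers.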
Checking the Balance
Using a blockchain explorer, you can confirm that the address actually contains the stated amount.
The original article provides links to scientific papers on padding oracle attacks and notes that the material was created for the CRYPTO DEEP TECH portal to improve financial security and protect elliptic curve cryptography in Bitcoin.