[12857] in bugtraq
Re: HP Secure Web Console
daemon@ATHENA.MIT.EDU (GNSS Research Division)
Mon Dec 6 12:47:27 1999
Message-Id: <3847F7CD.6FF66072@gnss.com>
Date: Fri, 3 Dec 1999 17:03:09 +0000
Reply-To: osiris@gnss.com
From: GNSS Research Division <osiris@GNSS.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
Jon Mitchell earlier posted information on HP's Secure Web Console (see his post
attached below), speculating that it uses a secret decoder ring type "encryption"
(encoding) method (and not MD5). That's hard to believe, but if so, the below perl
script will encode (and decode) strings passed through SWC.
#!/usr/bin/perl
#
# swc_crypt_test
#
# Syntax: swc_crypt_test [option] [word]
#
# encrypt example: swc_crypt_test -e abcd
# output: VUTS
#
# decrypt example: swc_crypt_test -d VUTS
# output: abcd
#
use strict;
use warnings;

usage() if @ARGV < 2;
usage() if $ARGV[0] ne "-e" && $ARGV[0] ne "-d";

my $string = $ARGV[1];
my $output;

if ($ARGV[0] eq "-e") {
    # Upper-case the input, shift every letter 18 places along the
    # alphabet (A->S, B->T, ... Z->R), then reverse the whole string.
    $string = uc $string;
    $string =~ tr/A-Z/S-ZA-R/;
    $output = reverse $string;
}
else {
    # Undo the shift (S->A, ... R->Z), lower-case, then reverse.
    $string =~ tr/S-ZA-R/A-Z/;
    $string = lc $string;
    $output = reverse $string;
}
print "$output\n";

sub usage {
    print "\nUsage: swc_crypt_test [option] [word]\n";
    print "\n-e encrypts the supplied string";
    print "\n-d decrypts the supplied string\n";
    exit;
}
Jon Mitchell wrote:
The Secure Web Console is a device that looks (and acts) like a JetDirect
print server. It has one Ethernet port and one serial port. The idea
behind it is that you can connect your console cable from your HP9000
machine to this device and put it on the network. This way you can
connect to your HP9000s via a web browser, so remote access to the console
is easy. Since this is actual console access, you could potentially do
upgrades or reboots into single-user mode safely from this device without
being on site.
The problem with this device is the word Secure in the name. This implies
that this device is providing secure access from the network. The
information on this device's web site http://www.hp.com/go/webconsole
states that it currently uses MD5 user digest as the encryption scheme and
that future firmware will support SSL. We have the latest firmware
installed at this time, A1.6 (A.01.06.001).
Upon first connecting we noticed that it would not support an SSL
connection as the documentation states. Because even the first page you
access on this device is a Java applet, we assumed the best, that
encryption was somehow provided through that. However we discovered that
it does not appear to be any sort of MD5 encryption scheme (although I'm
not an encryption expert), but in actuality what we've deemed Secret
Decoder Ring encryption. The letters are one to one with another letter,
and even worse, in order as well.
Here's an example of two sets of letters:
You type: abcd
Transmits: VUTS
You type: ABCD
Transmits: vuts
Thanks to Joe Munson for helping debug this and coming up with the Secret
Decoder Ring reference (which reminded me of the Little Orphan Annie Ring,
that only says to drink more Ovaltine, in the Christmas Story).
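The following Python is an added illustration and is not code from either post above. It models the encoding exactly as the GNSS script interprets it (shift each letter 18 places, flip its case, reverse the string) so that both of Jon Mitchell's observed pairs reproduce, and then shows the check a reviewer would run on any scheme marketed as "encryption": whether the transform can be fully recovered from a handful of known typed/transmitted pairs with no key involved. The 18-place shift, the case flip and the treatment of non-letters are assumptions drawn from the four observed strings; only those strings are ground truth.

```python
"""Model of the HP Secure Web Console letter substitution described above,
plus a known-plaintext consistency check.  Added example; assumptions:
encode = shift 18 places, flip case, reverse (as in the GNSS Perl script)."""

import string

SHIFT = 18  # assumed: typed 'a' transmits as 'S', and S is 18 places after A

# Ground truth from Jon Mitchell's post: (what you type, what transmits).
OBSERVED = [("abcd", "VUTS"), ("ABCD", "vuts")]


def _shift_letter(ch: str, shift: int) -> str:
    """Shift one ASCII letter by `shift` places and flip its case.
    Non-letters pass through unchanged (assumption: not observed)."""
    if ch in string.ascii_lowercase:
        return string.ascii_uppercase[(ord(ch) - ord("a") + shift) % 26]
    if ch in string.ascii_uppercase:
        return string.ascii_lowercase[(ord(ch) - ord("A") + shift) % 26]
    return ch


def swc_encode(plaintext: str) -> str:
    """Shift every letter, flip case, then reverse the whole string."""
    return "".join(_shift_letter(c, SHIFT) for c in plaintext)[::-1]


def swc_decode(wire: str) -> str:
    """Invert swc_encode: reverse, then shift back (case flips again)."""
    return "".join(_shift_letter(c, -SHIFT) for c in wire[::-1])


def recover_mapping(pairs):
    """Build the letter-for-letter table from (typed, transmitted) pairs an
    operator can collect simply by knowing what they typed.  Returns the
    table and True if every observation fits one fixed mapping, which is
    the signature of a keyless substitution rather than encryption."""
    table = {}
    for typed, sent in pairs:
        for p, c in zip(typed, sent[::-1]):  # undo the assumed reversal
            if table.setdefault(p, c) != c:
                return table, False
    return table, True


def infer_shift(table):
    """Return the single alphabet shift explaining every entry, or None
    if the table is not a plain rotation of the alphabet."""
    shifts = {(ord(c.lower()) - ord(p.lower())) % 26 for p, c in table.items()}
    return shifts.pop() if len(shifts) == 1 else None


if __name__ == "__main__":
    for typed, sent in OBSERVED:
        assert swc_encode(typed) == sent and swc_decode(sent) == typed
    table, consistent = recover_mapping(OBSERVED)
    print("consistent keyless mapping:", consistent)
    print("inferred shift:", infer_shift(table))
    print("round trip:", swc_decode(swc_encode("Hello")))
```

The point of `recover_mapping` and `infer_shift` is the risk assessment: because the same typed character always transmits as the same wire character and no secret enters the computation, the entire table falls out of a few pairs an observer can obtain, which is why the posts treat the "MD5 user digest" claim as not describing what is on the wire.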