
Bugtraq mailing list archives
Re: HP Secure Web Console
From: osiris () GNSS COM (GNSS Research Division)
Date: Fri, 3 Dec 1999 17:03:09 +0000
Jon Mitchell earlier posted information on HP's Secure Web Console (see his post attached below), speculating that it uses a secret decoder ring type "encryption" (encoding) method (and not MD5). That's hard to believe, but if so, the below perl script will encode (and decode) strings passed through SWC.

#!/bin/perl
#
# swc_crypt_test
#
# Syntax:  swc_crypt_test [option] [word]
#
# encrypt example:  swc_crypt_test -e abcd
#          output:  VUTS
#
# decrypt example:  swc_crypt_test -d VUTS
#          output:  abcd
#

# Require an option, and accept only -e or -d.
if(!$ARGV[0]) { &usage; }
if($ARGV[0] ne "-e" && $ARGV[0] ne "-d") { &usage; }

# Encode: uppercase the input, shift the alphabet, then reverse the string.
if($ARGV[0] eq "-e") {
  $string=$ARGV[1];
  $string=~s/(.*)/\u\U$1/g;
  $string=~y/A-Za-z/S-ZA-za-m/;
  $output = reverse $string;
  print $output;
}

# Decode: undo the shift, lowercase the result, then reverse the string.
if($ARGV[0] eq "-d") {
  $string=$ARGV[1];
  $string=~y/S-ZA-za-m/A-Za-z/;
  $string=~s/(.*)/\l\L$1/g;
  $output = reverse $string;
  print $output;
}

sub usage {
  print "\nUsage: swc_crypt_test [option] [word]\n";
  print "\n-e encrypts the supplied string";
  print "\n-d decrypts the supplied string\n";
  print "\n***Note: your string MUST be in uppercase.\n";
  exit;
}

Jon Mitchell wrote:

The Secure Web Console is a device that looks (and acts) like a JetDirect printserver. It has one ethernet port and one serial port. The idea behind it is that you can connect your console cable from your HP9000 machine to this device and put it on the network. This way you can connect to your HP9000's via a web browser so remote access to the console is easy. Since this is actual console access you could potentially do upgrades or reboots into single user mode safely from this device without being onsite.

The problem with this device is the word Secure in the name. This implies that this device is providing secure access from the network. The information on this device's web site http://www.hp.com/go/webconsole states that it currently uses MD5 user digest as the encryption scheme and that future firmware will support SSL.

We have the latest firmware installed at this time of A1.6 (A.01.06.001). Upon first connecting we noticed that it would not support an SSL connection as the documentation states. Because even the first page you access on this device is a Java applet, we assumed the best, that encryption was somehow provided through that. However we discovered that it does not appear to be any sort of MD5 encryption scheme (although I'm not an encryption expert), but in actuality what we've deemed Secret Decoder Ring encryption. The letters are one to one with another letter, and even worse, in order as well. Here's an example of two sets of letters:

You type: abcd
Transmits: VUTS

You type: ABCD
Transmits: vuts

Thanks to Joe Munson for helping debug this and coming up with the Secret Decoder Ring reference (which reminded me of the Little Orphan Annie Ring, that only says to drink more Ovaltine, in the Christmas Story).
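An added example, not part of either post and not HP's code: a Python check run over the two samples Jon Mitchell reports, showing why the transmitted values cannot be MD5 digests (length follows the input, and the samples fit a fixed, invertible, in-order letter table). All function names are hypothetical, and the table covers only the eight letters the samples contain.

```python
import hashlib

# The two (typed, transmitted) samples reported in Jon Mitchell's post.
OBSERVED = [("abcd", "VUTS"), ("ABCD", "vuts")]


def looks_like_md5(pairs):
    """An MD5 digest is 16 bytes (32 hex characters) for any input length."""
    return all(len(sent) in (16, 32) for _, sent in pairs)


def infer_mapping(pairs):
    """Build the per-character table implied by the samples.

    Returns None when the samples cannot come from a fixed one-to-one
    character substitution (length changes, or a character maps two ways).
    """
    table = {}
    for typed, sent in pairs:
        if len(typed) != len(sent):
            return None
        for p, c in zip(typed, sent):
            if table.setdefault(p, c) != c:
                return None
    if len(set(table.values())) != len(table):
        return None  # two inputs share an output: not invertible
    return table


def in_order(table):
    """True when adjacent input letters always map to adjacent outputs."""
    keys = sorted(table)
    steps = {ord(table[b]) - ord(table[a])
             for a, b in zip(keys, keys[1:]) if ord(b) - ord(a) == 1}
    return len(steps) == 1


def decode(table, sent):
    """Invert the table; '?' marks characters no sample has covered yet."""
    inverse = {c: p for p, c in table.items()}
    return "".join(inverse.get(c, "?") for c in sent)


if __name__ == "__main__":
    table = infer_mapping(OBSERVED)
    print("MD5-shaped output:", looks_like_md5(OBSERVED))
    print("one-to-one table:", table)
    print("letters kept in order:", in_order(table))
    print("VUTS decodes to:", decode(table, "VUTS"))
    print("real MD5 of 'abcd':", hashlib.md5(b"abcd").hexdigest())
```

The same three checks (output length tracks input length, a consistent per-character table, an invertible table) apply to any captured credential transform that a vendor describes as a digest.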