COMMAND

    Secure Web Console

SYSTEMS AFFECTED

    HP Secure Web Console

PROBLEM

    Jon Mitchell found the following.  The Secure Web Console is a device
    that looks (and  acts) like a  JetDirect printserver.   It has one
    ethernet port and  one serial port.   The idea behind  it is  that
    you can  connect your  console cable  from your  HP9000 machine to
    this device and put it on  the network.  This way you  can connect
    to  your  HP9000's  via  a  web  browser  so  remote access to the
    console is easy.   Since this is  actual console access  you could
    potentially do upgrades  or reboots into  single user mode  safely
    from this device without being onsite.

    The problem with this device is the word Secure in the name.  This
    implies  that  this  device  is  providing  secure access from the
    network.  The information on this device's web site

        http://www.hp.com/go/webconsole

    states that it currently uses MD5 user digest as the encryption
    scheme and that future firmware will support SSL (the firmware
    installed at this time was A1.6 (A.01.06.001)).

    Upon first connecting, Jon noticed that it would not support an SSL
    connection, as the documentation states.  Because even the first
    page you access on this device is a Java applet, Jon assumed the
    best, that encryption was somehow provided through that.  However,
    it was discovered that it does not appear to use any sort of MD5
    encryption scheme; in actuality it seemed to be Secret Decoder
    Ring encryption.  Each letter maps one to one to another letter,
    and even worse, in order as well.  Here's an example of two sets
    of letters:

        You type:  abcd
        Transmits: VUTS

        You type:  ABCD
        Transmits: vuts

    To make it simpler, GNSS Research Division posted the following:

        #include <stdio.h>
        #include <ctype.h>

        int main(void) {
            int user_input;

            /* read until end of input; EOF is non-zero, so test for it */
            while ((user_input = getchar()) != EOF) {

                /* rotate each letter 18 places within its own case */
                if (islower(user_input))
                    user_input = 'a' + (user_input - 'a' + 18) % 26;
                if (isupper(user_input))
                    user_input = 'A' + (user_input - 'A' + 18) % 26;

                /* convert to string and put a reverse string function here */
                putchar(user_input);
            }
            return 0;
        }

    or (the same, by GNSS)

        #!/bin/perl
        #
        # swc_crypt_test
        #
        # Syntax: swc_crypt_test [option] [word]
        #
        # encrypt example: swc_crypt_test -e abcd
        # output: VUTS
        #
        # decrypt example: swc_crypt_test -d VUTS
        # output: abcd
        #

        if(!$ARGV[0]) { &usage; }
        if($ARGV[0] ne "-e" && $ARGV[0] ne "-d") { &usage; }

        if($ARGV[0] eq "-e") {
            $string=$ARGV[1];
            $string=~s/(.*)/\u\U$1/g;        # force the word to uppercase
            $string=~y/A-Za-z/S-ZA-za-m/;    # rotate A-Z forward by 18
            $output = reverse $string;       # send it back to front
            print $output;
        }

        if($ARGV[0] eq "-d") {
            $string=$ARGV[1];
            $string=~y/S-ZA-za-m/A-Za-z/;    # undo the rotation
            $string=~s/(.*)/\l\L$1/g;        # force the result to lowercase
            $output = reverse $string;
            print $output;
        }

        sub usage {
            print "\nUsage: swc_crypt_test [option] [word]\n";
            print "\n-e encrypts the supplied string";
            print "\n-d decrypts the supplied string\n";
            print "\n***Note: your string MUST be in uppercase.\n";
            exit;
        }

    In the first code above, you may wish to change the lines so they
    look like this (the case of each letter is swapped, as in the
    example above):

        ...
        if (islower(user_input))
            user_input = 'A' + (user_input - 'a' + 18) % 26;
        else if (isupper(user_input))
            user_input = 'a' + (user_input - 'A' + 18) % 26;
        ...
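
    An added example, not code from the original advisory or from GNSS:
    the whole transformation the two listings describe (rotate by 18,
    swap case, reverse) together with its inverse, showing that the
    encoding has no key and so gives no confidentiality on the wire.
    The function names and the pass-through of non-letter characters
    are assumptions; the advisory shows letters only.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define SWC_SHIFT 18   /* rotation used in the listings above */

/* Rotate one letter by `shift` places and swap its case.
   Non-letters pass through unchanged (assumption, see lead-in). */
static char swc_map(char c, int shift)
{
    unsigned char u = (unsigned char)c;
    if (islower(u)) return (char)('A' + (u - 'a' + shift) % 26);
    if (isupper(u)) return (char)('a' + (u - 'A' + shift) % 26);
    return c;
}

/* Map every character, writing the result back to front.
   `out` must have room for strlen(in) + 1 bytes. */
static void swc_transform(const char *in, char *out, int shift)
{
    size_t n = strlen(in);
    for (size_t i = 0; i < n; i++)
        out[n - 1 - i] = swc_map(in[i], shift);
    out[n] = '\0';
}

void swc_encode(const char *in, char *out) { swc_transform(in, out, SWC_SHIFT); }

/* No secret is needed to decode: rotate by the complement, 26 - 18 = 8. */
void swc_decode(const char *in, char *out) { swc_transform(in, out, 26 - SWC_SHIFT); }

/* Returns 1 when decode(encode(s)) gives back s exactly. */
int swc_round_trip(const char *s)
{
    char enc[128], dec[128];
    if (strlen(s) >= sizeof enc) return 0;
    swc_encode(s, enc);
    swc_decode(enc, dec);
    return strcmp(s, dec) == 0;
}

int main(void)
{
    char buf[128];
    swc_encode("abcd", buf);  printf("abcd -> %s\n", buf);
    swc_encode("ABCD", buf);  printf("ABCD -> %s\n", buf);
    swc_decode("VUTS", buf);  printf("VUTS <- %s\n", buf);
    return 0;
}
```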

    There is an  even more gaping  security hole in  HP's SWC product.
    It is possible to create multiple user accounts on the web console
    device  and  there  are  two  types of accounts: Administrator and
    Operator.  Furthermore,  it  is  also  possible for multiple users
    to be  connected to  this device  concurrently.   The initial user
    connection  gets  read/write  access  to  the  console,  and   any
    subsequent  connections  get  read-only  access.   One would think
    that operator  accounts would  have limited  privileges, but  this
    is not  the case.   Operators can  do anything  to the  SWC device
    that administrators can do (reboot  the device, etc).  Mark  Gross
    was considering implementing these  devices on some of  our remote
    HP9000 servers,  so he  was testing  an SWC in our  lab.  He found
    that an operator can reboot the console while any other users  are
    connected  (including  root).   As  would  happen  with  a regular
    console device, any logins  remain active.  So  whoever reconnects
    first to  the SWC  captures the  active session  (which in testing
    allowed an operator to hijack  root's session).  What's worse,  if
    the server is in  Service mode, anyone who  has an account on  the
    SWC (administrators AND operators)  can perform CTRL+B and  reboot
    the server.

SOLUTION

    Nothing yet.