CVE-2023-33754: CVEs/CVE-2023-33754.md at main · Alkatraz97/CVEs
The captive portal in Inpiazza Cloud WiFi versions prior to v4.2.17 does not enforce limits on the number of attempts for password recovery, allowing attackers to brute force valid user accounts to gain access to login credentials.
Overview
“WiFi Captive Portal Inpiazza Cloud” is a captive portal for connecting to Inpiazza Cloud WiFi networks; it grants network access after the user enters a telephone number and password.
Vulnerability Description
Before version 4.2.17 it was possible to enumerate users (their telephone numbers) through the password recovery function offered by the portal. When a new password is requested, the server returns a different message depending on whether the number is present in the system. In addition, the generated password is always 8 digits, numeric only, so once a phone number is known the password can be brute forced.
Username enumeration is the process of developing a list of all valid usernames on a server or web application. It becomes possible if the server or application provides a clue as to whether or not the username exists.
The CVE Program has assigned the ID CVE-2023-33754 to this issue. This is a record on the CVE List, which standardizes names for security problems:
CVE ID: CVE-2023-33754 --> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33754
Impacts
This vulnerability allows an attacker to enumerate every user who can access the WiFi network and then brute force their passwords.
CVE-2023-33754 - User Enumeration
Proof of concept (POC)
Reproducing Steps
First, connect to the WiFi network and open any page in a browser to bring up the captive portal. As shown in the image below, the captive portal offers two options:
- Enter the telephone number and then the password to log in
- Create new account
After entering any phone number, a third option appears: recovering an account.
Pressing the Recover Data button redirects to a new page where you enter the telephone number for which a new password should be generated; the password is then sent via SMS.
On this page, by intercepting the request and analyzing the server's response, it is possible to identify which accounts are active and which are not.
As visible in the two images below, if the number is present in the system the “success” parameter is set to “True”; otherwise the response carries the value “error_account_not_exists”.
These messages make it possible to enumerate the registered accounts and then, through a brute force attack, find the password and log in with those usernames. Furthermore, the generated password that is sent always has a fixed length of 8 characters made up only of letters and numbers, which reduces the time needed for the brute force phase.
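The oracle and the brute force cost described above, as an added example (not code from the Inpiazza portal or from the advisory's author): a simulation of the pre-4.2.17 recovery response beside a hardened handler that throttles attempts and answers uniformly, plus the keyspace for the two password formats the advisory mentions (8 numeric digits in the description, 8 letters and digits in the PoC). The response keys follow the advisory's wording; the phone numbers, client IPs, the MAX_ATTEMPTS value and the function names are assumptions.

```python
# Added example for this advisory, not code from the Inpiazza portal or the
# advisory's author. It models the password-recovery oracle described above,
# the attacker-side enumeration loop, and a hardened handler for comparison.
# Assumptions: the 'success' / 'error' keys follow the advisory's wording;
# phone numbers, client IPs and MAX_ATTEMPTS are constructed.
import secrets
import string
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample data: numbers the simulated portal has on file.
REGISTERED = {"+390000000001", "+390000000002"}
SENT_SMS: List[tuple] = []  # (phone, password) pairs the simulated server "sent"


def generate_password(alphabet: str = string.digits, length: int = 8) -> str:
    """Recovery password of fixed length 8 as the advisory describes.
    The charset is a parameter because the advisory states both 'digits only'
    and 'letters and numbers'; the default models the narrower claim."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def vulnerable_recover(phone: str, client_ip: str = "203.0.113.10") -> Dict:
    """Pre-4.2.17 behaviour: no attempt limit, and the body reveals whether the number exists."""
    if phone in REGISTERED:
        SENT_SMS.append((phone, generate_password()))
        return {"success": True}
    return {"success": False, "error": "error_account_not_exists"}


MAX_ATTEMPTS = 5  # assumed per-client budget for the hardened handler
_attempts: Dict[str, int] = defaultdict(int)


def reset_attempts() -> None:
    _attempts.clear()


def hardened_recover(phone: str, client_ip: str = "203.0.113.10") -> Dict:
    """Fix shape a reviewer would ask for: throttle per client and return the
    same body whether or not the number is registered (the SMS is the only side effect)."""
    _attempts[client_ip] += 1
    if _attempts[client_ip] > MAX_ATTEMPTS:
        return {"success": False, "error": "too_many_requests"}
    if phone in REGISTERED:
        SENT_SMS.append((phone, generate_password()))
    return {"success": True, "message": "If the number is registered, a new password was sent by SMS."}


def classify(response: Dict) -> str:
    """Attacker-side view of one response: 'error_account_not_exists' is the
    distinguishing marker the advisory reports."""
    if response.get("error") == "error_account_not_exists":
        return "absent"
    if response.get("success") is True:
        return "exists"
    return "unknown"


def enumerate_accounts(candidates: List[str], recover: Callable[[str], Dict]) -> List[str]:
    """Probe each candidate number once and keep those the portal confirms."""
    return [n for n in candidates if classify(recover(n)) == "exists"]


def oracle_leaks(recover: Callable[[str], Dict]) -> bool:
    """True if a registered and an unregistered number get different bodies,
    i.e. the recovery endpoint is usable as an enumeration oracle."""
    reset_attempts()
    known = recover(next(iter(REGISTERED)))
    unknown = recover("+390000000999")  # constructed, not in REGISTERED
    return known != unknown


def keyspace(length: int = 8, alphabet_size: int = 10) -> int:
    """Number of candidate passwords once the phone number is known."""
    return alphabet_size ** length


def hours_to_exhaust(space: int, requests_per_second: float) -> float:
    """Worst-case wall-clock time for an online brute force at a given request rate."""
    return space / requests_per_second / 3600


if __name__ == "__main__":
    probe = ["+390000000001", "+390000000002", "+390000000003"]
    print("vulnerable -> confirmed:", enumerate_accounts(probe, vulnerable_recover),
          "leaks:", oracle_leaks(vulnerable_recover))
    print("hardened   -> leaks:", oracle_leaks(hardened_recover))
    print("8 digits:", keyspace(8, 10), "8 alphanumeric:", keyspace(8, 36))
    print("hours at 100 req/s (digits only): %.1f" % hours_to_exhaust(keyspace(8, 10), 100))
```

Against the hardened handler `enumerate_accounts` returns every probed number, which is exactly the point: the response no longer carries information, and the attempt counter caps how many numbers (or password guesses) one client can try at all. The keyspace figures show why the charset matters: 10^8 numeric passwords are within reach of an unthrottled online attack, 36^8 alphanumeric ones are roughly 28,000 times more, but neither is a defence without the attempt limit the fixed version enforces.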
Discovered by
Kevin Riva of Cybertech srl