"WiFi Captive Portal Inpiazza Cloud" is a captive portal for connecting to Inpiazza Cloud WiFi networks that grants access to the network after entering a telephone number and password.
Before version 4.2.17 it was possible to perform user enumeration (enumerate the telephone numbers) using the password recovery function offered by the portal. By requesting a new password, it is possible to receive a different message depending on whether or not that number is present within the system. Furthermore, the generated password is always 8 digits and numeric only, allowing brute forcing once the phone number is known.
Username enumeration is the process of developing a list of all valid usernames on a server or web application. It becomes possible if the server or application provides a clue as to whether or not the username exists.
The CVE Program has assigned the ID CVE-2023-20255 to this issue. This is a record on the CVE List, which standardizes names for security problems:
CVE ID: CVE-2023-33754 --> https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-33754
This vulnerability allows an attacker to enumerate all users who can access a WiFi network and to brute force their passwords.
First you need to connect to the WiFi network and open any tab in the browser to bring up the captive portal. When accessing the captive portal, as shown in the image below, 2 options are made available.
- Enter the telephone number and then the password to log in
- Create new account
By entering any phone number, a third option appears, which is to recover an account.
By pressing the Recover Data button, you are redirected to a new page where you can enter the telephone number for which you wish to generate a new password, which will be sent via SMS.
On this page, by intercepting the Request and analyzing the Response sent by the Server, it is possible to identify which accounts are active and which are not.
As visible in the 2 images below, if the number is present in the system, the "success" parameter is set to "True"; otherwise the parameter is set to "error_account_not_exists".
Thanks to these messages it is possible to enumerate the registered accounts and, through a brute force attack, to find the password and log in with their usernames. Furthermore, the password that is generated and sent always has a fixed length of 8 characters including only letters and numbers, thus reducing the time necessary for the brute force phase.
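To illustrate the fix from the defender's side, here is an added example (not the Inpiazza Cloud portal's own code) showing a recovery handler with the response oracle described above next to a hardened version that returns the same message regardless of account existence, rate limits the caller, and generates a longer temporary password. The account store, phone numbers and client addresses are constructed for the example.

```python
import secrets
import string
import time
from collections import defaultdict

# Constructed in-memory account store standing in for the portal's database.
REGISTERED = {"+390000000001", "+390000000002"}


def recover_vulnerable(phone: str) -> dict:
    """Mirrors the behaviour described in the advisory: the response body
    differs depending on whether the number exists, which is the oracle."""
    if phone in REGISTERED:
        return {"success": True}
    return {"success": "error_account_not_exists"}


def generate_temporary_password(length: int = 12) -> str:
    """Random letters and digits from a CSPRNG, longer than the fixed 8 chars."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


class RecoveryService:
    """Hardened form: constant response for every number, so the caller learns
    nothing about account existence, plus a per-client request limit."""

    def __init__(self, max_requests=5, window_s=3600, send_sms=lambda phone, pw: None):
        self.max_requests = max_requests
        self.window_s = window_s
        self.send_sms = send_sms          # hypothetical SMS gateway hook
        self._hits = defaultdict(list)    # client_ip -> request timestamps

    def _allowed(self, client_ip: str, now: float) -> bool:
        hits = [t for t in self._hits[client_ip] if now - t < self.window_s]
        self._hits[client_ip] = hits
        if len(hits) >= self.max_requests:
            return False
        hits.append(now)
        return True

    def recover(self, phone: str, client_ip: str, now: float = None) -> dict:
        now = time.time() if now is None else now
        if not self._allowed(client_ip, now):
            return {"success": False, "message": "Too many requests, try again later."}
        if phone in REGISTERED:
            # Only registered numbers receive an SMS; the HTTP response is identical either way.
            self.send_sms(phone, generate_temporary_password())
        return {"success": True, "message": "If the number is registered, a new password has been sent via SMS."}
```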