Siemens Gigaset Se366 Wlan Router Firmware Now

```sh
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT ACCEPT
iptables -A INPUT -i lo -j ACCEPT
iptables -A INPUT -i br0 -j ACCEPT
iptables -A INPUT -i eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i br0 -o eth0 -j ACCEPT
iptables -A FORWARD -i eth0 -o br0 -m state --state ESTABLISHED,RELATED -j ACCEPT
```

6.1 Known Vulnerabilities (CVE List)

| CVE ID | Description | Impact |
|--------|-------------|--------|
| CVE-2008-0126 | Web interface command injection via ping parameter | Remote code execution as root |
| CVE-2009-1791 | Default password "admin:admin" hardcoded | Unauthorized access |
| CVE-2010-0265 | Information disclosure in SNMP community strings | Network reconnaissance |
| CVE-2011-4156 | HTTPd buffer overflow in long POST requests | DoS, potential RCE |

6.2 Command Injection Example

The /cgi-bin/ping.cgi script (called via the web interface) fails to sanitize the ip parameter:

Firmware header layout:

```c
struct se366_fw_header {
    uint32_t magic;           // 0x53453636 ("SE66")
    uint32_t version;
    uint32_t kernel_offset;
    uint32_t kernel_size;
    uint32_t rootfs_offset;
    uint32_t rootfs_size;
    uint32_t crc32;
    char     board_name[32];  // "SE366"
    char     build_date[16];
    uint8_t  reserved[180];
};
```

Using binwalk reveals:

Splitting and decompressing:

Root filesystem layout:

```text
/bin/       # BusyBox applets (ln, cat, echo, etc.)
/sbin/      # init, ifconfig, route, arp, sysctl
/usr/sbin/  # httpd, hostapd, dnsmasq, iptables, pppd
/etc/       # Configuration scripts and default settings
/lib/       # uClibc 0.9.28, kernel modules (wireless, switch)
/var/       # tmpfs for runtime data (logs, DHCP leases)
```

| Binary | Origin | Purpose |
|--------|--------|---------|
| httpd | Proprietary | Web management interface (CGI-like, uses environment variables) |
| switch_config | Siemens | Configures Marvell 88E6060 switch via MDIO |
| wireless_config | Siemens | Sets radio parameters, triggers hostapd |
| led_control | Siemens | Manages front-panel LEDs (Power, WLAN, WAN, LAN1-4) |
| nvram_tool | Siemens | Reads/writes NVRAM (stored in mtd3) |

4.3 Configuration Storage (/dev/mtd3)

The config partition contains a key-value store (similar to Broadcom NVRAM). Format:

```text
$ binwalk se366_fw_v3.07.bin

DECIMAL       HEXADECIMAL     DESCRIPTION
0             0x0             Siemens SE366 firmware header
256           0x100           Linux kernel (LZMA compressed)
1024000       0xFA000         SquashFS filesystem, little endian
```
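A parser for the header layout shown above, added here as an example (it is not code from this page or from Siemens). It assumes a big-endian header (so the magic reads "SE66" on disk) and that crc32 covers everything after the 256-byte header; it applies the bounds checks an update handler must perform before trusting image-supplied offsets and sizes:

```python
import struct
import zlib

# Layout of struct se366_fw_header as given on this page: 7 x uint32, board_name[32],
# build_date[16], reserved[180] = 256 bytes, which matches the kernel at offset 0x100.
# ASSUMPTIONS: fields are big-endian (so the magic reads "SE66" on disk) and crc32
# covers everything after the header; neither is stated on the page.
HEADER_FMT = ">7I32s16s180x"
HEADER_SIZE = struct.calcsize(HEADER_FMT)  # 256
MAGIC = 0x53453636  # "SE66"


def build_image(kernel: bytes, rootfs: bytes, version: int = 0x0307,
                build_date: bytes = b"2008-01-01") -> bytes:
    """Assemble a synthetic image in the page's layout (constructed test data, not a real firmware)."""
    k_off = HEADER_SIZE
    r_off = k_off + len(kernel)
    payload = kernel + rootfs
    header = struct.pack(HEADER_FMT, MAGIC, version, k_off, len(kernel), r_off, len(rootfs),
                         zlib.crc32(payload) & 0xFFFFFFFF,
                         b"SE366".ljust(32, b"\0"), build_date.ljust(16, b"\0"))
    return header + payload


def parse_header(image: bytes) -> dict:
    """Parse the header and reject anything inconsistent; raises ValueError."""
    if len(image) < HEADER_SIZE:
        raise ValueError("image shorter than header")
    (magic, version, k_off, k_size, r_off, r_size, crc,
     board, build) = struct.unpack(HEADER_FMT, image[:HEADER_SIZE])
    if magic != MAGIC:
        raise ValueError(f"bad magic 0x{magic:08x}")
    # Bounds checks before any region is used: offsets and sizes come from the image,
    # so a C loader must additionally guard the addition against 32-bit wraparound.
    for name, off, size in (("kernel", k_off, k_size), ("rootfs", r_off, r_size)):
        if off < HEADER_SIZE or off + size > len(image):
            raise ValueError(f"{name} region out of bounds")
    if k_off + k_size > r_off:
        raise ValueError("kernel and rootfs regions overlap")
    actual = zlib.crc32(image[HEADER_SIZE:]) & 0xFFFFFFFF
    if actual != crc:
        raise ValueError(f"crc32 mismatch: header 0x{crc:08x}, computed 0x{actual:08x}")
    return {"version": version, "kernel": (k_off, k_size), "rootfs": (r_off, r_size),
            "board_name": board.rstrip(b"\0").decode(), "build_date": build.rstrip(b"\0").decode()}


def is_valid(image: bytes) -> bool:
    """True only if the image parses and its CRC and region bounds check out."""
    try:
        parse_header(image)
        return True
    except ValueError:
        return False
```

Note that crc32 only detects corruption; it gives no protection against a deliberately modified image, since anyone can recompute it.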

```ini
[Global]
wan_type=dhcp
lan_ip=192.168.1.1
wpa_passphrase=secretkey
wpa_psk=8d969eef6ecad3c29a3a629280e686cf0c3f5d5a86aff3ca12020c923adc6c92

[Wireless]
ssid=GigasetSE366
channel=6
mode=g
security=wpapsk
```

Generated hostapd configuration:

```ini
interface=wlan0
driver=hostap
ssid=GigasetSE366
hw_mode=g
channel=6
wpa=2
wpa_passphrase=secretkey
wpa_key_mgmt=WPA-PSK
rsn_pairwise=CCMP
```

The web interface generates the iptables rules. Default policy: DROP on WAN, ACCEPT on LAN.