PoC details: 1cd7f075351e7c8f2e014934cf2ac6ce696308a9

Source
Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems, open-sourced by Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability: the program creates a world-writable directory, which may allow privilege escalation to root through a symlink attack.
Description
A Proof of Concept for CVE-2025-27591, a local privilege escalation in Below ≤ v0.8.1
Introduction
# CVE-2025-27591 PoC: Local Privilege Escalation in Below < v0.9.0

Proof of Concept for CVE-2025-27591, a vulnerability that allows local unprivileged users to escalate their privileges to root through symlink attacks.

# 🕵️‍♂️ Technical Details

The vulnerability affects the Below service (versions prior to v0.9.0). It creates the `/var/log/below` directory with world-writable permissions (0777), allowing unprivileged local users to place symbolic links there that Below then follows while writing as root, so critical files such as `/etc/shadow` can be manipulated, resulting in escalation to root.

## 🧩 Impact

A local, unprivileged user can escalate to root by:
- Creating a symlink in `/var/log/below` to a sensitive system file.
- Triggering the service with sudo (e.g., `sudo below snapshot`), causing Below to write to the symlink with root privileges.

## ✅ Requirements

- `/var/log/below/` must have world-writable permissions (0777) and contain the `error_root.log` file.
- You must be allowed to run `sudo /usr/bin/below`.

~~~ bash
foo@victim:~$ ls -l /var/log/ | grep below
drwxrwxrwx  3 root      root               4096 Jul  8 20:45 below
~~~

# 🛠️ Usage

We will need a sudoers entry that permits running `/usr/bin/below`.
~~~ bash
foo@victim:~$ sudo -l
Matching Defaults entries for jacob on victim:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User foo may run the following commands on victim:
    (ALL : ALL) NOPASSWD: /usr/bin/below
~~~

Once we have the `poc.sh` file, we will give it the necessary permissions, execute it, and we'll be `root`.

~~~ bash
foo@victim:/tmp$ chmod +x poc.sh
foo@victim:/tmp$ ./poc.sh 
evil@victim:/tmp# id
uid=0(evil) gid=0(root) groups=0(root)
~~~

## ✅ Official Fix

Upgrade to Below v0.9.0 or later, which removes the insecure chmod logic and relies on systemd unit features such as `LogsDirectory=below` to create the log directory with safe ownership and permissions.
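As an added audit helper (not part of this PoC and not Below's own code), the following POSIX shell script checks a below log directory for the two preconditions listed above: a world-writable mode and symlinks already present in it, and contrasts a scratch copy of the vulnerable layout with the 0755 layout that systemd's `LogsDirectory=` produces. The function names, the scratch-directory demos and the use of GNU `stat -c` are assumptions.

```sh
#!/bin/sh
# Added audit helper (not from the PoC or from Below): report the two preconditions
# the README lists for CVE-2025-27591, a world-writable below log directory and any
# symlink already placed in it. Returns 0 when clean, 1 when either condition holds.
audit_below_logdir() {
    dir="${1:-/var/log/below}"
    status=0
    [ -d "$dir" ] || { echo "no such directory: $dir"; return 0; }
    # Octal mode of the directory; assumes GNU stat (-c), as on Linux hosts running below
    mode=$(stat -c '%a' "$dir")
    case "$mode" in
        *[2367]) echo "RISK: $dir is world-writable (mode $mode)"; status=1 ;;
    esac
    # A symlink here would be followed by root when below opens its log file
    for entry in "$dir"/* "$dir"/.*; do
        [ -L "$entry" ] || continue
        echo "RISK: symlink $entry -> $(readlink "$entry")"
        status=1
    done
    return "$status"
}

# Constructed demo of the vulnerable layout in a scratch directory (never the real
# /var/log/below): mode 0777 plus a symlink pointing at a harmless /dev/null target.
demo_vulnerable() {
    tmp=$(mktemp -d)
    chmod 0777 "$tmp"
    : > "$tmp/error_root.log"
    ln -s /dev/null "$tmp/planted.log"
    audit_below_logdir "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

# Constructed demo of the fixed layout: systemd's LogsDirectory= creates the directory
# root-owned with LogsDirectoryMode=, which defaults to 0755, so other users cannot write.
demo_hardened() {
    tmp=$(mktemp -d)
    chmod 0755 "$tmp"
    : > "$tmp/error_root.log"
    audit_below_logdir "$tmp"; rc=$?
    rm -rf "$tmp"
    return "$rc"
}

if [ "${1:-}" = "--demo" ]; then
    demo_vulnerable || echo "vulnerable layout flagged as expected"
    demo_hardened && echo "hardened layout is clean"
fi
```

Run it as `sh audit.sh --demo` for the scratch comparison, or call `audit_below_logdir` with no argument to inspect the real `/var/log/below` on a host.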

## ⚖️ Legal

- This script is for educational purposes. Always obtain explicit permission before testing.

## 📚 References
- [NVD](https://nvd.nist.gov/vuln/detail/CVE-2025-27591)
- [wiz.io](https://www.wiz.io/vulnerability-database/cve/cve-2025-27591)
- [SUSE Security](https://security.opensuse.org/2025/03/12/below-world-writable-log-dir.html)
File snapshot

[4.0K] /data/pocs/1cd7f075351e7c8f2e014934cf2ac6ce696308a9
├── [ 346] poc.sh
└── [2.2K] README.md

0 directories, 2 files
Cached for you by the Shenlong bot
Notes
    1. It is recommended to access the PoC through the source first.
    2. If the source is no longer valid or cannot be reached, send an e-mail to f.jinxu#gmail.com to request the local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the PoC code for you; to support long-term maintenance, please consider paying for the local PoC. Thank you for your support.