PoC details: 2796fb38068c14eb74bb1b8cd3b2f91e9c379109

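Source
Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems, open-sourced by Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability caused by the creation of a world-writable directory, which may allow escalation to root privileges through a symlink attack.
Introduction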
# CVE-2025-27591-Below

## 📌 Description

This is a **proof-of-concept (PoC)** exploit for **CVE-2025-27591**, a local privilege escalation vulnerability in the `below` system monitor tool.

The issue arises from unsafe handling of log files (`/var/log/below/error_root.log`) when executed with elevated privileges. By abusing this, an attacker can perform a **symlink attack** and inject a malicious user into `/etc/passwd`, effectively granting root access.
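The following check is an added example, not part of the original PoC or the `below` project: it audits a log directory for the two conditions this issue depends on, a world-writable directory and a log path that is a symlink. The function names and the constructed temporary fixture in `demo()` are assumptions made for illustration.

```python
import os
import stat
import sys
import tempfile


def audit_log_dir(log_dir):
    """Return (path, finding) tuples for risky state in a privileged log dir."""
    st = os.lstat(log_dir)
    if stat.S_ISLNK(st.st_mode):
        return [(log_dir, "log directory is itself a symlink")]
    findings = []
    if st.st_mode & stat.S_IWOTH:
        findings.append((log_dir, "directory is world-writable"))
    root = os.path.realpath(log_dir)
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        mode = os.lstat(path).st_mode  # lstat: inspect the link, not its target
        if stat.S_ISLNK(mode):
            target = os.path.realpath(path)
            inside = os.path.commonpath([root, target]) == root
            where = "inside" if inside else "outside"
            findings.append((path, f"symlink resolving {where} the directory"))
        elif stat.S_ISREG(mode) and mode & stat.S_IWOTH:
            # Assumption: world-writable log files are flagged as general hygiene.
            findings.append((path, "log file is world-writable"))
    return findings


def demo():
    """Audit a constructed temporary directory that mimics the risky state."""
    with tempfile.TemporaryDirectory() as base:
        log_dir = os.path.join(base, "below")
        os.mkdir(log_dir)
        os.chmod(log_dir, 0o777)  # constructed: world-writable directory
        decoy = os.path.join(base, "decoy.txt")  # harmless stand-in target
        open(decoy, "w").close()
        os.symlink(decoy, os.path.join(log_dir, "error_root.log"))
        normal = os.path.join(log_dir, "error_alice.log")
        open(normal, "w").close()
        os.chmod(normal, 0o644)
        return [finding for _, finding in audit_log_dir(log_dir)]


if __name__ == "__main__":
    target_dir = sys.argv[1] if len(sys.argv) > 1 else "/var/log/below"
    for path, finding in audit_log_dir(target_dir):
        print(f"{path}: {finding}")
```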

## ⚙️ Affected

- **Binary**: `/usr/bin/below`
- **Requires**: `sudo` permission to run `below record`
- **Tested on**: HTB machine (specific name withheld)

## 🔧 Exploit Steps

1. **Delete** the target log file (if it exists)
2. **Create a symlink**: `/var/log/below/error_root.log → /etc/passwd`
3. **Run the vulnerable command**: `sudo /usr/bin/below record`
4. **Append a root-level user** to `/etc/passwd`
5. **Verify** the user was created
6. **Spawn a root shell** as the injected user


## 🚀 Exploitation Steps

1. **Clone this repository**
   ```bash
   git clone https://github.com/Thekin-ctrl/CVE-2025-27591-Below.git
   cd CVE-2025-27591-Below
   python3 Exploit.py
   ```

## 🙏 Credits

This exploit was inspired by an earlier proof-of-concept by BridgerAlderson, available here:

- https://github.com/BridgerAlderson/CVE-2025-27591-PoC.git

The current version is a simplified and adapted version written by me for educational and practice purposes.
File snapshot

[4.0K] /data/pocs/2796fb38068c14eb74bb1b8cd3b2f91e9c379109
├── [1.5K] Exploit.py
└── [1.4K] README.md

0 directories, 2 files