CVE-2025-27591 PoC — below 安全漏洞

Source

https://github.com/obamalaolu/CVE-2025-27591

Associated Vulnerability

Title:below 安全漏洞 (CVE-2025-27591)
Description:below是Meta Incubator开源的一个现代 Linux 系统的资源监视器。 below v0.9.0之前版本存在安全漏洞，该漏洞源于创建了全局可写目录，可能导致通过符号链接攻击提升到root权限。

Description

CVE-2025-27591

Readme

# CVE-2025-27591 - Privilege Escalation via `below`

This repository contains an exploit for **CVE-2025-27591**, a privilege escalation vulnerability in the Linux monitoring tool **Below**.

## 🛠️ Vulnerability Details

- **CVE**: CVE-2025-27591  
- **CVSS Score**: 7.8 (High)  
- **Affected Tool**: [`below`](https://github.com/facebookincubator/below) (prior to `v0.9.0`)  
- **Vulnerability**: Below creates world-writable directories and log files (`/var/log/below/error_root.log`) as root, allowing symlink attacks by unprivileged users.
- **Discovered**: January 2025  
- **Published**: March 12, 2025  
- **Source**: [SecurityOnline](https://securityonline.org/), [OpenWall](https://www.openwall.com/)

## 💥 Exploit Summary

This exploit allows a local user to escalate privileges to root by:

1. Symlinking `/var/log/below/error_root.log` to `/etc/passwd`
2. Triggering `below` to write to the symlink
3. Injecting a malicious root user into `/etc/passwd`

## ⚙️ Requirements

- `below` is available via `sudo`, e.g.:

```bash
sudo -l
(ALL : ALL) NOPASSWD: /usr/bin/below *

File Snapshot


 [4.0K]  /data/pocs/83334348397df5a843d2830374cda7ac8efe8f0b
├── [1.3K]  CVE-2025-27591.sh
├── [ 34K]  LICENSE
└── [1.1K]  README.md

0 directories, 3 files

Shenlong Bot has cached this for you

Remarks

1. It is advised to access via the original source first.

2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).

3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.

Goal Reached Thanks to every supporter — we hit 100%!