漏洞平台

POC详情： a9647655c04f61d1286732e60a9220b116f849a9

来源

https://github.com/Diabl0xE/CVE-2025-27519

关联漏洞

标题： Cognita 路径遍历漏洞 (CVE-2025-27519)
描述：Cognita是TrueFoundry开源的一个用于构建 TrueFoundry 生产模块化开源应用程序的 RAG 框架。 Cognita存在路径遍历漏洞。攻击者利用该漏洞可以远程执行代码。

描述

PoC exploit for Below privilege escalation (CVE-2025-27591) allowing local root access via symlink manipulation in world-writable log directory.

介绍

# Below Privilege Escalation Exploit (CVE-2025-27519)

This repository contains a proof-of-concept (PoC) Bash script to exploit the **Below privilege escalation vulnerability** (CVE-2025-27519) on Linux systems. The exploit allows a local user to escalate privileges to **root** by abusing the way the `below` binary logs errors.

> ⚠️ **Warning:** This script is intended for **educational purposes and authorized penetration testing only**. Do **not** use it on systems you do not own or have permission to test.

---

## Overview of the Vulnerability

- **CVE:** CVE-2025-27519  
- **Affected software:** `below` logging utility  
- **Impact:** Local privilege escalation  
- **Description:** The `below` binary improperly handles error logging and file locks. Its log directory (`/var/log/below/`) is **globally writable**, allowing any local user to manipulate log files. By creating a symlink from `error_root.log to` `/etc/ passwd` and triggering `below error`, an attacker can insert a fake root user entry and gain administrative privileges. 

**Why it works:**  
1. `below` writes errors to `/var/log/below/error_root.log`.
2. The log directory /var/log/below/ is world-writable (drwxrwxrwx), allowing any local user to replace or symlink the log file.
3. The program does not properly check file ownership and permissions before writing.  
4. By replacing the log file with a symlink to `/etc/passwd`, the script can insert a fake root user entry
5. after triggering an error low priv user can able to create fake user inside `/etc/passwd`
---

## Usage

1. **Clone the repository:**
   ```bash
   git clone https://github.com/Diabl0xE/CVE-2025-27519
   cd CVE-2025-27519
2. **Make the script executable:**
   ```bash
   chmod +x exploit.sh
3. **Run the exploit:**
   ```bash
   ./exploit.sh

文件快照


 [4.0K]  /data/pocs/a9647655c04f61d1286732e60a9220b116f849a9
├── [1.1K]  exploit.sh
└── [1.8K]  README.md

0 directories, 2 files

神龙机器人已为您缓存

备注

1. 建议优先通过来源进行访问。

2. 如果因为来源失效或无法访问，请发送邮箱到 f.jinxu#gmail.com 索取本地快照（把 # 换成 @）。

3. 神龙已为您对POC代码进行快照，为了长期维护，请考虑为本地POC付费，感谢您的支持。