
POC details: e7745100f35e3d968e3ff31096d488a5ae32c371

Related vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: below is an open-source resource monitor for modern Linux systems from Meta Incubator. Versions of below before v0.9.0 contain a security vulnerability: the program creates a world-writable directory, which can allow privilege escalation to root through a symlink attack.
Description
Self-cleaning CVE-2025-27591 PoC that grants a root reverse shell instead of modifying passwd files
Introduction
# CVE-2025-27591

# introduction

`below` versions < `v0.9.0` are vulnerable to a local privilege escalation due to the fact that the program creates a world-writable log directory and, inside it, a world-writable log file. An attacker can replace the log file with a symlink to any system-critical file; the program, running as root, then writes to that file, and the attacker can use this to log in as root.

The following exploit targets `/etc/ld.so.preload` to pop a reverse shell as root, cleaning all indicators of compromise before doing so.

The vulnerability is only exploitable on systems whose installation packages do not create the log directory, create it with specific permissions, and/or rely on the program itself to create the log directory. Such systems include: Ubuntu, Arch Linux, Gentoo ..
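A defender-side check for the condition described above, added here as an example and not part of the PoC repository: it audits a log directory for the world-writable mode and symlinked entries that make the symlink attack possible, and builds a constructed sample directory to show the findings. The `/var/log/below` default path is an assumption; the page does not name it.

```python
import os
import stat
import tempfile
from pathlib import Path

# Assumed default log directory of below; the page does not name the path.
DEFAULT_LOG_DIR = "/var/log/below"


def audit_log_dir(path=DEFAULT_LOG_DIR, expected_uid=0):
    """Return findings that make `path` unsafe as a log directory written by
    a privileged process: wrong owner, world-writable without the sticky bit,
    or entries that are symlinks (a privileged writer would follow them)."""
    p = Path(path)
    if not p.exists():
        # Missing directory: the program will create it itself on first run.
        return [f"{path}: missing, program will create it (check its mode after)"]
    st = p.lstat()
    if stat.S_ISLNK(st.st_mode):
        return [f"{path}: directory path is a symlink -> {os.readlink(path)}"]
    findings = []
    mode = stat.S_IMODE(st.st_mode)
    if st.st_uid != expected_uid:
        findings.append(f"{path}: owned by uid {st.st_uid}, expected {expected_uid}")
    if mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
        findings.append(f"{path}: world-writable without sticky bit (mode {mode:04o})")
    for child in sorted(p.iterdir()):
        cst = child.lstat()
        if stat.S_ISLNK(cst.st_mode):
            findings.append(f"{child}: symlink -> {os.readlink(child)}")
        elif stat.S_IMODE(cst.st_mode) & stat.S_IWOTH:
            findings.append(f"{child}: world-writable ({stat.S_IMODE(cst.st_mode):04o})")
    return findings


def demo_constructed(unsafe=True):
    """Build a constructed sample directory (not a real below install) and
    audit it: mode 0777 plus a symlinked log file when unsafe, 0755 otherwise."""
    d = tempfile.mkdtemp(prefix="below-audit-")
    os.chmod(d, 0o777 if unsafe else 0o755)
    if unsafe:
        # Constructed symlink target; only the presence of a symlink matters.
        os.symlink("/nonexistent/constructed-target", os.path.join(d, "below.log"))
    return audit_log_dir(d, expected_uid=os.getuid())


if __name__ == "__main__":
    for line in audit_log_dir() or ["no findings"]:
        print(line)
```

Run it as root on a host to check the real directory; a clean result means the directory is root-owned, not world-writable, and holds no symlinks.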

# cve analysis

coming soon ..

# usage

Change the IP and port in the exploit code and compile it on your machine:
```bash
$ bash compile.sh
```

Then copy the shared library and the exploit script to the same folder on the remote machine and run it:

```bash
$ bash exploit.sh
```

# references
- [openwall discussion](https://www.openwall.com/lists/oss-security/2025/03/12/1)
- [facebook advisory](https://www.facebook.com/security/advisories/cve-2025-27591)
- [github advisory](https://github.com/advisories/GHSA-9mc5-7qhg-fp3w?utm_source=chatgpt.com)
- [github patch](https://github.com/facebookincubator/below/commit/da9382e6e3e332fd2c3195e22f34977f83f0f1f3)
- [BridgerAlderson's exploit](https://github.com/BridgerAlderson/CVE-2025-27591-PoC) 
File snapshot

[4.0K] /data/pocs/e7745100f35e3d968e3ff31096d488a5ae32c371
├── [ 118] compile.sh
├── [1.4K] exploit.sh
├── [1.5K] README.md
└── [ 856] shared.c

1 directory, 4 files