CVE-2025-27591 PoC — below security vulnerability

Associated Vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Description
A C exploit for CVE-2025-27591, which allows an attacker to escalate privileges to root.
Readme
# CVE-2025-27591 

## Description
The `below` tool allows any user to modify its log file, which leads to privilege escalation to root.


## Details
The log file created by `below` is world-writable, allowing any user to modify or replace it. 
An attacker can exploit this by creating a symbolic link from the log file to /etc/passwd.

If the attacker can trigger an error in `below` that logs arbitrary input, and crafts that input in 
the format of a valid /etc/passwd entry, they can inject a new root user into the system.

For the exploit to work, the attacker must be able to execute the `below` command. Because it has to run
as `root`, the user must have `sudo` permission or some other way to run it.
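
A defender-side check for the conditions described above, added here as an example; it is not part of the original repository. `audit_logdir` is a hypothetical helper name, and the default path `/var/log/below` is the one named in the CVE description.

```bash
#!/bin/sh
# Added example (not from the PoC repository): audit a log directory for the
# conditions behind CVE-2025-27591. audit_logdir is a hypothetical helper name;
# the default path /var/log/below is the one named in the CVE description.
# Prints one line per finding; returns 1 if anything was found, 0 otherwise.
audit_logdir() {
    dir="${1:-/var/log/below}"
    found=0

    # A symlinked log directory redirects every write made beneath it.
    if [ -L "$dir" ]; then
        echo "FINDING: $dir is a symlink -> $(readlink "$dir")"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "SKIP: $dir is not a directory"
        return 0
    fi

    # World-writable directory: any local user can create or replace entries.
    if [ -n "$(find "$dir" -prune -perm -0002)" ]; then
        echo "FINDING: $dir is world-writable"
        found=1
    fi

    # Symlinks inside the directory: a root-run writer would follow them.
    links=$(find "$dir" -type l)
    if [ -n "$links" ]; then
        printf '%s\n' "$links" | while IFS= read -r l; do
            echo "FINDING: symlink $l -> $(readlink "$l")"
        done
        found=1
    fi

    # World-writable regular files can be edited or swapped by any user.
    files=$(find "$dir" -type f -perm -0002)
    if [ -n "$files" ]; then
        printf '%s\n' "$files" | sed 's/^/FINDING: world-writable file /'
        found=1
    fi

    if [ "$found" -eq 0 ]; then echo "OK: no findings in $dir"; fi
    return "$found"
}
```

Source the file and call `audit_logdir` with no argument to check the default path; a non-zero status means the directory still has the unsafe layout and the installed `below` version should be compared against v0.9.0.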

## Compiling
```bash
git clone https://github.com/Cythonic1/CVE-2025-27591
cd CVE-2025-27591
gcc -static -W -Wall main.c ./libcrypt.a -o exploit
```

## Usage
```bash
./exploit <username> <password>
```

File Snapshot

[4.0K] /data/pocs/32b75fdaa5654dcbda84ad1b804fc605af5f93a0
├── [913K] libcrypt.a
├── [1.0K] LICENCE
├── [2.6K] main.c
└── [ 934] README.md

0 directories, 4 files