Facebookincubator/below, Incorrect Permission Assignment for Critical Resource, CVE-2025-27591 (High)

How the Mentioned CVE Works:

CVE-2025-27591 is a local privilege escalation in below (Meta's facebookincubator/below resource monitor) prior to version 0.9.0, caused by an incorrect permission assignment on a critical resource: below creates its log directory /var/log/below world-writable, so any local unprivileged user can create, rename or delete entries in it. The root-running below process later opens files in that directory for writing, which makes the classic symlink attack possible: the attacker plants a symlink under a file name the service is going to write to and points it at a critical system file such as /etc/shadow; when root next opens that path, the kernel follows the link and the write lands in the target. The attacker never needs write access to /etc/shadow itself, which is why the directory mode alone is enough to make this a high-severity issue. The flaw lies in the permissions below applies when it creates the directory, and version 0.9.0 corrects them.

DailyCVE Form:

Platform: Facebookincubator/below
Version: < 0.9.0
Vulnerability: Privilege Escalation
Severity: High
Date: Mar 11, 2025

What Undercode Says:

Exploitation:

1. Symlink Attack:

  • As an unprivileged local user, create a symlink inside `/var/log/below` pointing at `/etc/shadow`, under the file name the root-owned below process will later open for writing.
  • Example command:
    ln -s /etc/shadow /var/log/below/malicious_file
    
  • The world-writable directory is what allows the link to be created; it grants no write access to `/etc/shadow` itself. The overwrite happens when below, running as root, opens `/var/log/below/malicious_file` for writing and the kernel follows the link into `/etc/shadow`.

2. Privilege Escalation:

  • Whatever the root process writes through the link now lands in the target file. To turn that into root, a usable credential line has to end up there. The example entry below is in `/etc/passwd` format (a password hash in the second field is honored directly, so this payload pairs with a link to `/etc/passwd`); the `/etc/shadow` equivalent is `root2:$6$salt$hash:19000:0:99999:7:::` together with a matching passwd entry.
  • Example payload line (single quotes are required: in double quotes the shell expands `$6`, `$randomsalt` and `$hashvalue` to empty strings):
    echo 'root2:$6$randomsalt$hashvalue:0:0:root:/root:/bin/bash' > /var/log/below/malicious_file
    
  • Run by the unprivileged user, this command fails with "Permission denied", because the kernel checks the write against the link's target, not the link. The content has to be delivered by the privileged writer following the link.
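
The mechanism behind both steps, as a runnable simulation (an added example written for this page, not code from the below project or from the advisory): everything happens in a temporary directory owned by the current user, `LOG_NAME` is a hypothetical file name standing in for whatever below opens for writing, and two files stand in for `/var/log/below` and `/etc/shadow`. The same uid plays attacker and service, which is exactly why the naive writer's write goes through; on a real host the service's root privileges do that. The hardened writer shows the two controls that close the hole: refusing a directory that others can write to, and opening the log path with `O_NOFOLLOW` so a planted link is rejected even if it appears after the check.

```python
"""Simulation of the CVE-2025-27591 pattern: a privileged logger writing into a
world-writable directory follows an attacker-planted symlink.

Everything lives in a temporary directory owned by the current user, so the
"attacker" and the "root service" are the same uid here; on a real host the
service's root privileges are what make the write through the link succeed.
"""
import errno
import os
import stat
import tempfile

LOG_NAME = "service.log"   # hypothetical file name; below's real log names are not assumed
ORIGINAL_SHADOW = "root:*:19000:0:99999:7:::\n"   # constructed stand-in content


def naive_write(log_dir, name, data):
    """Vulnerable pattern: a plain open() follows whatever sits at the path."""
    with open(os.path.join(log_dir, name), "w") as f:
        f.write(data)


def hardened_write(log_dir, name, data):
    """Refuse a directory others can write to, and never follow a symlink at the log path."""
    st = os.stat(log_dir)
    if not stat.S_ISDIR(st.st_mode):
        raise NotADirectoryError(errno.ENOTDIR, "not a directory", log_dir)
    if st.st_uid != os.geteuid():
        raise PermissionError(errno.EACCES, "log directory not owned by the writer", log_dir)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        raise PermissionError(errno.EACCES, "log directory is group/world-writable", log_dir)
    # O_NOFOLLOW makes the kernel fail with ELOOP if the final path component is a
    # symlink, so a link planted between the checks above and this open() is still rejected.
    flags = os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(os.path.join(log_dir, name), flags, 0o640)
    with os.fdopen(fd, "w") as f:
        f.write(data)


def simulate(hardened, dir_mode=0o777):
    """Plant a symlink under the service's log name, run one writer, and return
    (content of the stand-in /etc/shadow afterwards, errno raised by the writer or None)."""
    with tempfile.TemporaryDirectory() as tmp:
        target = os.path.join(tmp, "shadow")          # stands in for /etc/shadow
        with open(target, "w") as f:
            f.write(ORIGINAL_SHADOW)
        log_dir = os.path.join(tmp, "below")          # stands in for /var/log/below
        os.mkdir(log_dir)
        os.chmod(log_dir, dir_mode)                   # 0o777 reproduces the bug
        # Attacker step: the link takes the name the service will open for writing.
        os.symlink(target, os.path.join(log_dir, LOG_NAME))
        # Service step: whatever it logs now goes wherever the link points.
        writer = hardened_write if hardened else naive_write
        err = None
        try:
            writer(log_dir, LOG_NAME, "garbage from the log writer\n")
        except OSError as e:
            err = e.errno
        with open(target) as f:
            return f.read(), err


def outcome(hardened, dir_mode=0o777):
    """Summarize one run as (shadow file still intact?, errno name or None)."""
    content, err = simulate(hardened, dir_mode)
    return content == ORIGINAL_SHADOW, errno.errorcode.get(err)


if __name__ == "__main__":
    for hardened, mode in [(False, 0o777), (False, 0o755), (True, 0o777), (True, 0o755)]:
        intact, name = outcome(hardened, mode)
        print(f"hardened={hardened!s:5} dir_mode={mode:04o} errno={name} shadow_intact={intact}")
```

Running it shows that restoring the directory to 0755 does not help once a link is already in place (the naive writer still follows it), which is why cleanup has to look at the directory's contents and not just its mode bits.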
    

Protection:

1. Patch Installation:

  • Upgrade to below v0.9.0 or later through the channel that installed it: your distribution's package manager if it ships below, otherwise crates.io for a source install. Restart the service afterwards so the running daemon is the patched binary.
  • Command (crates.io install):
    cargo install below
    

2. Manual Permission Fix:

  • Until the upgrade is in place, make `/var/log/below` root-owned and writable by root only; 0755 keeps it readable for tools that consume the logs while removing the write bit the attack depends on.
  • Command:
    sudo chown root:root /var/log/below && sudo chmod 755 /var/log/below
    
  • This does not undo a symlink that has already been planted; check the directory contents as well (step 3).

3. Audit Symlinks:

  • Regularly audit the directory for symlinks. A link that resolves outside `/var/log/below` has no legitimate reason to be there and should be removed and investigated (who owns it, and what it points at).
  • Command:
    find /var/log/below -type l -exec ls -l {} \;
    

4. SELinux/AppArmor:

  • Use mandatory access control to confine which domains may write into the directory. The command below only assigns the standard log file label; on its own it does not stop the attack, because the weakness is the DAC mode bits that step 2 fixes, and a `chcon` change is lost on the next relabel (use `semanage fcontext` plus `restorecon` for a persistent rule).
  • Example relabel:
    chcon -t var_log_t /var/log/below
    

5. Log Monitoring:

  • Monitor `/var/log/below` for entries the service itself would not create: symlinks, and files owned by accounts other than root. For continuous coverage, an auditd watch on the directory (`-w /var/log/below -p wa`) records every create, rename and attribute change.
  • Command:
    find /var/log/below \( -type l -o ! -user root \) -ls
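
A read-only audit covering steps 2, 3 and 5 above, as an added example (written for this page, not part of below): `audit_log_dir` reports mode and ownership problems on the directory, every symlink inside it together with where it resolves, and every entry not owned by the service account. `build_scenario` and `demo` construct a throwaway directory under the current user to exercise it, with `error.log` as a hypothetical planted name; run without arguments, the script audits the real `/var/log/below`, which needs only read access to the directory.

```python
"""Audit helper for the conditions behind CVE-2025-27591: mode and ownership of
the below log directory, plus any symlink or foreign-owned entry inside it.
Added example for this page, not part of below; the audit changes nothing."""
import os
import stat
import tempfile

LOG_DIR = "/var/log/below"


def audit_log_dir(log_dir=LOG_DIR, expected_uid=0):
    """Return a list of human-readable findings; an empty list means the directory looks sane."""
    findings = []
    try:
        st = os.lstat(log_dir)
    except FileNotFoundError:
        return [f"{log_dir}: does not exist (below has not created it on this host)"]
    if stat.S_ISLNK(st.st_mode):
        return [f"{log_dir}: is itself a symlink -> {os.readlink(log_dir)}"]
    if not stat.S_ISDIR(st.st_mode):
        return [f"{log_dir}: is not a directory"]
    mode = stat.S_IMODE(st.st_mode)
    if mode & stat.S_IWOTH:
        findings.append(f"{log_dir}: world-writable (mode {mode:04o}), expected 0755")
    elif mode & stat.S_IWGRP:
        findings.append(f"{log_dir}: group-writable (mode {mode:04o}), expected 0755")
    if st.st_uid != expected_uid:
        findings.append(f"{log_dir}: owned by uid {st.st_uid}, expected uid {expected_uid}")
    real_dir = os.path.realpath(log_dir)
    for name in sorted(os.listdir(log_dir)):
        path = os.path.join(log_dir, name)
        est = os.lstat(path)               # lstat: inspect the link itself, never follow it
        if stat.S_ISLNK(est.st_mode):
            resolved = os.path.realpath(path)
            inside = resolved.startswith(real_dir + os.sep)
            findings.append(
                f"{path}: symlink -> {os.readlink(path)} "
                f"({'inside' if inside else 'OUTSIDE'} the log dir, created by uid {est.st_uid})")
        elif est.st_uid != expected_uid:
            findings.append(f"{path}: owned by uid {est.st_uid}, not the service account")
    return findings


def build_scenario(tmp, vulnerable):
    """Constructed fixture: a stand-in log dir, optionally with the bug and a planted link."""
    log_dir = os.path.join(tmp, "below")
    os.mkdir(log_dir)
    with open(os.path.join(log_dir, "service.log"), "w") as f:   # legitimate, owner-created file
        f.write("normal log line\n")
    if vulnerable:
        os.chmod(log_dir, 0o777)                                   # the CVE-2025-27591 condition
        target = os.path.join(tmp, "shadow")                       # stands in for /etc/shadow
        open(target, "w").close()
        os.symlink(target, os.path.join(log_dir, "error.log"))     # hypothetical planted name
    else:
        os.chmod(log_dir, 0o755)
    return log_dir


def demo(vulnerable):
    """Run the audit against a constructed scenario owned by the current user."""
    with tempfile.TemporaryDirectory() as tmp:
        return audit_log_dir(build_scenario(tmp, vulnerable), expected_uid=os.geteuid())


if __name__ == "__main__":
    for line in audit_log_dir() or [f"{LOG_DIR}: no findings"]:
        print(line)
```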
    

Additional Analytics:

  • Affected Systems: hosts running the below service at any version earlier than 0.9.0, where the log directory was created with the vulnerable permissions.
  • Exploitability: High for local attackers; an unprivileged shell is all that is required, with no user interaction.
  • Mitigation Complexity: Low (upgrade, or chown/chmod the directory and remove planted links).
  • Risk Score: CVSS v3.1 7.8 (High) for the vector AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (local, low privileges, no interaction, full confidentiality, integrity and availability impact).

Example Code for Detection:

#!/bin/bash
# Report whether /var/log/below carries the world-writable bit that CVE-2025-27591 depends on.
dir=/var/log/below
if [ ! -d "$dir" ]; then
echo "Not present: $dir (below has not created it on this host)."
elif [ -n "$(find "$dir" -maxdepth 0 -perm -0002 2>/dev/null)" ]; then
echo "Vulnerable: $dir is world-writable!"
else
echo "Not Vulnerable."
fi

Example Code for Exploit Prevention:

#!/bin/bash
# Restore root-only write access to /var/log/below and list any symlinks already planted there.
set -e
sudo chown root:root /var/log/below
sudo chmod 755 /var/log/below
echo "Permissions updated: only root can now create or replace entries in /var/log/below."
# chmod does not undo a link that is already in place; review and remove these by hand.
sudo find /var/log/below -type l -ls

This concludes the technical breakdown of CVE-2025-27591.

References:

GitHub Security Advisory GHSA-9mc5-7qhg-fp3w: https://github.com/advisories/GHSA-9mc5-7qhg-fp3w