Analysis of a public, patched, third-party CVE, written as a portfolio example. Not original discovery by Goldberg Security Research.

Summary

below is an open-source resource monitor for Linux (cgroup2-aware, a kind of historical top). In versions before 0.9.0 it created its log directory world-writable and followed symlinks when opening the log file. A local attacker can pre-plant a symlink so that below, running with root privileges, writes attacker-influenced content into a sensitive file such as /etc/passwd, yielding root.

Root Cause

Two weaknesses combine:

  • Incorrect permissions: the log directory (/var/log/below) was created world-writable (0777), so any local user can create entries inside it.
  • Insecure file open: the logger opened/created its log file without O_NOFOLLOW and without verifying the path wasn't a symlink, so if the log path is a symlink, the privileged process writes through it to the target.

    # Attacker (unprivileged): point the log path at a sensitive file
    rm -f /var/log/below/error_root.log
    ln -s /etc/passwd /var/log/below/error_root.log

    # Victim/automation runs below as root (e.g. via sudo):
    sudo below record    # writes "log" content through the symlink into /etc/passwd

Because the write happens as root and follows the symlink, the attacker can corrupt /etc/passwd — e.g. appending a UID-0 account with a known password — then su to it.

Exploitation

  1. Confirm below is installed and runnable as root (commonly via a sudoers rule or a scheduled/privileged invocation).
  2. Replace the predictable log file path with a symlink to /etc/passwd (or another root-writable target).
  3. Trigger the privileged below run; its log output is written through the symlink.
  4. Use the injected credentials / clobbered file to obtain a root shell.

Impact

Local privilege escalation to root on any host where an unprivileged user can both write to the log directory and cause below to run with elevated privileges. A textbook example of how a mundane lapse in logging hygiene becomes a root vector.

Remediation

  • Upgrade below to 0.9.0 or later.
  • Ensure log directories are owned by root and not world-writable (0755 / 0750).
  • Open privileged log files with O_NOFOLLOW / O_CREAT|O_EXCL and validate the path is not a symlink.
  • Avoid granting sudo to monitoring tools that write to shared, writable locations.
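As an added example (not code from the below project or from this write-up), the following Python sketch implements the two remediation checks above against a constructed fixture: the log directory must be a real directory owned by the running uid and not world-writable, and the log file is opened with O_NOFOLLOW and then verified through fstat so a planted symlink or hard link is never written through. Function names, the temporary directory layout and the stand-in passwd file are my own assumptions.

```python
import errno
import os
import stat
import tempfile

def check_log_dir(dir_path: str, owner_uid: int) -> None:
    """Reject a log dir that is a symlink, foreign-owned, or world-writable (the 0777 bug)."""
    st = os.lstat(dir_path)  # lstat: a symlinked directory is itself rejected
    if not stat.S_ISDIR(st.st_mode) or st.st_uid != owner_uid or st.st_mode & stat.S_IWOTH:
        raise PermissionError(f"{dir_path}: need a directory owned by uid {owner_uid}, not o+w")

def open_log_safely(path: str, owner_uid: int, mode: int = 0o640) -> int:
    """Open/create an append-only log without writing through a symlink. O_NOFOLLOW makes
    open(2) fail (ELOOP on Linux) on a symlink with no check-then-open race; fstat on the
    fd then rejects hard links and foreign-owned files, which O_NOFOLLOW alone misses."""
    flags = os.O_WRONLY | os.O_APPEND | os.O_CREAT | os.O_NOFOLLOW | os.O_CLOEXEC
    fd = os.open(path, flags, mode)
    try:
        st = os.fstat(fd)
        if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1 or st.st_uid != owner_uid:
            raise PermissionError(f"{path}: not a single-link regular file we own")
    except BaseException:
        os.close(fd)
        raise
    return fd

def demo() -> dict:
    """Constructed fixture: private log dir, planted symlink to a stand-in /etc/passwd."""
    me, root = os.geteuid(), tempfile.mkdtemp()
    logdir, sensitive = os.path.join(root, "below"), os.path.join(root, "passwd")
    os.mkdir(logdir, 0o750)
    with open(sensitive, "w") as f:
        f.write("root:x:0:0::/root:/bin/sh\n")
    planted = os.path.join(logdir, "error_root.log")
    os.symlink(sensitive, planted)  # the pre-planted link from the advisory
    check_log_dir(logdir, me)
    result = {"symlink_blocked": False, "dir_0777_rejected": False}
    try:
        os.close(open_log_safely(planted, me))
    except OSError as e:
        result["symlink_blocked"] = e.errno in (errno.ELOOP, errno.EMLINK)
    with os.fdopen(open_log_safely(os.path.join(logdir, "error_fresh.log"), me), "ab") as log:
        log.write(b"startup ok\n")  # the legitimate, non-symlinked path still works
    with open(sensitive) as f:
        result["sensitive_untouched"] = f.read() == "root:x:0:0::/root:/bin/sh\n"
    os.chmod(logdir, 0o777)  # recreate the original misconfiguration
    try:
        check_log_dir(logdir, me)
    except PermissionError:
        result["dir_0777_rejected"] = True
    return result
```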

Timeline

  • 2025 — Reported and assigned CVE-2025-27591.
  • 2025 — Fixed in below v0.9.0.

References