Below Privilege Escalation Vulnerability

Vulnerability

A privilege escalation vulnerability exists in the Below service, specifically in versions prior to 0.9.0. The issue arises from the creation of a world-writable directory at /var/log/below, which can allow local unprivileged users to escalate to root privileges. This can be achieved through symlink attacks that manipulate sensitive files, such as /etc/shadow.

Impact

Exploitation of this vulnerability can lead to unauthorized root access on the affected system.

Reproduction

The vulnerability can be reproduced by creating a symlink in the world-writable directory /var/log/below that points to a file such as /etc/shadow. When the Below service starts, it overwrites the target file through the symlink, allowing the attacker to escalate privileges.

Remediation

Users can update to Below version 0.9.0 or later, which addresses the permission issues by removing the problematic assignments and allowing systemd to manage the log directory safely.
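
To check whether a host still shows the conditions described above, the following shell function audits the log directory for a world-writable mode bit and for symlinks placed inside it. It is an added example, not code from the Below project or from this advisory; /var/log/below is the path named above, while the function name, output format and return codes are assumptions made for illustration.

```shell
# Added example (not from the Below project). /var/log/below is the path named
# in the advisory; the function name and output format are illustrative.

# audit_below_logdir [DIR]
# Prints one line per finding. Returns 0 if clean, 1 on findings, 2 if DIR is absent.
audit_below_logdir() {
    local dir findings links
    dir="${1:-/var/log/below}"
    findings=0

    # The log directory being a symlink is itself a redirect of privileged writes.
    if [ -L "$dir" ]; then
        echo "FINDING: $dir is a symlink -> $(readlink "$dir")"
        return 1
    fi
    if [ ! -d "$dir" ]; then
        echo "INFO: $dir does not exist"
        return 2
    fi

    # World-writable bit (o+w) on the directory lets any local user create entries.
    if [ -n "$(find "$dir" -maxdepth 0 -type d -perm -0002)" ]; then
        echo "FINDING: $dir is world-writable"
        findings=1
    fi

    # Symlinks inside the directory: a root-owned writer that follows them
    # modifies whatever file they point to.
    links=$(find "$dir" -mindepth 1 -type l -exec sh -c \
        'printf "FINDING: symlink %s -> %s\n" "$1" "$(readlink "$1")"' _ {} \;)
    if [ -n "$links" ]; then
        printf '%s\n' "$links"
        findings=1
    fi

    [ "$findings" -eq 0 ] && echo "OK: $dir has no world-writable bit and no symlinks"
    return "$findings"
}
```

Run `audit_below_logdir` with no argument as root to audit the default path; a clean result after upgrading does not prove that no symlink was used earlier.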

Added: Jun 9, 2025, 7:46 PM
Updated: Jun 9, 2025, 7:46 PM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 7.5
exploitability: 5.7
remediation: 0.0
relevance: 0.0
threat: 4.8
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.