script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.
Local privilege escalation is possible due to a vulnerability in the script command of the util-linux package. An attacker can leverage a hardlink and a race condition to overwrite arbitrary files on the system, potentially achieving root access and complete system compromise.
Step 1: Hardlink Creation: The attacker creates a hardlink from the expected typescript log file path (typically in the current directory, e.g., typescript) to a target sensitive file (e.g., /etc/shadow).
Step 2: Privilege Escalation Trigger: The attacker convinces a privileged user (e.g., root) to execute the script command, typically by providing a crafted command or script to be executed within the script session.
Step 3: File Overwrite: The script command starts logging to the typescript file. Because of the hardlink, any data written to the typescript file is actually written to the target file (e.g., /etc/shadow).
Step 4: System Compromise: The attacker overwrites the target file with malicious content (e.g., a modified /etc/shadow file with a known password or a root shell).
The vulnerability stems from a race condition within the script command. The command creates a typescript log file to record terminal sessions. An attacker can create a hardlink from this log file name to a sensitive system file (e.g., /etc/shadow). When the script command is executed by a privileged user (e.g., root), it opens the log file for writing. Because the name is a hardlink, that write actually overwrites the target file. The flaw lies in the absence of file locking or checks that would detect the hardlink before script writes to the file. This allows an attacker to overwrite any file the user running script can write to, which, when root runs it, is effectively every file on the system.
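An added example (not util-linux code) of the check that closes this hole: open the log without truncating, inspect the already-open descriptor, and refuse any name whose link count is not exactly one. The path names and the scratch-directory self-check are constructed for the demo.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Open a typescript-style log for writing only if the name is a regular
 * file with exactly one link, owned by the caller (a missing file is
 * created). Returns an fd, or -1 for a symlink, hardlink or foreign file.
 * No O_TRUNC: nothing is clobbered before the fstat() checks on the
 * already-open fd pass, so there is no check-then-open window to race. */
int safe_open_log(const char *path) {
    struct stat st;
    int fd = open(path, O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fstat(fd, &st) < 0 || !S_ISREG(st.st_mode) ||
        st.st_nlink != 1 || st.st_uid != geteuid()) {
        close(fd);                  /* nothing was written or truncated */
        return -1;
    }
    if (ftruncate(fd, 0) < 0) { close(fd); return -1; } /* safe only now */
    return fd;
}

/* Self-check in a constructed scratch directory: "victim" stands in for a
 * sensitive file and "typescript" is a hardlink to it (the page's Step 1).
 * Returns 1 when the hardlinked name is refused, a fresh log is accepted,
 * and the victim's contents survive untouched. */
int demo_hardlink_is_refused(void) {
    char dir[] = "/tmp/scriptdemo.XXXXXX", victim[64], hl[64], fresh[64];
    struct stat st;
    int fd, ok;
    if (mkdtemp(dir) == NULL) return 0;
    snprintf(victim, sizeof victim, "%s/victim", dir);
    snprintf(hl, sizeof hl, "%s/typescript", dir);
    snprintf(fresh, sizeof fresh, "%s/fresh-typescript", dir);
    fd = open(victim, O_WRONLY | O_CREAT | O_EXCL, 0600);
    if (fd < 0 || write(fd, "secret\n", 7) != 7 ||
        link(victim, hl) != 0) return 0;
    close(fd);
    ok = (safe_open_log(hl) == -1);                       /* st_nlink is 2 */
    ok = ok && stat(victim, &st) == 0 && st.st_size == 7; /* not truncated */
    fd = safe_open_log(fresh);
    ok = ok && fd >= 0;
    if (fd >= 0) close(fd);
    unlink(hl); unlink(victim); unlink(fresh); rmdir(dir);
    return ok;
}
```

On Linux 3.6 and later, fs.protected_hardlinks=1 additionally stops unprivileged users from hardlinking files they cannot already read and write, which removes Step 1 for targets such as /etc/shadow.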