Source: cve@mitre.org
script command in the util-linux package before 2.11n allows local users to overwrite arbitrary files by setting a hardlink from the typescript log file to any file on the system, then having root execute the script command.
A flaw in the script command shipped in util-linux lets a local user overwrite arbitrary files. script writes its terminal log under a fixed name (typescript in the current directory) without checking what that name already refers to, so an attacker who can place a hard link named typescript in a directory where root later runs script has root's session transcript written over any file on the same filesystem. Overwriting or truncating files such as /etc/passwd or /etc/shadow leads to privilege escalation or a denial of service against every account on the host.
Step 1: Hard link creation: In a directory where root can be expected to run script, and which the attacker can write to (such as /tmp), the attacker runs ln <target> typescript, creating a second name for the target's inode. Hard links cannot cross filesystems, so the target must live on the same filesystem as that directory. On the kernels of the time nothing stopped an unprivileged user from linking to a file they could neither read nor write, such as /etc/shadow.
Step 2: Triggering the script command: Root (or another user with write access to the target) runs script in that directory, whether by hand, from an administrative script, or because a wrapper or service invokes it there. The attacker only has to wait; no timing is involved.
Step 3: File overwrite: script runs with the privileges of the user who invoked it and opens typescript for writing, truncating it unless the append option is given. Because the name resolves to the target's inode, the open truncates the target and the session transcript ("Script started on ...", followed by everything shown on the terminal) is written into it.
Step 4: Privilege escalation or denial of service: The attacker does not type into root's session, so the content written is controlled only indirectly, for instance by getting root to display attacker-chosen text (a line in /etc/passwd format defining a UID 0 account, or a password hash destined for /etc/shadow). Truncation alone is already damaging: an emptied /etc/shadow or /etc/passwd breaks authentication for every user.
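The four steps above, as an added demonstration that is not part of the original advisory and not code from util-linux. It never touches a system file and needs no privileges: a throwaway directory stands in for root's working directory, a constructed file stands in for the sensitive target, and a plain shell redirect stands in for script opening typescript, so the run is deterministic and needs no terminal. It assumes mktemp and a POSIX ls whose second column is the link count.

```shell
#!/bin/sh
# Added demonstration of the hard-link overwrite mechanism (not from the
# original advisory or from util-linux). Everything happens in a temporary
# directory owned by the current user.

# Returns 0 if writing through the name "typescript" changed "target".
demo_hardlink_overwrite() {
    dir=$(mktemp -d) || return 1

    # Constructed stand-in for the sensitive file. We own it here, so the
    # demo also works on kernels with fs.protected_hardlinks=1; in the real
    # attack the target is root's and the attacker cannot write it.
    printf 'root:x:0:0:root:/root:/bin/sh\n' > "$dir/target"

    # Step 1: the attacker pre-places a hard link named "typescript".
    # Hard links share one inode, so link and target must be on the same
    # filesystem; nothing else is required of the attacker.
    ln "$dir/target" "$dir/typescript" || { rm -rf "$dir"; return 1; }

    # Both names now resolve to the same inode, link count 2.
    set -- $(ls -l "$dir/target")
    links=$2

    # Steps 2 and 3: root runs script here. script opens "typescript" for
    # writing, which truncates whatever inode the name points at and then
    # writes the session header. A redirect does exactly the same to the
    # inode, without needing a pty.
    printf 'Script started on (constructed session)\n' > "$dir/typescript"

    # Step 4: "target" was never named in the write, yet its original
    # content is gone and it now holds the transcript.
    result=$(cat "$dir/target")
    rm -rf "$dir"

    [ "$links" = 2 ] && [ "$result" = "Script started on (constructed session)" ]
}

demo_hardlink_overwrite && echo "write through typescript replaced target"
```

The redirect stands in for script only to keep the demonstration free of terminal handling; the inode-level effect of fopen with truncation is identical, which is the whole point of the bug.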
The root cause is neither a race condition nor missing input validation. script simply opens its log by name (typescript in the current directory, or a path given on the command line) and writes to whatever inode that name already resolves to, without checking that the file is new, that it has a single link, or that the invoking user owns it. Under classic Unix semantics any user could create a hard link to any file on the same filesystem regardless of that file's permissions, so an unprivileged user could place the link long in advance; there is no window to win. When a privileged user then runs script, the process has the rights to write the target, the open truncates it, and the terminal transcript lands in the sensitive file. util-linux 2.11n fixes this.
This is a classic local privilege escalation. No specific APT groups are tied to it, but exploitation takes nothing more than ln and patience, so it is within reach of any local attacker, from commodity post-exploitation tooling to manual use. It is not listed on CISA KEV, which concentrates on recent, actively exploited flaws; that absence says nothing about the impact on a host still running an affected util-linux.
Monitor hard link creation (the link and linkat system calls, for example through auditd) whose source is a sensitive file such as /etc/shadow, /etc/passwd or /etc/group, or whose new name is typescript, the default log name of script. The link is the attacker's only visible action before root runs the command.
Analyze system logs for suspicious activity related to the script command, including unusual command-line arguments or execution patterns.
Implement file integrity monitoring (FIM) to detect unauthorized modifications to critical system files.
Review audit logs for script executions by privileged users, especially those started in world-writable or attacker-writable directories such as /tmp, since the log is written to the current directory unless an output path is given.
Use intrusion detection systems (IDS) with rules tailored to detect hardlink creation and file modification attempts.
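An added detection example, not part of the original advisory: it correlates Linux audit records the way a SIEM rule would, joining each SYSCALL record for a link syscall to its PATH records by event serial and flagging links whose source is a watched system file or whose new name is typescript. The audit key "hardlink" is a hypothetical name chosen for this example, the sample records are constructed rather than captured, and the auditctl rule quoted in the comment is the one assumed to produce such records.

```shell
#!/bin/sh
# Added detection example (not from the original advisory). Assumes auditd
# records shaped like the constructed sample below, produced by a rule such
# as (hypothetical key name "hardlink"):
#   auditctl -a always,exit -F arch=b64 -S link,linkat -F auid>=1000 -F auid!=unset -k hardlink

# Constructed sample records, not real logs. Event 200 is a harmless link in
# a home directory; event 201 links /etc/shadow to /tmp/typescript.
# For link(2), PATH item 0 is the source, item 1 the new parent directory,
# item 2 the new name.
SAMPLE_AUDIT='type=SYSCALL msg=audit(1700000000.101:200): arch=c000003e syscall=86 success=yes exit=0 auid=1000 uid=1000 comm="ln" exe="/usr/bin/ln" key="hardlink"
type=PATH msg=audit(1700000000.101:200): item=0 name="/home/alice/notes.txt" inode=4101 mode=0100644 ouid=1000
type=PATH msg=audit(1700000000.101:200): item=1 name="/home/alice/" inode=4000 mode=040755 ouid=1000
type=PATH msg=audit(1700000000.101:200): item=2 name="/home/alice/notes-link" inode=4101 mode=0100644 ouid=1000
type=SYSCALL msg=audit(1700000000.205:201): arch=c000003e syscall=86 success=yes exit=0 auid=1000 uid=1000 comm="ln" exe="/usr/bin/ln" key="hardlink"
type=PATH msg=audit(1700000000.205:201): item=0 name="/etc/shadow" inode=2001 mode=0100640 ouid=0
type=PATH msg=audit(1700000000.205:201): item=1 name="/tmp/" inode=3000 mode=041777 ouid=0
type=PATH msg=audit(1700000000.205:201): item=2 name="/tmp/typescript" inode=2001 mode=0100640 ouid=0'

# Reads audit text from $1 and prints "serial auid source newname" for every
# hard link whose source is a watched file or whose new name is typescript.
find_suspicious_links() {
    printf '%s\n' "$1" | awk '
    BEGIN {
        n = split("/etc/shadow /etc/gshadow /etc/passwd /etc/group /etc/sudoers", w, " ")
        for (i = 1; i <= n; i++) watch[w[i]] = 1
    }
    # The event serial is the number after the colon in msg=audit(ts:serial):
    match($0, /:[0-9]+\):/) { serial = substr($0, RSTART + 1, RLENGTH - 3) }
    /^type=SYSCALL / && /key="hardlink"/ {
        is_link[serial] = 1
        if (match($0, /auid=[0-9]+/)) auid[serial] = substr($0, RSTART + 5, RLENGTH - 5)
    }
    /^type=PATH / {
        item = ""; name = ""
        if (match($0, /item=[0-9]+/)) item = substr($0, RSTART + 5, RLENGTH - 5)
        if (match($0, /name="[^"]*"/)) name = substr($0, RSTART + 6, RLENGTH - 7)
        path[serial, item] = name
    }
    END {
        for (s in is_link) {
            src = path[s, 0]; dst = path[s, 2]
            if ((src in watch) || dst ~ /\/typescript$/) print s, auid[s], src, dst
        }
    }' | sort -n
}

find_suspicious_links "$SAMPLE_AUDIT"
```

Two independent signals are checked on purpose: a watched source catches links to any file you care about regardless of the name chosen, while the typescript new-name check catches the specific trick even against a target not on the watch list.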
Upgrade the util-linux package to version 2.11n or later. This version includes the fix for the vulnerability.
Restrict the ability of unprivileged users to hard-link files they do not own and cannot write. On Linux 3.6 and later this is the fs.protected_hardlinks sysctl (set it to 1); on older kernels, keep world-writable directories such as /tmp on a separate filesystem from system files where possible, since hard links cannot cross filesystems.
Regularly scan systems for vulnerable versions of util-linux using vulnerability scanners.
Disable or restrict script if it is not essential. Where root does use it, run it in a directory only root can write to, or pass an explicit output path inside such a directory, and never start it in /tmp or another world-writable location.
Implement a robust backup and recovery strategy to mitigate the impact of a successful exploit.
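An added baseline check that is not part of the original advisory: it decides whether a util-linux version string falls in the affected range (older than 2.11n, handling both the old letter-suffix scheme such as 2.11m and the current numeric scheme such as 2.39.3) and reports the kernel's fs.protected_hardlinks setting, which removes the attack precondition on Linux 3.6 and later. The assumption that script --version prints the version as its last word is noted in the code.

```shell
#!/bin/sh
# Added mitigation-check example (not from the original advisory).

# Returns 0 if VERSION sorts before 2.11n (affected), 1 if not, 2 if the
# string is not a recognisable version.
util_linux_vulnerable() {
    printf '%s\n' "$1" | awk '{
        if ($0 !~ /^[0-9]+\.[0-9]+/) exit 2
        split($0, p, ".")
        major = p[1] + 0
        # In the old scheme the minor carries a letter suffix, e.g. "11n";
        # an absent letter sorts before "a".
        minor = p[2]; letter = ""
        if (match(minor, /[a-z]+$/)) {
            letter = substr(minor, RSTART)
            minor = substr(minor, 1, RSTART - 1)
        }
        minor = minor + 0
        # Fixed in 2.11n: affected iff (major, minor, letter) < (2, 11, "n").
        if (major != 2) exit (major < 2 ? 0 : 1)
        if (minor != 11) exit (minor < 11 ? 0 : 1)
        exit (letter < "n" ? 0 : 1)
    }'
}

# Prints the kernel knob value (1 means unprivileged users cannot hard-link
# files they do not own and cannot write), or "absent" where it does not exist.
hardlink_protection_status() {
    if [ -r /proc/sys/fs/protected_hardlinks ]; then
        cat /proc/sys/fs/protected_hardlinks
    else
        echo absent
    fi
}

# Prints the installed version, assuming the modern banner format
# "script from util-linux X.Y.Z"; prints nothing if script is missing.
installed_version() {
    command -v script >/dev/null 2>&1 || return 1
    script --version 2>/dev/null | awk '{ print $NF }'
}

v=$(installed_version)
if [ -n "$v" ] && util_linux_vulnerable "$v"; then
    echo "util-linux $v: in the affected range"
else
    echo "util-linux ${v:-unknown}: not in the affected range"
fi
echo "fs.protected_hardlinks: $(hardlink_protection_status)"
```

The version check is the part worth keeping in a scanner; the sysctl check is the one that tells you whether the underlying class of hard-link attacks is closed on that host even if an old binary is still present.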