Update README.md

SirBroccoli 2025-09-03 13:09:05 +02:00 committed by GitHub
parent 0d245aa594
commit b883a0d5c4


@ -440,16 +440,6 @@ Bash performs parameter expansion and command substitution before arithmetic eva
# When the root cron parser evaluates (( total += count )), your command runs as root.
```
- Preconditions:
- You can cause a line you control to be written into the log consumed by the root script.
- The script evaluates an untrusted variable inside ((...)), $((...)) or let.
- Mitigations (for defenders):
- Never use arithmetic evaluation on untrusted strings. Validate first: `[[ $count =~ ^[0-9]+$ ]] || continue`.
- Prefer integer-safe parsing with awk or mapfile and explicit regex checks.
- Run log parsers as least-privileged users; never as root unless strictly necessary.
### Cron script overwriting and symlink
If you **can modify a cron script** executed by root, you can get a shell very easily:
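Review bot: the hunk deletes the "Preconditions" and "Mitigations (for defenders)" bullets that followed the code fence without replacing them, so the section now ends on the root-shell payload with no statement of when the issue applies or how to fix it; the removed lines `- Never use arithmetic evaluation on untrusted strings. Validate first: `[[ $count =~ ^[0-9]+$ ]] || continue`.` and `- Run log parsers as least-privileged users; never as root unless strictly necessary.` are the only remediation guidance in this subsection. Unless the same commit moves them elsewhere, keep them after the closing fence (or at minimum fold the regex validation one-liner into a comment in the code block) so the technique stays paired with its defensive counterpart, as the neighbouring subsections do.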