Collaborate Disseminate
What are the security implications of mapping a host folder to a Docker container ro? For example -v /usr/local/bin:/usr/local/bin:ro.
Of course, the container can now read the host folder. But, assuming the mapping is of data that’s publ… Continue reading Security of a ro volume in Docker
I learned about gVisor from https://security.stackexchange.com/a/259275/133925 . It runs containers under a custom kernel, written in Go, with very intense security.
My question is: The whole point of Docker is to use the host kernel. Ho… Continue reading How does gVisor run its own kernel replacement under Docker for security?
If I want to run untrusted code inside a Docker container, or an untrusted Docker container for that matter, how can I restrict it?
I’d like to make sure it has no access to the host filesystem. Ideally I’d like it to have limited network… Continue reading Security of untrusted Docker containers
I’m pentesting a system (call it X) which uses an internal secret key. Due to weaknesses in the crypto, I can determine:
The SHA1 hash of the key (stored as a checksum)
With high probability, the value of any byte of the key
The len of t… Continue reading Using John or hashcat when password stub is leaked by weak crypto
In rop, often a gadget has an undesired pop or push in the middle.
For a pop, we handle this simply by adding a dummy value to our chain: it is popped, and all is well.
What about a push: What do we do to our chain to handle it? It seems t… Continue reading Rop: Handling a `push` in the middle of a gadget
The classic malloc overflow, of overwriting pointers in a free chunk, to cause free() unlink to overwrite an arbitrary location with an arbitrary value, is no longer possible with modern glibc (although, other, more complicated attacks are… Continue reading How does glibc prevent malloc unlink exploits?
On a particular platform, I got segfault for multiple shellcodes, until through trial and error I found one that worked.
How can I determine what caused the segfaults?
How can I debug shellcode?
Is there a better process than trial and … Continue reading Debugging shellcode
On Linux, we enforce least privilege through sudo. This gives the best of both worlds: Passwords and accounts are for a person, as they should be, not a role. But we lower risk and exposure by only using privileges when we … Continue reading Best practice on Windows domains: To have a separate admin account or not?
Windows Active Directory is based on Kerberos and LDAP. When authenticating via the Domain Controller, how does my endpoint know that it’s really speaking to the DC?
Likewise, AD can be used to authenticate for services hos… Continue reading Windows Active Directory: How do endpoints authenticate the Domain Controller?
Looking at all examlpes of DNSSEC, you see that the zone includes not only the DNSKEY , but also a RRSIG of the DNSKEY created with that same DNSKEY? Why is this? Why publish a self-signed RRSIG? What security does it add?
UPDATE: In fa… Continue reading Why do DNSKEY have a RRSIG for themselves?