sbp / saxo

Quick and flexible irc bot, extensible in any language
http://inamidst.com/saxo/
Apache License 2.0
52 stars, 22 forks

Remote code execution - not sandboxed #77

Closed brainkeeper-zz closed 9 years ago

brainkeeper-zz commented 9 years ago

The .py function in Saxo bot gives an attacker the chance to run arbitrary OS commands on the bot's machine, like subprocess.check_output. With the proper commands, a Linux shell is obtained.

sbp commented 9 years ago

The .py command runs on Google App Engine. It is fully sandboxed.

See the source for details: https://github.com/sbp/saxo/blob/master/commands/py

appspot is a Google App Engine domain.

brainkeeper-zz commented 9 years ago

Ok. Even if it is sandboxed, an attacker can still do things. Some scenarios: with access to the sandboxed domain, an attacker can run things like malicious bots searching for bugs, host bouncers for IRC, set up a proxy for malicious purposes, do brute-force attacks, join the box to a botnet, etc. They can download whatever they want to the machine, like child pornography or pirated software, download big files in an infinite loop to go over the bandwidth limit or even, if that is the case, to create more expenses for the owner, and run a loop consuming CPU, maybe creating more expenses too.

In these scenarios, the registered owner of the Google service will have to respond to the authorities.

Isn't this a bad idea?
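The second comment's concern is resource abuse of the remote sandbox itself (CPU loops, bandwidth exhaustion) rather than escape from it. As an added example that is not part of this thread and not Saxo's own code, the guard below shows one mitigation a bot operator can place in front of a command that forwards user code to a remote sandbox: a per-nick sliding-window rate limit, a cap on snippet size, a hard timeout on the remote call, and a cap on the output echoed back to the channel. Every name here (RemoteEvalGuard, make_http_runner, the `code` form field) is hypothetical; the remote endpoint is injected as a callable so the class runs offline with a fake runner.

```python
"""Per-user rate limiting and size/time capping for a remote-eval bot command.

Added example, not Saxo's own code.  A bot command that sends user-supplied
code to a remote sandbox still spends the service owner's quota on every
call, so the guard bounds how often each nick may call it, how large a
snippet may be, how long the remote call may take, and how much output
comes back.  All names are hypothetical.
"""
import time
from collections import deque


class RateLimited(Exception):
    """Raised when a nick has exhausted its calls for the current window."""


class SnippetTooLarge(Exception):
    """Raised when the submitted code exceeds the configured size cap."""


class RemoteEvalGuard:
    def __init__(self, runner, max_calls=5, window_seconds=60.0,
                 max_code_len=512, max_output_len=300, clock=time.monotonic):
        self.runner = runner                # callable(code: str) -> str (the remote sandbox call)
        self.max_calls = max_calls          # calls allowed per nick per window
        self.window = window_seconds        # sliding window length in seconds
        self.max_code_len = max_code_len    # largest snippet accepted
        self.max_output_len = max_output_len  # longest reply echoed to the channel
        self.clock = clock                  # injectable for deterministic tests
        self._history = {}                  # nick -> deque of call timestamps

    def _allow(self, nick):
        """Sliding-window check: drop expired timestamps, then compare the count."""
        now = self.clock()
        calls = self._history.setdefault(nick, deque())
        while calls and now - calls[0] >= self.window:
            calls.popleft()
        if len(calls) >= self.max_calls:
            return False
        calls.append(now)
        return True

    def evaluate(self, nick, code):
        """Run `code` for `nick` through the remote runner, enforcing all caps."""
        if len(code) > self.max_code_len:
            # Checked before the rate limit so an oversized snippet costs no quota.
            raise SnippetTooLarge(f"snippet is {len(code)} chars, limit {self.max_code_len}")
        if not self._allow(nick):
            raise RateLimited(f"{nick} exceeded {self.max_calls} calls per {self.window:g}s")
        output = self.runner(code)
        if len(output) > self.max_output_len:
            output = output[: self.max_output_len] + " [truncated]"
        return output

    def handle(self, nick, code):
        """Convenience wrapper returning the text an IRC bot would reply with."""
        try:
            return self.evaluate(nick, code)
        except RateLimited:
            return f"rate limited: try again in {self.window:g}s"
        except SnippetTooLarge as exc:
            return f"refused: {exc}"


def make_http_runner(url, timeout=5.0):
    """Build a runner that POSTs code to a hypothetical remote sandbox URL.

    The timeout bounds how long one command can hold the bot's thread, and
    the read cap bounds how much the sandbox can send back.  Not exercised
    offline; the field name `code` and the endpoint are assumptions.
    """
    import urllib.parse
    import urllib.request

    def run(code):
        body = urllib.parse.urlencode({"code": code}).encode()
        with urllib.request.urlopen(url, data=body, timeout=timeout) as resp:
            return resp.read(4096).decode("utf-8", "replace")

    return run


if __name__ == "__main__":
    # Offline demo with a constructed fake sandbox that just echoes the input.
    guard = RemoteEvalGuard(lambda code: "out:" + code, max_calls=2, window_seconds=10.0)
    for snippet in ("1+1", "2+2", "3+3"):
        print(guard.handle("alice", snippet))
```

In a real bot the guard would wrap the existing command handler, with `make_http_runner(...)` (or the project's own transport) supplied as `runner`; the fake echo runner in the demo exists only so the caps can be seen working without network access.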