Actively Exploited in the Wild
This vulnerability is being actively exploited in the wild.
Cowrie SSRF Vulnerability in wget and curl Emulation Allows DDoS Amplification
Vulnerability
A server-side request forgery (SSRF) vulnerability has been identified in Cowrie versions prior to 2.9.0. This vulnerability resides in the emulated shell implementation of wget and curl, where these commands perform real outbound HTTP requests to destinations specified by attackers. The lack of rate limiting on these outbound requests enabled unauthenticated remote attackers to generate unlimited HTTP traffic toward third-party targets, effectively using the Cowrie honeypot as a denial-of-service amplification tool while masking their true IP address behind that of the honeypot.
Impact
Exploitation of this vulnerability allows for unauthorized DDoS amplification attacks against external targets, with the added benefit of obscuring the attacker's identity.
Reproduction
To reproduce this vulnerability, deploy a Cowrie honeypot instance running a version prior to 2.9.0. Ensure that it is configured to use the emulated shell feature, which is the default setting. Once the honeypot is active, an attacker can connect via SSH and issue repeated wget or curl commands targeting external websites. The absence of rate limiting will result in a surge of outbound traffic directed toward the specified sites, all appearing to come from the honeypot's IP address.
Remediation
Upgrade to Cowrie version 2.9.0 or later, which includes a rate limiting feature for outbound requests in the wget and curl emulations. This update prevents the misuse of the honeypot for DDoS amplification attacks.
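For operators who ran an affected version, the following added example (not Cowrie's own code) scans honeypot logs for sessions that repeatedly pointed the emulated wget or curl at one external host. It assumes Cowrie's JSON log output with `cowrie.command.input` events carrying `src_ip`, `timestamp` and `input` fields; the threshold and window are arbitrary illustrative values, and the sample log is constructed.

```python
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

TOKEN_RE = re.compile(r"[|;&]+|[^\s|;&]+")  # shell separators or words
URL_RE = re.compile(r"(?:https?|ftp)://(?:[^/@\s]*@)?(\[[^\]]+\]|[^/:?#\s\"']+)", re.I)

# Constructed sample (not real data): 30 fetches of one host within 30 seconds.
SAMPLE_LOG = "\n".join(json.dumps({
    "eventid": "cowrie.command.input", "src_ip": "198.51.100.7",
    "timestamp": f"2024-01-01T00:00:{s:02d}.000000Z",
    "input": f"wget -q http://target.example/?{s}"}) for s in range(30))

def fetch_hosts(command_line):
    """Hosts that wget/curl in one shell line would contact (scheme-qualified URLs only)."""
    hosts, in_fetch = [], False
    for tok in TOKEN_RE.findall(command_line):
        if tok[0] in "|;&":          # a new command starts after a separator
            in_fetch = False
        elif in_fetch and (m := URL_RE.search(tok)):
            hosts.append(m.group(1).lower())
        elif "://" not in tok and tok.rsplit("/", 1)[-1] in ("wget", "curl"):
            in_fetch = True
    return hosts

def flag_abuse(log_text, threshold=20, window=timedelta(seconds=60)):
    """Return {(src_ip, host): peak} where fetches within `window` exceed `threshold`."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        try:
            ev = json.loads(line)
            if ev["eventid"] != "cowrie.command.input":
                continue
            ts = datetime.fromisoformat(ev["timestamp"].replace("Z", "+00:00"))
            for host in fetch_hosts(ev["input"]):
                seen[(ev["src_ip"], host)].append(ts)
        except (ValueError, KeyError, TypeError, AttributeError):
            continue  # not a well-formed command event
    flagged = {}
    for key, stamps in seen.items():
        stamps.sort()
        start = peak = 0
        for end, ts in enumerate(stamps):   # sliding window over sorted timestamps
            while ts - stamps[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak > threshold:
            flagged[key] = peak
    return flagged
```

Calling `flag_abuse(SAMPLE_LOG)` returns the source address and destination host of the burst together with its peak request count; on a real deployment, feed it the contents of the honeypot's JSON log file instead.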
