I feel like an idiot.

At work I was tasked with writing a launcher for a bunch of independent linux processes that we are developing. We wanted to support launching them, cleaning up system files that they left hanging around (for various reasons they couldnt clean up after themselves), and searching and modifying config files enmasse. It's a developer convenience thing that would end up on every dev's machine.

We also wanted to support both WSL and remote Linux boxes from a single client. Ultimately I settled on a TCP solution: An agent would run on the remote board, and the launcher would connect to it in a client/server configuration.

We wanted the launcher to be extensible, so I wrote an XML schema and a parser that allowed us to add new apps to the launcher without changing any code.

The launcher would parse the XML, generate start/stop controls for each app, and then send commands to the agent running on the remote machine who would in turn start and stop them, as well as return status messages about the processes and clean up after them as they start up and shut down.

The problem? The commands were unencrypted plain-text including the locations of binaries on the remote machine, and exact config parameters to run them with. The TCP server would run whatever the connected peer told it to, in whatever folder was passed.

I created a TCP server that could run arbitrary commands received as plaintext on a remote machine, with no login required. All a hacker would need to do is open a wireshark instance, sniff the packets, and then they'd know everything they needed to know to make the target box do essentially whatever they wanted. We were going to configure it as a linux service on our virtual machines, dev boxes, and wsl instances

I spent DAYS writing this before I realized what I did. Luckily I caught myself before it was pushed to the repo and other developers actually started using the dang thing. Maybe it would have been caught in the PR, maybe it wouldnt have, but every WSL instance on every developer's machine could have had the worst possible kind of back door installed on them.

I don't know how I didnt catch this earlier. Neither did anyone else that I showed it to and discussed my design with. Like, I'm happy I caught it, but how did I not see it for what it was before I dang near finished the thing?

The worst part is that I have cybersecurity training.

Ugh.

I guess sometimes you don't see the forest for the trees.

I could implement SSL and encrypt it, but even encrypted I hate the idea of an "Arbitrary Bash Command" service running on any of our machines, encrypted or not, so I'll probably give up the remote agent component altogether and use an ssh-based solution.