Last year I submitted an entry to the Underhanded C contest, but unfortunately no winners were ever announced and there seems to have been no activity whatsoever on the contest page. So I've decided to at least make the code I wrote public in case it's interesting to someone. First, these are the rules of the challenge; one must write an innocent-looking program that allows an evil check-in clerk to mis-route somebody's luggage just by entering a malicious comment in the luggage database.
First, here's the evil C source code for my entry in the Fifth Underhanded C Contest. My C program should run fine with most platforms and compilers. I tested it with Linux/gcc.
The program can be tested by doing:
% gcc -W -g -O2 -o lug luggage.c
For most inputs, this code behaves just as expected and does not produce any error or evil behaviour. However, this luggage_input.dat input database contains some malicious comments on some of the bookings.
% cat luggage_input.dat | ./lug - - - -
I attached the output (luggage_output.dat) obtained with the command above. The luggage_input.dat file demonstrates three different mechanisms a clerk can use to mis-route luggage, each with a different level of flexibility and innocence. The three "evil" lines in the input are:
1261959531 UA129080 UA530 WAS YUL Original flight for this passenger who was a bit upset because: "UA210 WAS PUT ON HOLD" he said
This line overrides the original entry for a Washington->Montreal flight and replaces it with a flight going to Puttaparthi, India. It is relatively innocent and with a bit of creativity, the clerk can achieve plausible deniability for the evil comment.
1262029822 UA129086 LH1450 FRA LHR Passenger A says screw it, send me to London. X 1261959531 UA129080 UA220 PUT NRT This is not so subtle but I can put whatever I want here
This line allows the clerk to add any entry to the database with complete flexibility. Obviously, it's hard to deny that the clerk's comment was malicious. This hole can be used recursively to add multiple entries from a single comment.
1262030463 UA129086 LH1280 FRA DUB Direct flight canceled because of fog,routed through Ireland
This line causes the parser to skip the following line, which means that the Dublin->London flight is never parsed. This behaviour is the least flexible, but it offers the most innocent of all evil comments.
Note that the three methods listed above are totally independent and a clerk does not have to make use of all of them to mis-direct luggage (each is sufficient by itself). From the input file, the second line demonstrates that a non-evil comment that goes over the length limit does *not* trigger any mis-routing.