Thursday, December 31, 2009

Underhanded C Contest - 2008 Winners

The Underhanded C Contest is about writing simple, clear and concise code to solve a problem but written in such a way that a malicious behaviour is included. The 2009 competition has just opened and the problem is about maliciously misrouting luggage if a comment field meets certain criteria. Last years problem was about redacting images in a leaky way. The winners from 2008 have been posted and they're a fun read. Go have a look at them.

If you're too lazy to click through, here's a brief summary.

Third place (Linus Akesson): Relied on the input and output buffers being adjacent on the stack so that the outputted redacted images will have a copy of the original buffer appended. The code that achieve this looks like code that supports pixel colour depth of greater than 24 bits but really is just camouflage allowing for the change of a '>' to a '<' to double the output write length.

Second place (Avinash Baliga): Uses a buffer overflow in an error checking/message macro to overwrite the mask used to redact pixels with 0x0a which allows some data reconstruction. This entry got bonus points for using an error handler to be evil but lost points for masking out data to redacted rather than overwriting it.

First place (John Meacham): Handles the ASCII PPM image format and relies on discrepancies between how numbers are represented as ints versus chars. The redacted pixels colour values are replaced with the value 0 to indicate no intensity but since the file is stored as a series of ASCII characters the redacted values can be stored as a string of multiple '0' characters without modifying how the file displays. The ASCII characters were just replaced with '0' on a character by character basis. In this particular example low intensity colour values were encoded as '0' and higher intensity colour values were encoded as '00' or '000'. So RGB "255 32 0" ( 0xFF2000 ) would become "000 00 0" rather than "0 0 0". When these strings are parsed they all evaluate to '0' but in text format they leak enough information to retrieve redacted pixels.

I really recommend looking at the code snippets that go with these entries, they're fascinating.
Maybe I'll have a shot at maliciously routing baggage.

P.S Happy New Year.

No comments:

Post a Comment