I love the Underhanded C Contest; I enjoy it a lot more than the Obfuscated C Contest. It is also great educational material; whenever someone advocates human code inspection as a security measure I only need to point them to the UCC website to display the weaknesses of that approach. (I'm not talking about peer review of course; that serves a different purpose.)
Writing it in C makes it too easy. You can just store the comment in a struct before the airline so that a long comment overwrites the airline number and luggage gets missed. Store the airline number as text and add a validation routine in case numbers are input badly, and any long comment with a number at the end will reroute your luggage to the new airline.
I'm sure the winning entry will be cleverer than that. But all of the entries would have to be better if they insisted on a garbage collected language with safe string handling.
You know, like Java, PHP, Visual Basic, C#, Python, JavaScript, Perl, Ruby, etc. (I got that list by reading off the top 10 on the TIOBE index then removing C and C++ because by default they are not garbage collected and offer unsafe string handling.)
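An added example, not part of the comment above or of any contest entry, showing what a reviewer should look for in the struct layout it describes: a fixed-size free-text field directly in front of a routing field, next to a length-checked setter that rejects the input. The struct, field sizes, function names and sample comment are all constructed assumptions, and `atoi` stands in for the lenient "validation routine".

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed layout: free-text field sits directly before the routing field. */
struct bag_record {
    char comment[16];           /* first member, so it starts at offset 0 */
    char airline[4];            /* airline number kept as text, e.g. "042" */
};

/* Models an unchecked strcpy() into comment[]; clamped to the record so the demo stays in one object. */
static void set_comment_unchecked(struct bag_record *rec, const char *text)
{
    size_t n = strlen(text) + 1;
    if (n > sizeof *rec) n = sizeof *rec;
    memcpy((char *)rec, text, n);            /* bytes past comment[] land in airline[] */
    ((char *)rec)[sizeof *rec - 1] = '\0';   /* keep airline readable as a string */
}

/* Hardened form: refuse input that does not fit and leave the record untouched. */
static int set_comment_checked(struct bag_record *rec, const char *text)
{
    size_t n = strlen(text);
    if (n >= sizeof rec->comment) return -1;
    memcpy(rec->comment, text, n + 1);
    return 0;
}

/* Both helpers start from airline "042" and return the airline the router would read. */
int airline_after_unchecked(const char *text)
{
    struct bag_record rec = { "", "042" };
    set_comment_unchecked(&rec, text);
    return atoi(rec.airline);   /* lenient parse of the text field */
}

int airline_after_checked(const char *text, int *rejected)
{
    struct bag_record rec = { "", "042" };
    *rejected = (set_comment_checked(&rec, text) != 0);
    return atoi(rec.airline);
}

int main(void)
{
    int rej, safe = airline_after_checked("fragile, handle 077", &rej);
    printf("unchecked: %d\n", airline_after_unchecked("fragile, handle 077"));
    printf("checked:   %d (rejected=%d)\n", safe, rej);
}
```

In review, the signal is the pairing of an unbounded copy with a neighbouring field that is later parsed leniently; either a bounded setter or a strict parse of the airline field breaks the chain.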
I just submitted an entry. And it doesn't do any stupid stuff like that. No overruns, no pointer tricks, no funny syntax. All the string handling is even done correctly. My exploit abuses a simple, safe API call that sometimes behaves in a way people don't expect if they're not looking for it.
This is good. I was thinking about how to make this program. Just write the correct program and then look for the innocent-looking spots and insert the malicious code there.