"Chicken of the VNC is a VNC client for Mac OS X. A VNC client allows one to display and interact with a remote computer screen. In other words, you can use Chicken of the VNC to interact with a remote computer as though it's right next to you."
Cotv 2.0 is prone to a remotely exploitable denial of service vulnerability because it fails to validate the content of ServerInit packets.
Credit:
The information has been provided by poplix.
A ServerInit packet contains the server's computer name and its size in the following format:
[...]<computer-name-size><computer-name>
Where:
computer-name-size is 4 bytes interpreted as an unsigned int representing the size in bytes of the computer name
computer-name is a variable-size array of bytes representing the computer name
When Cotv receives a ServerInit packet, it first allocates a buffer by passing computer-name-size to malloc() and then it copies computer-name to the newly allocated memory.
The problem is that Cotv doesn't validate the pointer returned by malloc(), so a NULL pointer can be used as the first parameter of memcpy(), causing the program to crash.
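The missing validation, as an added C example that is not Cotv's code and not part of the original advisory: a parser for the <computer-name-size><computer-name> tail of ServerInit that caps the size, checks it against the bytes actually received, and tests malloc()'s result before calling memcpy(). MAX_NAME_LEN, the NAME_* codes and parse_server_name() are hypothetical names chosen for illustration; the big-endian byte order follows the RFB protocol.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 1024u  /* assumed policy cap, not from the advisory */

/* Result codes for parse_server_name() (hypothetical names). */
enum { NAME_OK = 0, NAME_TRUNCATED = -1, NAME_TOO_LONG = -2, NAME_NOMEM = -3 };

/*
 * buf points at <computer-name-size>, i.e. just past the "[...]" part of
 * ServerInit; len is the number of bytes actually received from there on.
 * On success *out is a NUL-terminated copy that the caller must free().
 */
int parse_server_name(const uint8_t *buf, size_t len, char **out)
{
    uint32_t name_len;
    char *name;

    *out = NULL;
    if (len < 4)
        return NAME_TRUNCATED;

    /* RFB sends multi-byte integers big-endian. */
    name_len = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
               ((uint32_t)buf[2] << 8)  |  (uint32_t)buf[3];

    /* Reject server-chosen sizes before they reach the allocator. */
    if (name_len > MAX_NAME_LEN)
        return NAME_TOO_LONG;
    /* Never copy more than was actually received. */
    if (name_len > len - 4)
        return NAME_TRUNCATED;

    name = malloc((size_t)name_len + 1);
    if (name == NULL)   /* the check that is missing in the flaw described above */
        return NAME_NOMEM;

    memcpy(name, buf + 4, name_len);
    name[name_len] = '\0';
    *out = name;
    return NAME_OK;
}
```

Any non-zero return should make the client drop the connection instead of continuing with the handshake.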
A proof-of-concept is attached. Run the PHP script and connect Cotv to it with a blank password (disable VNC auth).
print "this fake vnc server will crash cotv2.0 (http://sourceforge.net/projects/cotvnc/) due to a NULL-pointer dereference
02-02-2007 poplix [@] papuasia.org
listening on $port ...\n";