I wish to inform you that the latest version of cotv is prone to a remotely
exploitable denial of service vulnerability because it fails to validate the
content of ServerInit packets.
A ServerInit packet contains the server's computer name and its size in the
computer-name-size is 4 bytes interpreted as an unsigned int representing the size
in bytes of the computer name
computer-name is a variable-size array of bytes representing the computer name
When cotv receives a ServerInit packet, it first allocates a buffer by
passing computer-name-size to malloc() and then it copies computer-name to the
newly allocated memory. The problem is that cotv doesn't validate the pointer
returned by malloc() so it's possible that a NULL-pointer will be used as the
first parameter of memcpy() causing the program to crash.
(That's what gdb suggested to me, so I may be wrong as I don't have the cotv sources.)
Hope it helps,
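
An added example, not cotv's code and not part of the original report: one way to parse the size-prefixed computer-name field described above so that an oversized or truncated size, or a failed malloc(), is rejected before memcpy() runs. The function name, status codes, the 1024-byte cap and the big-endian byte order are assumptions, and the sample packets are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_NAME_LEN 1024u /* assumed upper bound, not taken from cotv */

enum name_status { NAME_OK = 0, NAME_TRUNCATED, NAME_TOO_LONG, NAME_NO_MEMORY };

/* Parse [4-byte computer-name-size][computer-name] from buf (len bytes received).
 * On NAME_OK, *out is a NUL-terminated heap copy that the caller must free(). */
enum name_status parse_server_name(const uint8_t *buf, size_t len, char **out)
{
    *out = NULL;
    if (len < 4)
        return NAME_TRUNCATED;
    /* Assumption: the size is sent big-endian. */
    uint32_t n = ((uint32_t)buf[0] << 24) | ((uint32_t)buf[1] << 16) |
                 ((uint32_t)buf[2] << 8) | (uint32_t)buf[3];
    if (n > MAX_NAME_LEN)      /* refuse absurd sizes before allocating */
        return NAME_TOO_LONG;
    if ((size_t)n > len - 4)   /* claimed size exceeds the bytes present */
        return NAME_TRUNCATED;
    char *name = malloc((size_t)n + 1);
    if (name == NULL)          /* the check the report says is missing */
        return NAME_NO_MEMORY;
    memcpy(name, buf + 4, n);
    name[n] = '\0';
    *out = name;
    return NAME_OK;
}

/* Constructed sample inputs (not captured traffic). */
static const uint8_t SAMPLE_OK[]    = {0, 0, 0, 4, 'h', 'o', 's', 't'};
static const uint8_t SAMPLE_HUGE[]  = {0xff, 0xff, 0xff, 0xff, 'x'};
static const uint8_t SAMPLE_SHORT[] = {0, 0, 0, 9, 'a', 'b'};

int main(void)
{
    char *name;
    int rc = parse_server_name(SAMPLE_OK, sizeof SAMPLE_OK, &name);
    printf("valid: status %d name \"%s\"\n", rc, rc == NAME_OK ? name : "");
    free(name);
    printf("huge size: status %d\n",
           parse_server_name(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &name));
    printf("short body: status %d\n",
           parse_server_name(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &name));
    return 0;
}
```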