hi, i wish to inform you that cotv 2.0 (a vnc client for maxosx) available at http://sourceforge.net/projects/cotvnc/ is prone to a remotely exploitable denial of service vulnerability because it fails to validate the content of ServerInit packets. A ServerInit packet contains the server's computer name and its size in the following format: [...] where: computer-name-size is 4bytes interpreted as unsigned int rapresentig the size in bytes of the computer name and computer-name is a variable size array of bytes rapresentig the computer name when cotv recives a ServerInit packet, it first allocates a buffer by passing computer-name-size to malloc() and then it copies computer-name to the newly allocated memory. The problem is that cotv doesn't validate the pointer returned by malloc() so it's possible that a NULL-pointer will be used as the first parameter of memcpy() causing the program to crash. a proof-of-concept is attached, run that php script and connect cotv to it with a blank password (disable vnc auth) hope it helps, cheers -poplix # BOF # EOF