Live555 Streaming Media Use-After-Free Vulnerability in ADTSAudioFileSource Allowing Denial-of-Service

A use-after-free vulnerability has been identified in Live555 Streaming Media version 2018.09.02, specifically within the ADTSAudioFileSource::samplingFrequency() function. This vulnerability allows attackers to cause a denial-of-service (DoS) condition by supplying a crafted ADTS/AAC file. The issue arises when the Matroska demuxer is used during the RTSP SETUP process, leading to a heap-use-after-free condition that crashes the RTSP server.

Impact

Exploitation of this vulnerability causes a crash of the RTSP server during the SETUP process for Matroska streams, as evidenced by an AddressSanitizer heap-use-after-free error. This use-after-free condition could potentially be exploited for memory corruption beyond just crashing the server, depending on the state of the memory allocator and surrounding heap conditions.

Reproduction

To reproduce this vulnerability, first clone the Live555 repository and check out version 2018.09.02. Build the library with AddressSanitizer enabled, and then use the 'testOnDemandRTSPServer' demo program. Place a crafted Matroska file named 'test.mkv' in the appropriate directory for the RTSP stream. Start the RTSP server and issue a DESCRIBE command followed by a SETUP command for the Matroska stream. The server will crash during the SETUP process, demonstrating the use-after-free vulnerability.