ZLMediaKit VP9 RTP Payload Parser Heap Buffer Overflow Vulnerability

A heap buffer overflow vulnerability has been identified in ZLMediaKit's VP9 RTP payload parser. The issue arises because the parser reads multiple fields from the RTP payload based on flag bits in the first byte, without verifying that enough data is available in the buffer. This flaw allows a crafted VP9 RTP packet with a 1-byte payload (0xFF, all flags set) to be exploited, causing the parser to read beyond the end of the allocated buffer.

Impact

Exploitation of this vulnerability leads to a heap buffer overflow, which can cause the server to crash or allow a remote attacker to manipulate memory in a way that could be exploited to execute arbitrary code.

Reproduction

The vulnerability can be reproduced by sending crafted VP9 RTP packets to a ZLMediaKit instance. This can be done using a Python script that opens an RTP server on the ZLMediaKit instance, crafts a VP9 RTP packet with all flag bits set, and sends the packet to the server. The ZLMediaKit server logs will show error traces after the crafted packets are sent, indicating a crash or memory corruption due to the heap buffer overflow.

Remediation

Users can update to the patched version of ZLMediaKit, which is available on the ZLMediaKit GitHub repository.