[Live-devel] UAF report

wengsongwei at stu.scu.edu.cn wengsongwei at stu.scu.edu.cn
Wed Jun 15 06:28:38 PDT 2022


It seems that there is a UAF problem in the software.

My test version is live.2022.04.26, and after my test it also works in live.2022.06.14 (the newest version now). All the changes I made over the original version are to make testing easier and won't change the execution process. The changes I made are:
1. Change the server port from 8554 to receive it from argv.
2. Make the created session ID a fixed number (8888). This won't change server behavior because we test only in one session, and the session ID can easily be gotten from the response packet and attached to the following request packet.

The attachments are a common webm file and a poc. The poc's format is length (4 bytes) + data. Note that the last three requests should be sent together at once to trigger the segmentation fault.

The poc contains 5 requests:
1. A SETUP with PLAY to play track1.
2. A SETUP without PLAY to set up track2.
The following should be sent together.
3. A PLAY to play track2, which will throw an exception in "MatroskaFileParser::parse()" because this is the first time reading track2. The parse state now stays in "DELIVERING_FRAME_BYTES", with a pointer fCurFrameTo.
4. A SETUP with PLAY (there is a \r in the packet, so printf can't show the Range field) to reset the pointer.
5. A PLAY to play track2; now both tracks are playing. Remember that in packet 3 we threw an exception, so there will be a "ByteStreamFileSource::fileReadableHandler" handler in the list. The handler will call parse again, and remember we are still in state "DELIVERING_FRAME_BYTES", so the server won't go through "DELIVERING_FRAME_WITHIN_BLOCK" to reset the pointer fCurFrameTo. The pointer fCurFrameTo is the same as in packet 3, but it has been reset by packet 4.

So a UAF occurs, and we get a segmentation fault.

I am not familiar with live555 in fact, so I don't know if this segmentation fault will occur in many situations. The ELF under test is testOnDemandRTSPServer (I see there is a PassiveServerMediaSubsession.cpp, but it seems it won't be called under this ELF).

-------------- next part --------------
A non-text attachment was scrubbed...
Name: cull11
Type: application/octet-stream
Size: 1359 bytes
Desc: not available
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20220615/c5ad22b1/attachment-0001.obj>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: test.webm
Type: video/webm
Size: 336923 bytes
Desc: not available
URL: <http://lists.live555.com/pipermail/live-devel/attachments/20220615/c5ad22b1/attachment-0001.webm>
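The defect pattern the report describes (parse state and a recorded destination pointer surviving an exception, then a later handler run skipping the step that would re-take the pointer) can be shown in a few dozen lines without any RTSP traffic. The following is a constructed illustration added here; it is not live555 code, and the names FrameParser, FrameBuffer, clearStateOnAbort, replaySequence and the generation counter are made up for the example. The hardened variant clears the parse state whenever a parse aborts, which is one mitigation of this class of bug and not the project's actual fix.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <cstring>
#include <stdexcept>
#include <vector>

// Constructed illustration of the pattern in the report; not live555 code.
// A parser that enters DELIVERING_FRAME_BYTES records a destination pointer
// (curFrameTo). If the parse then aborts with an exception, that state has to
// be cleared; otherwise the next run of the readable-handler skips the step
// that would re-take the pointer and writes through one that a reset has
// since invalidated.

enum class ParseState { LOOKING_FOR_BLOCK, DELIVERING_FRAME_BYTES };
enum class Outcome { DELIVERED, STALE_POINTER };

// Stand-in for the sink-side frame buffer. reset() replaces the storage, so a
// pointer taken before the reset no longer refers to live memory.
struct FrameBuffer {
  std::vector<std::uint8_t> storage;
  unsigned generation = 0;  // bumped on every reset; used only as a test oracle
  void reset(std::size_t n) {
    std::vector<std::uint8_t>(n, 0).swap(storage);
    ++generation;
  }
  std::uint8_t* data() { return storage.data(); }
};

class FrameParser {
 public:
  // clearStateOnAbort = false reproduces the defect; true is the hardened form.
  explicit FrameParser(bool clearStateOnAbort) : clearStateOnAbort_(clearStateOnAbort) {}

  // One run of the "file readable" handler. inputAvailable models whether the
  // track's bytes are readable on this call; the first read of a fresh track
  // is not, which is what makes the parse throw.
  Outcome parse(FrameBuffer& dest, const std::vector<std::uint8_t>& frame,
                bool inputAvailable) {
    if (state_ == ParseState::LOOKING_FOR_BLOCK) {
      // Counterpart of DELIVERING_FRAME_WITHIN_BLOCK: (re)take the destination.
      curFrameTo_ = dest.data();
      takenAtGeneration_ = dest.generation;
      state_ = ParseState::DELIVERING_FRAME_BYTES;
    }
    if (!inputAvailable) {
      if (clearStateOnAbort_) clearState();  // hardened: never keep a pointer across an abort
      throw std::runtime_error("need more input");
    }
    if (takenAtGeneration_ != dest.generation) {
      // Real code has no such check: the memcpy below would hit replaced
      // storage (the use-after-free). The oracle only keeps this example
      // well-defined instead of actually writing through a dangling pointer.
      clearState();
      return Outcome::STALE_POINTER;
    }
    std::memcpy(curFrameTo_, frame.data(), frame.size());
    clearState();
    return Outcome::DELIVERED;
  }

 private:
  void clearState() {
    state_ = ParseState::LOOKING_FOR_BLOCK;
    curFrameTo_ = nullptr;
    takenAtGeneration_ = 0;
  }
  ParseState state_ = ParseState::LOOKING_FOR_BLOCK;
  std::uint8_t* curFrameTo_ = nullptr;
  unsigned takenAtGeneration_ = 0;
  bool clearStateOnAbort_;
};

// Replays the ordering from the report: the handler throws on a not-yet-ready
// track (request 3), the destination is reset (request 4), and the handler
// fires again (request 5). Returns how that second run ended.
Outcome replaySequence(bool hardened) {
  FrameBuffer buf;
  buf.reset(64);
  FrameParser parser(hardened);
  const std::vector<std::uint8_t> frame(16, 0xAB);  // constructed frame payload
  try {
    parser.parse(buf, frame, /*inputAvailable=*/false);
  } catch (const std::runtime_error&) {
    // The handler stays registered; the parser keeps whatever state it has.
  }
  buf.reset(64);  // the pointer recorded above now dangles
  return parser.parse(buf, frame, /*inputAvailable=*/true);
}

int main() {
  std::printf("defective parser: %s\n",
              replaySequence(false) == Outcome::STALE_POINTER ? "stale pointer" : "delivered");
  std::printf("hardened parser:  %s\n",
              replaySequence(true) == Outcome::DELIVERED ? "delivered" : "stale pointer");
  return 0;
}
```

The generation counter is only the test oracle; the real lesson is in clearState(): any parser that holds a raw pointer into a buffer it does not own must drop that pointer, and the state that implies it is valid, on every exit path including exceptions, because the owner may replace the buffer before the next handler run.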

