BehaviorTree Null Pointer Dereference Vulnerability in JsonExporter Function

Vulnerability

A null pointer dereference vulnerability has been identified in BehaviorTree versions through 4.7.0. The issue is in the JsonExporter::fromJson function in src/json_export.cpp, which does not validate that the '__type' field is present before accessing the JSON object it was given. Because of this missing check, a manipulated 'source' argument causes the function to dereference a null pointer. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.
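The defect class and the check the advisory describes as missing, as an added example that is not the project's code: a minimal JSON value stand-in (constructed here, not the project's JSON library) with an unchecked read of '__type' beside a version that validates the argument's shape before touching it.

```cpp
#include <cstdio>
#include <map>
#include <optional>
#include <string>

// Minimal stand-in for a JSON value type, constructed for this example (it is
// not the project's real JSON library). As in common JSON libraries, the object
// storage is a pointer that is only set when the value really is an object.
struct JsonValue {
  using Object = std::map<std::string, JsonValue>;
  const Object* object = nullptr;   // null unless this value is a JSON object
  std::optional<std::string> str;   // set only when this value is a string
  bool is_object() const { return object != nullptr; }
  bool is_string() const { return str.has_value(); }
  bool contains(const std::string& key) const {
    return is_object() && object->count(key) != 0;
  }
  // Unchecked lookup: dereferences 'object' blindly, like the defect class.
  const JsonValue& operator[](const std::string& key) const {
    return object->at(key);         // null pointer dereference if !is_object()
  }
};

// Vulnerable pattern: reads '__type' from 'source' without checking that
// 'source' is an object holding that key. A JSON null input crashes here.
std::string typeNameUnchecked(const JsonValue& source) {
  return source["__type"].str.value_or("");
}
// Hardened pattern: validate the shape first and report an error instead of
// crashing. std::nullopt stands in for the error fromJson should return.
std::optional<std::string> typeNameChecked(const JsonValue& source) {
  if (!source.is_object() || !source.contains("__type")) {
    return std::nullopt;            // missing field '__type'
  }
  const JsonValue& type = source["__type"];
  if (!type.is_string()) {
    return std::nullopt;            // '__type' must be a string
  }
  return *type.str;
}

int main() {
  JsonValue::Object fields{{"__type", JsonValue{nullptr, std::string("Pose2D")}}};
  JsonValue good{&fields, std::nullopt};
  JsonValue null_input;               // JSON null: no object, no string
  std::printf("good: %s\n", typeNameChecked(good).value_or("<error>").c_str());
  std::printf("null: %s\n", typeNameChecked(null_input).value_or("<error>").c_str());
  return 0;                           // typeNameUnchecked(null_input) would crash
}
```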

Impact

Exploitation of this vulnerability causes a segmentation fault due to a null pointer dereference, disrupting the application's execution and leading to a crash.

Reproduction

The crash can be reproduced by building the application with AddressSanitizer and UndefinedBehaviorSanitizer enabled and then running the fuzzer against it. The fuzzer supplies crafted JSON input that lacks the '__type' field; when that input reaches JsonExporter::fromJson, the missing validation is hit and the sanitizers report the null pointer dereference. Any input path that delivers such JSON to the function triggers the bug; fuzzing simply automates finding it.

Remediation

Users are advised to update to BehaviorTree version 4.7.1 or later, where this vulnerability has been fixed.

Added: Sep 26, 2025, 12:27 PM
Updated: Sep 26, 2025, 2:46 PM

Vulnerability Rating

Custom Algorithm

spread:          0.0
impact:          2.5
exploitability:  4.6
remediation:     7.7
relevance:       0.6
threat:          6.4
urgency:         2.9
incentive:       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.