BehaviorTree XML Parser Null Pointer Dereference Vulnerability

Vulnerability

A null pointer dereference vulnerability has been identified in BehaviorTree versions prior to 4.7.0. The issue is in the XML parser component, specifically in the 'XMLParser::PImpl::loadDocImpl' function in 'xml_parsing.cpp'. When the parser encounters an 'include' tag without a path attribute, the attribute lookup yields a null pointer, which the parser then treats as a filesystem path string; this is undefined behavior and results in a segmentation fault. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.
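The pattern described above, as an added example that is not BehaviorTree's own code: an attribute lookup (for instance tinyxml2's XMLElement::Attribute("path")) returns a null pointer when the attribute is absent, and handing that pointer to a std::filesystem::path constructor is the defect. The unsafe shape is shown next to a hardened version that checks for a missing or empty attribute and reports a parse error instead. The function names and the rule that a relative include path is resolved against the including file's directory are assumptions made for this example.

```cpp
// Added example (not BehaviorTree's code): defensive handling of the
// <include> path attribute before it is turned into a filesystem path.
#include <filesystem>
#include <optional>
#include <stdexcept>
#include <string_view>

namespace fs = std::filesystem;

// Mirrors the vulnerable shape: path_attr comes from an attribute lookup
// that yields nullptr when the attribute is absent. Constructing
// std::filesystem::path from a null const char* walks the pointer as a
// C string, which is undefined behaviour and in practice segfaults.
// This function is never called below; it only documents the pattern.
fs::path unsafeIncludePath(const char* path_attr, const fs::path& base_dir)
{
    return base_dir / fs::path(path_attr);   // UB when path_attr == nullptr
}

// Hardened version: reject a missing or empty attribute explicitly.
// Relative paths are resolved against the directory of the including
// file (an assumption for this example, not a statement about the library).
std::optional<fs::path> safeIncludePath(const char* path_attr,
                                        const fs::path& base_dir)
{
    if (path_attr == nullptr || std::string_view(path_attr).empty())
    {
        return std::nullopt;   // caller decides how to report it
    }
    fs::path p(path_attr);
    if (p.is_absolute())
    {
        return p;
    }
    return (base_dir / p).lexically_normal();
}

// Turns the missing attribute into a descriptive parse error, which is
// what a parser should surface to its caller instead of crashing.
fs::path requireIncludePath(const char* path_attr, const fs::path& base_dir)
{
    auto resolved = safeIncludePath(path_attr, base_dir);
    if (!resolved)
    {
        throw std::runtime_error(
            "<include> tag is missing the required 'path' attribute");
    }
    return *resolved;
}

// Helper used to check that a null attribute is rejected with an
// exception rather than a segmentation fault.
bool missingPathIsRejected()
{
    try
    {
        requireIncludePath(nullptr, fs::path("/trees"));
    }
    catch (const std::runtime_error&)
    {
        return true;
    }
    return false;
}

int main()
{
    // Constructed inputs: the second simulates the attribute being absent.
    const fs::path base("/trees");
    fs::path ok = requireIncludePath("subtrees/nav.xml", base);
    bool rejected = missingPathIsRejected();
    return (ok == fs::path("/trees/subtrees/nav.xml") && rejected) ? 0 : 1;
}
```

The check belongs at the point where the attribute is read, before any filesystem call sees the value; a sanitizer build (ASan/UBSan, as the advisory's reproduction uses) will flag the unsafe form immediately on a tree with an attribute-less include tag.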

Impact

Exploitation of this vulnerability causes a segmentation fault that crashes the process loading the behavior tree, resulting in a denial of service.

Reproduction

The vulnerability can be reproduced by using a fuzzer to feed the parser crafted XML input that contains an 'include' tag missing the required path attribute. The project's 'bt_fuzzer' tool, built with the address and undefined behavior sanitizers enabled, automates this process: after building the project with the flags that enable fuzzing, the fuzzer can be run on a proof-of-concept file that triggers the null pointer dereference.

Remediation

Update to BehaviorTree version 4.7.0 or later, where this vulnerability has been fixed.

Added: Sep 26, 2025, 1:24 PM
Updated: Sep 26, 2025, 2:44 PM

Vulnerability Rating

Custom Algorithm
spread: 0.0
impact: 2.5
exploitability: 6.0
remediation: 0.0
relevance: 0.6
threat: 6.4
urgency: 2.9
incentive: 1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.