libucl Null Byte Vulnerability Leading to Denial-of-Service
Vulnerability
A denial-of-service vulnerability has been identified in libucl. A remote attacker can exploit this issue by sending specially crafted Universal Configuration Language (UCL) input that includes a key with an embedded null byte. This malformed input causes a segmentation fault in the 'ucl_object_emit' function, leading to a crash and denial-of-service on the affected system. The vulnerability arises when the 'UCL_PARSER_ZEROCOPY' mode is used, as the null byte disrupts the assumption that strings are properly null-terminated.
Impact
Exploitation of this vulnerability causes a segmentation fault, crashing the application. Additionally, it can lead to an out-of-bounds read, potentially allowing an attacker to access sensitive information from memory, such as cryptographic keys or personal data.
Reproduction
The vulnerability can be reproduced by creating a UCL file that includes a key with an embedded null byte. This file can be parsed using the libucl library in 'UCL_PARSER_ZEROCOPY' mode. The 'ucl_object_emit' function will then attempt to process the malformed input, resulting in a segmentation fault.
Remediation
Applications using libucl should reject untrusted input that contains embedded null bytes before it is parsed, particularly when the parser runs in 'UCL_PARSER_ZEROCOPY' mode. It is advisable to restrict input to trusted sources.
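As an added defensive example (not libucl's own code), the following pre-parse guard scans an input chunk for embedded NUL bytes before the chunk would be handed to a parser created with UCL_PARSER_ZEROCOPY; the function names and the sample UCL input are constructed for this illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Scan a raw input chunk for an embedded NUL byte. Returns the offset of the
 * first NUL, or -1 if none. memchr over the full length is used rather than
 * strlen(), because strlen() would stop at exactly the byte being looked for. */
long find_embedded_nul(const unsigned char *buf, size_t len)
{
    const unsigned char *p = memchr(buf, '\0', len);
    return p ? (long)(p - buf) : -1;
}

/* Gate to apply before ucl_parser_add_chunk() on a zero-copy parser: only
 * chunks without embedded NUL bytes are accepted. Returns 1 when the chunk may
 * be parsed, 0 when it must be rejected. (Hypothetical helper name.) */
int chunk_safe_for_zerocopy(const unsigned char *buf, size_t len)
{
    return find_embedded_nul(buf, len) < 0;
}

int main(void)
{
    /* Constructed samples: a UCL key with a NUL byte in the middle, and a clean
     * one. sizeof - 1 gives the byte length including the embedded NUL but
     * excluding the literal's terminator. */
    static const unsigned char bad[]  = "key\0name = \"value\";\n";
    static const unsigned char good[] = "keyname = \"value\";\n";

    printf("bad:  nul at offset %ld -> %s\n",
           find_embedded_nul(bad, sizeof bad - 1),
           chunk_safe_for_zerocopy(bad, sizeof bad - 1) ? "parse" : "reject");
    printf("good: nul at offset %ld -> %s\n",
           find_embedded_nul(good, sizeof good - 1),
           chunk_safe_for_zerocopy(good, sizeof good - 1) ? "parse" : "reject");
    return 0;
}
```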