  1. Minecraft: Java Edition
  2. MC-221987

Null-bytes in MOTD allow injecting values into query responses


    • Type: Bug
    • Resolution: Unresolved
    • None
    • 1.16.5, 1.19.3, 23w03a
    • None
    • OS: Manjaro Linux
      Java: OpenJDK Runtime Environment (build 15.0.2+7)
    • Community Consensus
    • Networking
    • Low
    • Platform

      Strings in the Minecraft Query Protocol are null-terminated. By adding null bytes (\u0000) to a server's MOTD in the server.properties file, other values in the query response can be overwritten. This problem only exists for query responses; server list pings are not affected.

      Example:

      test\u0000numplayers\u00001\u0000\u0000\u0001player_\u0000\u0000Test\u0000\u0000
      

      When using this MOTD, all full-stat query responses will show that the player 'Test' is online. It overwrites numplayers with 1 and also overwrites player_ (the player list).

      Depending on the query client implementation, parsing the response packet might also fail entirely because unused bytes remain after the end of the packet. While this behavior mostly prevents injections like this, the client still can't parse the packet correctly, so it is not a real solution for the issue.

      The expected behavior would be that the Minecraft server filters (or somehow escapes) null bytes in null-terminated string values.

       

      Edit: To test this with Dinnerbone's mcstatus Python package (https://github.com/Dinnerbone/mcstatus), more values than the ones in my original example need to be replaced, since some missing values can cause errors. To fully reproduce this issue using mcstatus, use the following MOTD:

      \u0000gametype\u0000SMP\u0000game_id\u0000MINECRAFT\u0000version\u00001.16.5\u0000plugins\u0000\u0000map\u0000w\u0000numplayers\u00001\u0000maxplayers\u000020\u0000hostport\u000025565\u0000hostip\u0000127.0.0.1\u0000\u0000\u0001player_\u0000\u0000test\u0000\u0000
      

      You can then use the mcstatus CLI to see the 'fake' player:

      mcstatus <yourServerAddress> query
      
      host: 127.0.0.1:25565
      software: v1.16.5 vanilla
      plugins: []
      motd: ""
      players: 1/20 ['test']
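
Added example, not part of the original report and not Minecraft's or mcstatus's code: a simplified Python model of the full-stat body that shows how the first MOTD above shifts a lenient parser into MOTD-supplied fields, how a strict client fails on the trailing bytes, and how stripping null bytes before serialization keeps the real values. Assumptions: the packet header and the padding before the key/value section are omitted, and the function names and the `sanitize`/`strict` switches are hypothetical.

```python
# Simplified model of a full-stat query body; all data below is constructed.
PLAYER_MARKER = b"\x01player_\x00\x00"  # separator that also appears in the report's MOTD

# First MOTD from the report, with \u0000 written as \x00.
MOTD = "test\x00numplayers\x001\x00\x00\x01player_\x00\x00Test\x00\x00"
REAL = {"hostname": MOTD, "gametype": "SMP", "numplayers": "0", "maxplayers": "20"}

def build_body(kv, players, sanitize=False):
    """Serialize key/value pairs and the player list as null-terminated strings."""
    def enc(s):
        if sanitize:
            s = s.replace("\x00", "")       # the filtering the report asks for
        return s.encode("utf-8") + b"\x00"
    out = b"".join(enc(k) + enc(v) for k, v in kv.items())
    out += b"\x00" + PLAYER_MARKER          # empty key ends the key/value section
    out += b"".join(enc(p) for p in players)
    return out + b"\x00"                    # empty string ends the player list

def read_cstr(buf, pos):
    """Read one null-terminated string; return it and the next offset."""
    end = buf.index(b"\x00", pos)
    return buf[pos:end].decode("utf-8"), end + 1

def parse_body(buf, strict=False):
    """Parse the body; strict=True rejects bytes left over after the player list."""
    kv, pos = {}, 0
    while True:
        key, pos = read_cstr(buf, pos)
        if not key:
            break
        kv[key], pos = read_cstr(buf, pos)
    if not buf.startswith(PLAYER_MARKER, pos):
        raise ValueError("player marker missing")
    pos += len(PLAYER_MARKER)
    players = []
    while True:
        name, pos = read_cstr(buf, pos)
        if not name:
            break
        players.append(name)
    if strict and pos != len(buf):
        raise ValueError(f"{len(buf) - pos} trailing bytes after player list")
    return kv, players

if __name__ == "__main__":
    print(parse_body(build_body(REAL, [])))                        # injected view
    print(parse_body(build_body(REAL, [], sanitize=True), True))   # real values kept
```

A strict parse of the unsanitized body raises `ValueError`, which matches the report's note that some clients fail outright instead of showing the injected values.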
      

            Unassigned Unassigned
            KurtThiemann Kurt Thiemann
            Votes: 4
            Watchers: 4
