CVE-2019-5166
Description
An exploitable stack buffer overflow vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 version 03.02.02(14). A specially crafted XML cache file written to a specific location on the device can cause a stack buffer overflow, resulting in code execution. An attacker can send a specially crafted packet to trigger the parsing of this cache file.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC 200 iocheckd service allows code execution via crafted XML cache file.
Vulnerability
A stack buffer overflow vulnerability exists in the iocheckd service's I/O-Check functionality of WAGO PFC 200 running firmware version 03.02.02(14). The service parses an XML cache file located at /tmp/iocheckCache.xml, which is globally writable. During parsing, the DNS parameter is copied onto the stack without proper bounds checking, leading to a buffer overflow. [1]
Exploitation
An attacker must first place a specially crafted XML file at /tmp/iocheckCache.xml. All users have write access to /tmp, so this can be achieved through any means that allows file creation on the device (e.g., another vulnerability or physical access). The vulnerability is then triggered by sending a BC_SaveParameter message to the device, which causes the iocheckd service to parse the malicious cache file. No authentication is required for the triggering message. [1]
Impact
Successful exploitation results in arbitrary code execution in the context of the iocheckd service, which runs with elevated privileges. This can lead to full compromise of the device, including disclosure, modification, or destruction of sensitive data, and potential use as a pivot point within the network. The CVSSv3 score is 8.8 (High). [1]
Mitigation
No official patch or firmware update has been released as of the publication date (2020-03-10). The available references do not provide any workaround or mitigation details. Users should monitor vendor advisories for future updates and consider restricting write access to /tmp or disabling the iocheckd service if operationally feasible. [1]
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Range: version 03.02.02(14)
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"Missing length validation on the DNS value extracted from an XML cache file allows a stack buffer overflow via sprintf()."
Attack vector
An attacker must first write a specially crafted XML cache file to `/tmp/iocheckCache.xml`, which is globally writable on the device [1]. The attacker then sends a `BC_SaveParameter` message to the iocheckd service, causing the service to parse the malicious cache file [1]. When the parser encounters a `<dns>` node whose value exceeds approximately 0x3b9 bytes, the `sprintf()` call in `_callDnsTool` copies the attacker-controlled DNS string into a fixed 1024-byte stack buffer, overflowing it and overwriting the saved return address [1]. This gives the attacker control of the program counter, leading to arbitrary code execution [1].
Affected code
The vulnerability resides in the `_callDnsTool` function of the iocheckd service at address `0x1E3D0`. Inside this function, a stack buffer of 1024 bytes (`SP+0x8` / `var_408`) is overflowed by a call to `sprintf()` at `0x1E3F0` using the format string `/etc/config-tools/edit_dns_server %s dns-server-nr=%d dns-server-name=%s` [1]. The DNS value extracted from the XML cache file is passed as the third argument without any length check [1].
What the fix does
No patch is provided in the bundle. The advisory recommends two mitigations: disabling the iocheckd service via the Web-based management application, or disabling iocheckd caching by sending an `RC_WriteRegister` message to port 6626 [1]. A proper fix would involve validating the length of the DNS value extracted from the XML file before passing it to `sprintf()`, or replacing the unbounded `sprintf()` with a bounded function such as `snprintf()` to prevent stack buffer overflow [1].
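The paragraph above describes the fix in the abstract. The following C code is an added illustration of that fix, not WAGO's code and not taken from the advisory: it builds the same `edit_dns_server` command line with a length check on the untrusted XML value, a character allow-list, and a bounded `snprintf()` whose truncation is treated as an error. The function name, the `DNS_MAX` limit and the `first_arg` parameter (the page does not say what fills the first `%s` of the format string) are assumptions made for the example.

```c
/*
 * Added example (not WAGO's code): a bounded replacement for the unbounded
 * sprintf() the advisory describes. build_dns_command, DNS_MAX and the
 * `first_arg` parameter are assumptions made for this illustration; the
 * page does not name the first %s argument of the format string.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define CMD_BUF_SIZE 1024   /* matches the 1024-byte stack buffer in the advisory */
#define DNS_MAX      253    /* assumed limit: the longest legal DNS hostname */

/* Build the edit_dns_server command line into `out`.
 * Returns the number of characters written, or -1 if the DNS value is
 * rejected or the result would not fit. Never writes past out_size. */
int build_dns_command(char *out, size_t out_size, const char *first_arg,
                      int server_nr, const char *dns_value)
{
    if (out == NULL || first_arg == NULL || dns_value == NULL || out_size == 0)
        return -1;

    /* 1. Length check on the untrusted XML value before any formatting.
     *    The loop stops at DNS_MAX + 1 so an unterminated value cannot run on. */
    size_t len = 0;
    while (len <= DNS_MAX && dns_value[len] != '\0')
        len++;
    if (len == 0 || len > DNS_MAX)
        return -1;

    /* 2. Allow-list the characters of a hostname or IP literal. This is cheap
     *    and also keeps shell metacharacters out of a command line. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)dns_value[i];
        if (!(isalnum(c) || c == '.' || c == '-' || c == ':'))
            return -1;
    }

    /* 3. snprintf() is bounded by out_size; treat truncation as an error
     *    rather than silently running a mangled command. */
    int n = snprintf(out, out_size,
                     "/etc/config-tools/edit_dns_server %s dns-server-nr=%d dns-server-name=%s",
                     first_arg, server_nr, dns_value);
    if (n < 0 || (size_t)n >= out_size) {
        out[0] = '\0';
        return -1;
    }
    return n;
}

/* Exercise the checks on constructed inputs; returns 1 when every case
 * behaves as intended, 0 otherwise. */
int build_dns_command_selftest(void)
{
    char buf[CMD_BUF_SIZE];
    char huge[0x3b9 + 1];   /* constructed: just over the length the advisory cites */

    memset(huge, 'A', sizeof huge - 1);
    huge[sizeof huge - 1] = '\0';

    /* A well-formed value is accepted and formatted exactly. */
    if (build_dns_command(buf, sizeof buf, "set", 1, "8.8.8.8") < 0)
        return 0;
    if (strcmp(buf, "/etc/config-tools/edit_dns_server set dns-server-nr=1 dns-server-name=8.8.8.8") != 0)
        return 0;
    /* An over-long value is rejected before it can reach the buffer. */
    if (build_dns_command(buf, sizeof buf, "set", 1, huge) != -1)
        return 0;
    /* A value carrying a shell metacharacter is rejected. */
    if (build_dns_command(buf, sizeof buf, "set", 1, "8.8.8.8;x") != -1)
        return 0;
    /* An output buffer too small for the result is detected, not overflowed. */
    if (build_dns_command(buf, 32, "set", 1, "8.8.8.8") != -1)
        return 0;
    return 1;
}

int main(void)
{
    printf("%s\n", build_dns_command_selftest() ? "all checks passed" : "check failed");
    return 0;
}
```

The length check runs before the formatting call, so the over-long `<dns>` value the advisory describes is rejected without the buffer ever being touched; `snprintf()` is the backstop, not the primary defence, because a truncated command line is still a wrong command line.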
Preconditions
- Input: Attacker must be able to write a file to /tmp/iocheckCache.xml on the device (all users have write access to /tmp)
- Network: Attacker must be able to send a BC_SaveParameter message to the iocheckd service over the network
- Config: The iocheckd service must be running and caching must be enabled
Generated on May 25, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
1. talosintelligence.com/vulnerability_reports/TALOS-2019-0961 (MITRE x_refsource_MISC)
News mentions
No linked articles in our index yet.