CVE-2019-5182
Description
An exploitable stack buffer overflow vulnerability exists in the iocheckd service ‘I/O-Check’ functionality of WAGO PFC 200 Firmware version 03.02.02(14). An attacker can send a specially crafted packet to trigger the parsing of this cache file. The destination buffer sp+0x440 is overflowed with the call to sprintf() for any type values that are greater than 1024-len(‘/etc/config-tools/config_interfaces interface=X1 state=enabled config-type=’) in length. A type value of length 0x3d9 will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC 200 iocheckd service allows code execution via specially crafted cache file.
Vulnerability
The iocheckd service 'I/O-Check' in WAGO PFC 200 firmware version 03.02.02(14) contains a stack buffer overflow vulnerability. The vulnerability lies in the parsing of the cache file /tmp/iocheckCache.xml. When the BC_SaveParameter message is processed, the function uses sprintf() to copy a type value into a stack buffer at offset sp+0x440. If the type value exceeds 1024 bytes minus the length of the string '/etc/config-tools/config_interfaces interface=X1 state=enabled config-type=' (approximately 1024-74 = 950 bytes), a buffer overflow occurs. A type value of length 0x3d9 (985 bytes) will cause a crash. The affected versions are WAGO PFC200 firmware 03.02.02(14) and possibly earlier.
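The bounded form of the formatting step described above, as an added example that is not WAGO's code or part of the original advisory. The function names and the 1024-byte destination size are assumptions drawn from the description's arithmetic; the type values are constructed filler.

```c
#include <stdio.h>
#include <string.h>

/* Fixed prefix quoted in the CVE description. */
#define CMD_PREFIX "/etc/config-tools/config_interfaces interface=X1 state=enabled config-type="
/* Assumed destination size, taken from the description's "1024 - len(prefix)". */
#define CMD_BUF_LEN 1024

/* Longest type value that fits in buf_len bytes, leaving room for the NUL. */
size_t max_type_len(size_t buf_len)
{
    size_t prefix_len = sizeof(CMD_PREFIX) - 1;
    return buf_len > prefix_len ? buf_len - prefix_len - 1 : 0;
}

/* Bounded replacement for the reported pattern sprintf(dst, "<prefix>%s", type).
 * Hypothetical name. Returns 0 on success, -1 if type is NULL or does not fit;
 * on failure dst holds an empty string, never a truncated command. */
int build_interface_cmd(char *dst, size_t dst_len, const char *type)
{
    if (dst == NULL || dst_len == 0)
        return -1;
    dst[0] = '\0';
    if (type == NULL)
        return -1;
    int n = snprintf(dst, dst_len, "%s%s", CMD_PREFIX, type);
    if (n < 0 || (size_t)n >= dst_len) {
        dst[0] = '\0';          /* reject instead of using truncated output */
        return -1;
    }
    return 0;
}

/* Demo helper: builds a constructed type value of n filler bytes. */
int try_type_of_len(size_t n)
{
    char type[2048], cmd[CMD_BUF_LEN];
    if (n >= sizeof(type))
        return -1;
    memset(type, 'A', n);
    type[n] = '\0';
    return build_interface_cmd(cmd, sizeof(cmd), type);
}

int main(void)
{
    printf("max type length %zu, length 0x3d9 -> %d\n",
           max_type_len(CMD_BUF_LEN), try_type_of_len(0x3d9));
    return 0;
}
```

Checking the return value of snprintf() matters as much as the size argument: a silently truncated string would still be handed to whatever consumes the buffer.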
Exploitation
An attacker must have write access to the /tmp directory, which is globally writable. The attacker places a malicious XML file at /tmp/iocheckCache.xml. The service then triggers parsing of this cache file when a BC_SaveParameter message is sent. No authentication is required to trigger the vulnerability, but the attacker must be able to write the cache file (local access or via a service that writes to /tmp). The exploitation involves crafting a type value longer than the buffer limit, causing a stack buffer overflow.
Impact
Successful exploitation results in arbitrary code execution on the device. Since the overflow occurs on the stack, an attacker can overwrite return addresses and gain full control of the iocheckd service, which runs with elevated privileges. The confidentiality, integrity, and availability of the device are compromised.
Mitigation
No fix is disclosed in the available references [1]. WAGO PFC 200 users should monitor WAGO's security advisory for a firmware update. As a workaround, restrict write access to /tmp if possible, or limit network access to the device. This CVE is not listed in the KEV catalog as of the publication date.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
References (1)
[1] talosintelligence.com/vulnerability_reports/TALOS-2019-0963 (mitre, x_refsource_MISC)