CVE-2019-5185
Description
An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state= using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Stack buffer overflow in WAGO PFC200 iocheckd service allows denial of service and potential code execution via crafted XML cache file.
Vulnerability
A stack buffer overflow vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200 controllers running firmware version 03.02.02(14) [1]. The service parses an XML cache file stored at /tmp/iocheckCache.xml, which is globally writable. During parsing, the state value extracted from the XML file is used in a sprintf() call to construct a command string, leading to a buffer overflow when the state value exceeds 512 bytes minus the length of the command prefix. The overflow corrupts adjacent stack memory, and a subsequent strcpy() causes invalid memory access [1].
Exploitation
An attacker with local access to the device, or the ability to write to the /tmp/iocheckCache.xml file, can craft a malicious XML file containing an overly long state value (approximately 0x3c9 bytes). Triggering the iocheckd service to parse this file (e.g., by sending a specially crafted packet) will cause the stack buffer overflow. No authentication is required beyond the ability to write to the cache file [1].
Impact
Successful exploitation results in a denial of service (crash of the iocheckd service). Depending on compiler and optimization settings, the vulnerability may be exploitable for arbitrary code execution with high impact on confidentiality, integrity, and availability (CVSS 7.0) [1].
Mitigation
No fixed firmware version has been disclosed in the available references [1]. As a workaround, restrict write access to /tmp/iocheckCache.xml or disable the iocheckd service if it is not required. Monitor for unusual writes to the cache file.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2- WAGO/PFC 200description
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1- talosintelligence.com/vulnerability_reports/TALOS-2019-0966mitrex_refsource_MISC
News mentions
0No linked articles in our index yet.