// For flags

CVE-2019-5185

 

Severity Score

7.0
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

1
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

An exploitable stack buffer overflow vulnerability vulnerability exists in the iocheckd service "I/O-Check" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len("/etc/config-tools/config_interfaces interface=X1 state=") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. An state value of length 0x3c9 will cause the service to crash.

Se presenta una vulnerabilidad de desbordamiento del búfer de la pila explotable en la funcionalidad "I/O-Check" del servicio iocheckd de WAGO PFC 200. Un atacante puede enviar un paquete especialmente diseñado para activar el análisis de este archivo caché. En 0x1ea28, el valor de estado extraído del archivo xml es usado como un argumento para /etc/config-tools/config_interfaces interface=X1 state= usando la función sprintf(). El búfer de destino sp+0x40 es desbordado con la llamada a la función sprintf() para cualquier valor de estado que sea mayor de 512-len("/etc/config-tools/config_interfaces interface=X1 state=") de longitud. Más tarde, en 0x1ea08 la función strcpy() es usada para copiar el contenido del búfer de la pila que se desbordó sp+0x40 en sp+0x440. El búfer sp+0x440 está inmediatamente adyacente a sp+0x40 sobre la pila. Por lo tanto, no presenta terminación NULL en el búfer sp+0x40 ya que se desbordó en sp+0x440. La función strcpy() resultará en un acceso no válido a la memoria. Un valor de estado de longitud 0x3c9 causará que el servicio se bloquee.

*Credits: N/A
CVSS Scores
Attack Vector
Local
Attack Complexity
High
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Local
Attack Complexity
Medium
Authentication
None
Confidentiality
Partial
Integrity
Partial
Availability
Partial
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2019-01-04 CVE Reserved
  • 2020-03-23 CVE Published
  • 2023-07-27 EPSS Updated
  • 2024-08-04 CVE Updated
  • 2024-08-04 First Exploit
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
References (1)
URL Tag Source
URL Date SRC
https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966 2024-08-04
URL Date SRC
URL Date SRC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Wago
Search vendor "Wago"
 Pfc200 Firmware
Search vendor "Wago" for product "Pfc200 Firmware"
 03.02.02\(14\)
Search vendor "Wago" for product "Pfc200 Firmware" and version "03.02.02\(14\)"
-
Affected
in Wago
Search vendor "Wago"
 Pfc200
Search vendor "Wago" for product "Pfc200"
--
Safe