{"containers":{"cna":{"affected":[{"product":"Wago","vendor":"n/a","versions":[{"status":"affected","version":"WAGO PFC200 Firmware version 03.02.02(14)"}]}],"descriptions":[{"lang":"en","value":"An exploitable stack buffer overflow vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. 
A state value of length 0x3c9 will cause the service to crash."}],"problemTypes":[{"descriptions":[{"description":"stack buffer overflow","lang":"en","type":"text"}]}],"providerMetadata":{"dateUpdated":"2020-03-23T13:22:52.000Z","orgId":"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b","shortName":"talos"},"references":[{"tags":["x_refsource_MISC"],"url":"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"}],"x_legacyV4Record":{"CVE_data_meta":{"ASSIGNER":"talos-cna@cisco.com","ID":"CVE-2019-5185","STATE":"PUBLIC"},"affects":{"vendor":{"vendor_data":[{"product":{"product_data":[{"product_name":"Wago","version":{"version_data":[{"version_value":"WAGO PFC200 Firmware version 03.02.02(14)"}]}}]},"vendor_name":"n/a"}]}},"data_format":"MITRE","data_type":"CVE","data_version":"4.0","description":{"description_data":[{"lang":"eng","value":"An exploitable stack buffer overflow vulnerability exists in the iocheckd service \"I/O-Check\" functionality of WAGO PFC 200. An attacker can send a specially crafted packet to trigger the parsing of this cache file. At 0x1ea28 the extracted state value from the xml file is used as an argument to /etc/config-tools/config_interfaces interface=X1 state=<contents of state node> using sprintf(). The destination buffer sp+0x40 is overflowed with the call to sprintf() for any state values that are greater than 512-len(\"/etc/config-tools/config_interfaces interface=X1 state=\") in length. Later, at 0x1ea08 strcpy() is used to copy the contents of the stack buffer that was overflowed sp+0x40 into sp+0x440. The buffer sp+0x440 is immediately adjacent to sp+0x40 on the stack. Therefore, there is no NULL termination on the buffer sp+0x40 since it overflowed into sp+0x440. The strcpy() will result in invalid memory access. 
A state value of length 0x3c9 will cause the service to crash."}]},"problemtype":{"problemtype_data":[{"description":[{"lang":"eng","value":"stack buffer overflow"}]}]},"references":{"reference_data":[{"name":"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966","refsource":"MISC","url":"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"}]}}},"adp":[{"providerMetadata":{"orgId":"af854a3a-2127-422b-91ae-364da2661108","shortName":"CVE","dateUpdated":"2024-08-04T19:47:56.813Z"},"title":"CVE Program Container","references":[{"tags":["x_refsource_MISC","x_transferred"],"url":"https://talosintelligence.com/vulnerability_reports/TALOS-2019-0966"}]}]},"cveMetadata":{"assignerOrgId":"b86d76f8-0f8a-4a96-a78d-d8abfc7fc29b","assignerShortName":"talos","cveId":"CVE-2019-5185","datePublished":"2020-03-23T13:22:52.000Z","dateReserved":"2019-01-04T00:00:00.000Z","dateUpdated":"2024-08-04T19:47:56.813Z","state":"PUBLISHED"},"dataType":"CVE_RECORD","dataVersion":"5.1"}