
ScadaTEC ModbusTagServer and ScadaPhone Remote Buffer Overflow Vulnerability

September 12, 2011 (Updated December 28, 2011)

Independent security researcher Steven Seeley publicly released a report that included proof-of-concept (PoC) exploit code targeting a remote buffer-overflow vulnerability in the ScadaTEC ModbusTagServer and ScadaPhone products.

Exploitation of this vulnerability requires a specially crafted ZIP archive file to be opened using the affected application. An attacker could exploit this issue to execute arbitrary code in the context of the affected application. Failed exploit attempts will likely result in denial-of-service conditions.

ScadaTEC has produced a patch that resolves this vulnerability for all affected products and versions.

The following versions are vulnerable:

ScadaTEC ScadaPhone 5.3.11.1230 and prior.
ScadaTEC ModbusTagServer 4.1.1.81 and prior.

SCADAhacker comment:
ScadaTEC, Inc. is a US-based company and is not the same as Scadatec Ltd., recently mentioned in ICS-CERT Advisory ICSA-11-216-01 for the Procyon product.

ICS-CERT Advisories / Alerts

ICSA-11-362-01
ICS-ALERT-11-255-01

Vendor Website (including Patches / Hotfixes)

ScadaTEC Website
Alarm Dialer (ScadaPhone) Overview
Tag Server (ModbusTagServer) Overview
ScadaPhone Brochure

Patch is available by calling ScadaTEC support at +1.715.348.7336.

All software downloads appear to be "unavailable" on the vendor site following the public disclosure.

Exploit Proof-of-Concept

Metasploit Framework (windows/fileformat/scadaphone_zip)
Security Focus
Packet Storm
Exploit-DB ID 17817

Common Vulnerabilities and Exposures (CVE) References

CVE-2011-4535
NVD CVE-2011-4535

Additional Information

Exploit-DB ID 17817
Exploit-DB ID 17833
Secunia Advisory #45950
SecurityFocus Vulnerability Info and Exploit (Bugtraq ID 49560)
Open-Source Vulnerability Database #75375

SCADA Firms Suffer Vulnerabilities (ISSSource)