TippingPoint Zero Day Initiative

(0Day) Eaton ELCSoft LAD File Parsing Out-Of-Bounds Write Remote Code Execution Vulnerability

ZDI-17-818: September 26th, 2017

CVSS Score

Affected Vendors


Affected Products


Vulnerability Details

This vulnerability allows remote attackers to execute arbitrary code on vulnerable installations of Eaton ELCSoft. User interaction is required to exploit this vulnerability in that the target must visit a malicious page or open a malicious file.

The specific flaw exists within the parsing of a LAD file. The issue results from the lack of proper validation of user-supplied data, which can result in a write past the end of an allocated buffer. An attacker can leverage this vulnerability to execute arbitrary code under the context of the current process.
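The flaw class the advisory describes, as an added C example (not Eaton's or ZDI's code): the LAD layout is not given on this page, so the record format, the function names and RECORD_CAP are assumptions, and the unchecked parser is shown only beside its hardened form.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical record: a 16-bit little-endian length followed by that
 * many payload bytes, copied into a fixed-size destination. */
#define RECORD_CAP 64

/* The pattern the advisory describes: the length is taken from the file
 * and trusted, so a value larger than RECORD_CAP writes past the end of
 * `out`. Kept only for comparison; never run on untrusted input. */
int parse_record_unchecked(const uint8_t *file, size_t file_len, uint8_t out[RECORD_CAP])
{
    if (file_len < 2) return -1;
    size_t n = file[0] | (file[1] << 8);
    memcpy(out, file + 2, n);            /* n is unbounded: out-of-bounds write */
    return (int)n;
}

/* Hardened form: every file-derived size is checked against the destination
 * capacity and against the bytes actually present before any copy happens. */
int parse_record_checked(const uint8_t *file, size_t file_len, uint8_t out[RECORD_CAP])
{
    if (file_len < 2) return -1;
    size_t n = file[0] | (file[1] << 8);
    if (n > RECORD_CAP) return -1;       /* would overflow the destination */
    if (n > file_len - 2) return -1;     /* truncated file: would read past input */
    memcpy(out, file + 2, n);
    return (int)n;
}

/* Constructed inputs: a well-formed 3-byte record and one claiming 0xFFFF bytes. */
const uint8_t good_file[] = { 0x03, 0x00, 'A', 'B', 'C' };
const uint8_t bad_file[]  = { 0xFF, 0xFF, 'A', 'B', 'C' };
uint8_t scratch[RECORD_CAP];

int main(void)
{
    printf("good: %d\n", parse_record_checked(good_file, sizeof good_file, scratch));
    printf("bad:  %d\n", parse_record_checked(bad_file, sizeof bad_file, scratch));
    return 0;
}
```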

Vendor Response

Eaton states:

This vulnerability is being disclosed publicly without a patch in accordance with the ZDI 120 day deadline.

03/23/2017 and 03/28/2017 - ZDI disclosed the reports to ICS-CERT
03/24/2017 - ICS-CERT provided ZDI with an ICS-VU#, ICS-VU-380351
03/28/2017 - ICS-CERT acknowledged all 7 reports from ZDI for this vendor
08/11/2017 - ZDI sent a status inquiry to ICS-CERT
08/11/2017 - ICS-CERT replied that the vendor is working with a 3rd party component and had no ETA
08/30/2017 - ZDI asked ICS-CERT to notify the vendor that these will 0-day on 9/26
09/15/2017 - ZDI reminded ICS-CERT that these will 0-day on 9/26

-- Mitigation:
Given the nature of the vulnerability, the only salient mitigation strategy is to restrict interaction with the application to trusted files.

Disclosure Timeline

    2017-03-28 - Vulnerability reported to vendor
    2017-09-26 - Coordinated public release of advisory


This vulnerability was discovered by: