Does the SCADA community get interested in security? I don't think so, because they always say "don't touch those things, you could hurt people" to avoid moving their asses to secure their networks, so with this bug and the previous one about the Wonderware DoS they will probably start to really secure their products and do better things during the development process.
Some people asked me how I found the vulnerability and the answer is simple:
1) Download and install the software, duh!!!!
2) Select a process with a port listening for incoming connections (I just selected the first one I saw)
3) Start your favorite debugger
4) Set a breakpoint on the recv() function (the one that receives data from TCP connections)
5) Use your favorite programming language (mine is Python) and write a script to send a bunch of A's.
6) When the breakpoint hits, start debugging. You'll usually see that a byte or two are read from the socket and processed as the length of the rest of the packet, so you can adjust your script to send a packet with those bytes at the beginning representing the length.
7) If you step out of a function or two, you'll see the function that processes the packet content according to the length specified.
8) In those parser functions, you'll usually see that a byte or two are read from the packet and interpreted as the field type (that is usually a huge switch-case).
9) According to the operation selected by the byte read, a byte or two are read as the size of the field to process (like Tag-Length-Value).
10) The field is copied into a fixed-size buffer on the stack using the length specified in the packet... OUCH!!! EIP = 0x41414141 ??? That's not good (for them... ahhaha)
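As an added example (not code from this post or from the product it discusses), here is the Tag-Length-Value parsing pattern from the last three steps written out in C: the unsafe version copies by the length byte straight off the wire, the hardened version checks that length against both the packet and the destination buffer before copying. The one-byte type / one-byte length layout, the 16-byte buffer and the TYPE_NAME value are assumptions for illustration, and the packets are constructed inline.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define FIELD_BUF 16          /* fixed-size stack buffer, as in the last step above */
#define TYPE_NAME 0x01        /* hypothetical field type for this example */

/* Build a constructed packet: [type][len][len bytes of fill]. Returns bytes written, 0 if out is too small. */
size_t build_packet(uint8_t *out, size_t out_cap, uint8_t type, uint8_t len, uint8_t fill)
{
    if (out_cap < (size_t)len + 2)
        return 0;
    out[0] = type;
    out[1] = len;
    memset(out + 2, fill, len);
    return (size_t)len + 2;
}

/* The pattern described in the post: the length byte from the wire drives memcpy into
 * a fixed stack buffer. Only ever call this with a well-formed packet; an oversized
 * len overruns buf and clobbers the saved return address. Returns the field length. */
int parse_field_unsafe(const uint8_t *pkt, size_t pkt_len)
{
    char buf[FIELD_BUF];
    if (pkt_len < 2 || pkt[0] != TYPE_NAME)
        return -1;
    uint8_t len = pkt[1];
    memcpy(buf, pkt + 2, len);   /* BUG: len is never checked against sizeof buf */
    return (int)len;
}

/* Hardened version: the claimed length is checked against what the packet actually
 * carries and against the destination buffer before any copy. Return codes: >=0 field
 * length, -1 bad header/type, -2 length exceeds packet, -3 length exceeds buffer. */
int parse_field_safe(const uint8_t *pkt, size_t pkt_len)
{
    char buf[FIELD_BUF];
    if (pkt_len < 2 || pkt[0] != TYPE_NAME)
        return -1;
    uint8_t len = pkt[1];
    if (len > pkt_len - 2)
        return -2;               /* would read past the end of the packet */
    if (len >= sizeof buf)
        return -3;               /* would overflow buf (keep one byte for the NUL) */
    memcpy(buf, pkt + 2, len);
    buf[len] = '\0';
    return (int)len;
}
```

The same two checks apply whatever the real field widths are: the parser must never trust a length it read from the packet until it has compared it with both the bytes it actually received and the buffer it is about to write.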