lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 18 Nov 2008 13:42:23 +0100
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Outdated and vulnerable OpenSource libraries used
	in "Deutsche Telekom" home banking software

The "Deutsche Telekom" resp. their "T-Online" branch offer their
own home banking software for Windows under
<ftp://software.t-online.de/pub/service/banking/banking70.exe>
The current release is version 7.00.0004 from 2008-03-17.


This software is but insecure; it installs and uses:

- the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
  outdated, unsupported and vulnerable OpenSSL 0.9.6g from
  2002-08-19 (see <http://www.openssl.org/news/>);

- the library LIBCURL.DLL of the outdated, unsupported and
  vulnerable cURL 7.14.1 from 2005-09-05 (see
  <http://curl.haxx.se/libcurl/>);

- the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of
  the outdated and unsupported Xerces 2.6 (see
  <http://xerces.apache.org/xerces-c/releases.html> as well as
  <http://xerces.apache.org/xerces-c/releases_archive.html>);

- the library CM32L7.DLL of vendor "combit GmbH" which has been
  built with a completely outdated, unsupported and vulnerable
  ZLIB (see <http://zlib.net/>);

- an SSL certifikate container CAcerts.pem with an expired
  certificate (Validity: not after "Feb 23 23:59:00 2006 GMT");
  Two other certificates will expire next week, and another two
  more in three weeks.


To put the icing on the cake:

- the software installs without any error message on Windows 2000,
  although it needs Windows XP or Windows Vista to run (see
  <http://service.t-online.de/c/12/70/32/44/12703244.html>), and
  fails to start with error message "Library UXTHEME.DLL missing"
  after successful installation.


The vendor has been informed via its own hotline, its own CERT, its
press spokesman for security (the "Deutsche Telekom" is member of
the german initiative "Sicher im Netz", see
<https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its
security officer, both per mail and phone (where available).


Response(s): NONE
Reaction(s): NONE


Stefan Kanthak

PS: <http://service.t-online.de/c/12/70/85/92/12708592.html>
    states that this software has been evaluated by TUeV Saarland and
    got their label "TUeV Saarland: Gepruefte Home-Banking Software".
    Whatever they checked: it wasn't the security of this software!

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ