lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <2112EB4C46134E66B978981D2A966E3F@localhost>
Date: Thu, 16 Jul 2009 00:42:02 +0200
From: "Stefan Kanthak" <stefan.kanthak@...go.de>
To: <bugtraq@...urityfocus.com>,
	<vuln@...unia.com>
Cc: full-disclosure@...ts.grok.org.uk
Subject: Vulnerable DLLs distributed with Terratec
	HomeCinema 6.3

Once again a sad story of poor software "engineering", missing QA
and a TOTALLY unresponsive vendor.

The current version 6.3 of Terratec's TV software HomeCinema
<http://ftp.terratec.de/Receiver/TerraTec_HomeCinema/TerraTec_Home_Cinema_6.3.exe>
from 2009-05-05 installs outdated and vulnerable .DLLs (the
test system used is a fully patched german Windows XP SP3):


1. Version 1.2.2 of ZLIB1.DLL is installed as
   "%ProgramFiles%\TerraTec\TerraTec HomeCinema\zlib1.dll".

   Current since 2005-07-18 is version 1.2.3 of ZLIB1.DLL
   (see <http://zlib.org/>):

| Version 1.2.3 eliminates potential security vulnerabilities in
| zlib 1.2.1 and 1.2.2, so all users of those versions should
| *upgrade* *immediately*.


2. Version 5.1.3102.2180 of Microsoft's GDIPLUS.DLL is installed as
   "%SystemRoot%\SYSTEM32\GDIPLUS.DLL".

   The current version of GDIPLUS.DLL for Windows XP SP3 is
   5.1.3102.5512, which is already part of the system and installed
   into Windows' side-by-side cache under "%SystemRoot%\WinSxS\"!

   According the MSDN GDIPLUS.DLL MUST NOT be installed into
   "%SystemRoot%\SYSTEM32\", and DLLs distributed with Windows
   MUST NOT be redistributed by ISVs.

   In addition see the MSFT security bulletin MS08-052
   <http://www.microsoft.com/technet/security/bulletin/MS08-052.mspx>
   as well as the MSFT knowledge base article 954593
   <http://support.microsoft.com/kb/954593/en-us>.


3. The DLLs of the current version of the component MSXML4 SP2 are
   installed to "%SystemRoot%\SYSTEM32\".

   This component is but not installed from the redistributable
   package provided by Microsoft that ISVs have to use to meet the
   legal mumbo-jumbo, instead Terratec choose to repackage the DLLs
   into an NSIS installer, thus violating MSFTs redistribution
   policy.

   (Un)fortunately this NSIS installer is flawed and does not
   perform all the necessary steps needed for a clean installation
   of MSXML4 SP2, so Microsoft Update detects the MSXML4 SP2
   installation as outdated/incomplete and fetches the current
   patch installer (<http://support.microsoft.com/kb/954430/en-us>,
   <http://www.microsoft.com/technet/security/bulletin/MS08-069.mspx>)
   to repair it.

   The best of all: MSXML4 is NOT referenced at all by the installed
   application CynergyDVR.EXE, which but uses XMLLITE.DLL
   (<http://support.microsoft.com/kb/915865/en-us>) instead.


4. A superfluous pthreadVC2.dll is installed as
   "%CommonProgramFiles%\TerraTec\Cyberlink\Decoder\pthreadVC2.dll"


Stefan Kanthak

PS: Tools like Secunia's PSI don't detect such outdated and
    vulnerable DLLs. Admin beware!


TIMELINE:

2009-06-16  phone call with Terratec's hotline - they were unable
            to take any action, but requested to send report per
            mail

2009-06-17  sent mail to Terratec - no response

2009-06-30  resent mail to Terratec - again no response

2009-07-16  report published

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ