Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software

To: <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Outdated and vulnerable OpenSource libraries used in "Deutsche Telekom" home banking software
From: "Stefan Kanthak" <stefan.kanthak@xxxxxxxx>
Date: Tue, 18 Nov 2008 13:42:23 +0100
Cc: <full-disclosure@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: Me, myself & I

The "Deutsche Telekom" resp. their "T-Online" branch offer their
own home banking software for Windows under
<ftp://software.t-online.de/pub/service/banking/banking70.exe>
The current release is version 7.00.0004 from 2008-03-17.


This software is but insecure; it installs and uses:

- the libraries LIBEAY32.DLL and SSLEAY32.DLL of the completely
  outdated, unsupported and vulnerable OpenSSL 0.9.6g from
  2002-08-19 (see <http://www.openssl.org/news/>);

- the library LIBCURL.DLL of the outdated, unsupported and
  vulnerable cURL 7.14.1 from 2005-09-05 (see
  <http://curl.haxx.se/libcurl/>);

- the libraries xerces-c_2_6.dll and xerces-depdom_2_6.dll of
  the outdated and unsupported Xerces 2.6 (see
  <http://xerces.apache.org/xerces-c/releases.html> as well as
  <http://xerces.apache.org/xerces-c/releases_archive.html>);

- the library CM32L7.DLL of vendor "combit GmbH" which has been
  built with a completely outdated, unsupported and vulnerable
  ZLIB (see <http://zlib.net/>);

- an SSL certifikate container CAcerts.pem with an expired
  certificate (Validity: not after "Feb 23 23:59:00 2006 GMT");
  Two other certificates will expire next week, and another two
  more in three weeks.


To put the icing on the cake:

- the software installs without any error message on Windows 2000,
  although it needs Windows XP or Windows Vista to run (see
  <http://service.t-online.de/c/12/70/32/44/12703244.html>), and
  fails to start with error message "Library UXTHEME.DLL missing"
  after successful installation.


The vendor has been informed via its own hotline, its own CERT, its
press spokesman for security (the "Deutsche Telekom" is member of
the german initiative "Sicher im Netz", see
<https://www.sicher-im-netz.de/wir_ueber_uns/146.aspx>) and its
security officer, both per mail and phone (where available).


Response(s): NONE
Reaction(s): NONE


Stefan Kanthak

PS: <http://service.t-online.de/c/12/70/85/92/12708592.html>
    states that this software has been evaluated by TUeV Saarland and
    got their label "TUeV Saarland: Gepruefte Home-Banking Software".
    Whatever they checked: it wasn't the security of this software!

Prev by Date: [DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3
Next by Date: [security bulletin] HPSBST02386 SSRT080164 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-067 to MS08-069
Previous by thread: [DSECRG-08-039] Local File Include Vulnerability in Pluck CMS 4.5.3
Next by thread: [security bulletin] HPSBST02386 SSRT080164 rev.1 - Storage Management Appliance (SMA), Microsoft Patch Applicability MS08-067 to MS08-069
Index(es):
- Date
- Thread