Webroot Spysweeper Server Vuln


I also posted this in the security forums over at http://myitforum.com/forums.

Webroot Spysweeper 2.0 Enterprise by default creates a website on port 8080. The webserver is an Apache Jetty server. This website is used to send updates to the clients.

The website is misconfigured so that the HTTP "PUT" method is enabled. This allows anyone to upload files to the server and potentially replace the files that are already there. Traditionally, leaving the PUT method enabled can lead to complete system compromise.

If you go to http://servername:8080/updates, you will see a list of folders with sequential naming: 0057F161...0057F165. Each folder contains a zip file and an INI file. The zip file contains an MST file and an INI file. I have not tested this, but I postulate that at best an attacker could overwrite these files, preventing client updates. At worst, an attacker could create their own MST files that could crash Webroot and potentially run hostile code on the clients.
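An administrator who wants to confirm whether the update site advertises a writable method can do so without uploading anything: an OPTIONS request returns an Allow header listing the methods the server accepts for that path. The script below is an added example, not part of the original post or of any Webroot or Jetty code. It sends OPTIONS to the /updates/ path named above and flags PUT or DELETE in the response; because it has to run offline, it also starts a small constructed HTTP server (an assumption standing in for a misconfigured update site) that answers OPTIONS with "GET, HEAD, PUT, OPTIONS". Point `probe_put()` at a real host and port to check an actual server.

```python
"""Check whether an HTTP server advertises PUT/DELETE for a path.

The probe sends only an OPTIONS request and reads the Allow header; it never
writes to the server. The local server below is a constructed stand-in for a
misconfigured update site and is not Webroot's or Jetty's code.
"""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Methods that let a client modify content on the server.
UNSAFE_METHODS = {"PUT", "DELETE"}


def parse_allow(header_value):
    """Split an Allow header such as 'GET, HEAD, PUT' into a set of upper-case tokens."""
    if not header_value:
        return set()
    return {m.strip().upper() for m in header_value.split(",") if m.strip()}


def risky_methods(allowed):
    """Return the subset of advertised methods that allow writes."""
    return allowed & UNSAFE_METHODS


def probe_put(host, port, path="/updates/", timeout=5):
    """OPTIONS probe: returns (status, allowed_methods, risky_methods).

    The Allow header is advisory; a server that omits it may still accept PUT,
    so an empty result is 'not advertised', not 'disabled'.
    """
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", path)
        resp = conn.getresponse()
        allowed = parse_allow(resp.getheader("Allow"))
        return resp.status, allowed, risky_methods(allowed)
    finally:
        conn.close()


class _MisconfiguredHandler(BaseHTTPRequestHandler):
    """Constructed stand-in (assumption) for an update server that advertises PUT."""

    def do_OPTIONS(self):
        self.send_response(200)
        self.send_header("Allow", "GET, HEAD, PUT, OPTIONS")
        self.send_header("Content-Length", "0")
        self.end_headers()

    def log_message(self, *args):
        # Keep the demo quiet; a real deployment would log these requests.
        pass


def start_demo_server():
    """Start the constructed server on an ephemeral loopback port; returns (server, port)."""
    srv = HTTPServer(("127.0.0.1", 0), _MisconfiguredHandler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv, srv.server_address[1]


def demo():
    """Run the probe against the constructed server and return its result."""
    srv, port = start_demo_server()
    try:
        return probe_put("127.0.0.1", port)
    finally:
        srv.shutdown()
        srv.server_close()


if __name__ == "__main__":
    status, allowed, risky = demo()
    print(f"status={status} allow={sorted(allowed)} risky={sorted(risky)}")
```

The probe reports what the server advertises, which is enough to confirm the misconfiguration described here on a host you administer; a server that returns no Allow header has not been shown to be safe, and the fix on the server side is to restrict the method in the servlet container's configuration rather than to rely on the header.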

I called Webroot today. At first they professed to have no idea what I was talking about. After explaining it a few times, it turns out this has been discovered and will be fixed in version 2.1, due next week.

This page contains a single entry by Roger published on February 28, 2005 4:56 PM.