CVE-2009-4606 in WebDrive
Summary
by MITRE
South River Technologies WebDrive 9.02 build 2232 installs the WebDrive Service without a security descriptor, which allows local users to (1) stop the service via the stop command, (2) execute arbitrary commands as SYSTEM by using the config command to modify the binPath variable, or (3) restart the service via the start command.
Analysis
by VulDB Data Team • 11/02/2025
The vulnerability identified as CVE-2009-4606 affects South River Technologies WebDrive version 9.02 build 2232 and represents a critical privilege escalation flaw stemming from improper service configuration. This issue arises from the installation process where the WebDrive Service is deployed without a proper security descriptor, creating a fundamental access control weakness that can be exploited by local attackers to gain elevated system privileges.
The technical flaw is the absence of a security descriptor at service installation time; the descriptor is what carries the discretionary access control list (DACL) defining which principals may query, reconfigure, start or stop the service. Without it the service ends up with overly permissive access rights, so ordinary local users can drive it through the standard Windows service control commands. The summary lists the three resulting operations (stop, reconfigure via binPath, start), which together allow complete system compromise.
The operational impact is severe because a local user can execute arbitrary code with SYSTEM privileges through the config command. By modifying the binPath variable, an attacker redirects the service to run a binary of their choosing with the highest system privileges, bypassing normal user access controls. The ability to stop and start the service through the same control interface gives the attacker the means to trigger that binary and to retain control of the host, enabling persistence or further attacks.
This vulnerability aligns with CWE-264, which addresses permissions, privileges, and access controls, specifically focusing on insufficient privileges or permissions. The flaw also maps to several ATT&CK techniques including privilege escalation through service modification and persistence mechanisms. The security descriptor issue represents a fundamental failure in service hardening practices and demonstrates the critical importance of proper access control implementation during software deployment.
Organizations should mitigate immediately by updating to a patched version of WebDrive, applying a proper security descriptor to the installed service, and monitoring for unauthorized service modifications. System administrators should also audit the host for any other services installed without adequate access controls and ensure every service operates under the principle of least privilege. The vulnerability highlights the need for robust service configuration management and adherence to security best practices during software installation.
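The audit the mitigation paragraph calls for can be scripted: read each service's security descriptor as SDDL and flag any allow ACE that grants low-privileged principals the rights behind the three operations above (change config, start, stop) or rights to rewrite the DACL itself. The following PowerShell is an added example written for this page, not WebDrive's or VulDB's code; it assumes sc.exe sdshow is available and uses a constructed descriptor for a fictitious service named SampleSvc to show a weak configuration.

```powershell
# Audit service DACLs (as SDDL) for rights that let any local user reconfigure,
# start or stop a service. Added example for this advisory; not WebDrive's or VulDB's code.
$RightMasks = @{ DC = 0x2; RP = 0x10; WP = 0x20; WD = 0x40000; WO = 0x80000;
                 GW = 0x40000000; GA = 0x10000000 }   # service-specific and generic bits
$RiskyMask  = 0x2 -bor 0x40000 -bor 0x80000 -bor 0x40000000 -bor 0x10000000  # rewrite binPath / DACL
$StartStop  = 0x10 -bor 0x20
# SDDL aliases and raw SIDs that every local (or anonymous) user holds.
$LowPrivSids = 'AU','BU','WD','IU','AN','BG','S-1-1-0','S-1-5-11','S-1-5-32-545','S-1-5-4'

function ConvertTo-AccessMask([string]$Rights) {
    if ($Rights -match '^0x') { return [Convert]::ToUInt32($Rights.Substring(2), 16) }
    $mask = 0
    foreach ($code in [regex]::Matches($Rights, '..').Value) {   # two-letter right codes
        if ($RightMasks.ContainsKey($code)) { $mask = $mask -bor $RightMasks[$code] }
    }
    return $mask
}

function Test-ServiceSddl {
    param([Parameter(Mandatory)][string]$Name, [Parameter(Mandatory)][string]$Sddl)
    $hit = [regex]::Match($Sddl, 'D:[A-Z]*((?:\([^)]*\))*)')
    # No DACL at all (NULL DACL) is the worst case: every principal gets full control.
    if (-not $hit.Success) {
        return [pscustomobject]@{ Service=$Name; Principal='(everyone)'; Rights='NULL DACL'; Risk='Critical' }
    }
    foreach ($ace in [regex]::Matches($hit.Groups[1].Value, '\(([^)]*)\)')) {
        $f = $ace.Groups[1].Value.Split(';')
        if ($f.Count -lt 6 -or $f[0] -ne 'A') { continue }           # allow ACEs only
        $sid = $f[5]
        if ($sid -notin $LowPrivSids) { continue }                    # admins/SYSTEM are expected
        $mask = ConvertTo-AccessMask $f[2]
        if ($mask -band $RiskyMask) {
            [pscustomobject]@{ Service=$Name; Principal=$sid; Rights=$f[2]; Risk='Critical' }
        } elseif ($mask -band $StartStop) {
            [pscustomobject]@{ Service=$Name; Principal=$sid; Rights=$f[2]; Risk='Medium' }
        }
    }
}

# Read the live descriptor of each service with sc.exe sdshow and audit it.
function Get-WeakServiceAcl([string[]]$Name = (Get-Service).Name) {
    foreach ($n in $Name) {
        $sddl = (& sc.exe sdshow $n 2>$null | Where-Object { $_ -match '^D:' }) -join ''
        if ($sddl) { Test-ServiceSddl -Name $n -Sddl $sddl }
    }
}

# Constructed sample: Authenticated Users (AU) hold DC (change config), RP (start) and WP (stop).
$weak = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPLOCRRC;;;AU)'
Test-ServiceSddl -Name 'SampleSvc' -Sddl $weak | Format-Table -AutoSize
```

Run Get-WeakServiceAcl from an elevated prompt to sweep every installed service; a finding for a principal such as AU or BU with DC in its rights is the condition this advisory describes, and the fix is to reapply a descriptor that restricts change-config to administrators and SYSTEM.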