header-logo
Suggest Exploit
vendor:
dmx_6fire USB
by:
Joseph Kwabena Fiagbor
6.1
CVSS
HIGH
Unquoted Service Path Vulnerability
428
CWE
Product Name: dmx_6fire USB
Affected Version From: Not specified
Affected Version To: v.1.23.0.02
Patch Exists: NO
Related CWE: CVE-2024-31804
CPE: dmx_6fire_usb
Metasploit:
Other Scripts:
Platforms Tested: Windows 7-11
2024

Terratec dmx_6fire USB – Unquoted Service Path

Terratec dmx_6fire USB software installs a service with an unquoted service path that runs with SYSTEM privileges. This vulnerability could be exploited by a non-privileged local user to execute arbitrary code with elevated privileges on the system.

Mitigation:

To mitigate this vulnerability, the vendor should quote the service path in the software installation. Users should also update to a patched version once available.
Source

Exploit-DB raw data:

# Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path
# Google Dork: null
# Date: 4/10/2024
# Exploit Author: Joseph Kwabena Fiagbor
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
# Software Link:
# Version: v.1.23.0.02
# Tested on: windows 7-11
# CVE : CVE-2024-31804

1. Description:

The Terratec dmx_6fire usb installs as a service with an unquoted service
path running
with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local
user to execute arbitrary code with elevated privileges on the system.

2. Proof

> C:\Users\Astra>sc qc "ttdmx6firesvc"
> {SC] QueryServiceConfig SUCCESS
>
> SERVICE_NAME: ttdmx6firesvc
>         TYPE               : 10  WIN32_OWN_PROCESS
>         START_TYPE         : 2   AUTO_START
>         ERROR_CONTROL      : 1   NORMAL
>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
>         LOAD_ORDER_GROUP   : PlugPlay
>         TAG                : 0
>         DISPLAY_NAME       : DMX6Fire Control
>         DEPENDENCIES       : eventlog
>                            : PlugPlay
>         SERVICE_START_NAME : LocalSystem
>
>