Terratec dmx_6fire USB - Unquoted Service Path - exploit.company
Vendor: dmx_6fire USB
By: Joseph Kwabena Fiagbor
CVSS: 6.1 (HIGH)
Unquoted Service Path Vulnerability
CWE: 428
Product Name: dmx_6fire USB
Affected Version From: Not specified
Affected Version To: v.1.23.0.02
Patch Exists: NO
Related CVE: CVE-2024-31804
CPE: dmx_6fire_usb
Platforms Tested: Windows 7-11
2024

Terratec dmx_6fire USB – Unquoted Service Path

Terratec dmx_6fire USB software installs a service with an unquoted service path that runs with SYSTEM privileges. This vulnerability could be exploited by a non-privileged local user to execute arbitrary code with elevated privileges on the system.

Mitigation:

To mitigate this vulnerability, the vendor should quote the service path in the software installation. Users should also update to a patched version once available.

Exploit-DB raw data:

# Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path
# Google Dork: null
# Date: 4/10/2024
# Exploit Author: Joseph Kwabena Fiagbor
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
# Software Link:
# Version: v.1.23.0.02
# Tested on: windows 7-11
# CVE : CVE-2024-31804

1. Description:

The Terratec dmx_6fire usb installs as a service with an unquoted service path running with SYSTEM privileges.
This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.

2. Proof

> C:\Users\Astra>sc qc "ttdmx6firesvc"
> [SC] QueryServiceConfig SUCCESS
>
> SERVICE_NAME: ttdmx6firesvc
>         TYPE               : 10  WIN32_OWN_PROCESS
>         START_TYPE         : 2   AUTO_START
>         ERROR_CONTROL      : 1   NORMAL
>         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
>         LOAD_ORDER_GROUP   : PlugPlay
>         TAG                : 0
>         DISPLAY_NAME       : DMX6Fire Control
>         DEPENDENCIES       : eventlog
>                            : PlugPlay
>         SERVICE_START_NAME : LocalSystem
>
>
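
An auditing check for the condition shown in the proof above, added here as an example (it is not part of the original advisory or of the vendor's software): it parses `sc qc` output, flags a `BINARY_PATH_NAME` that is unquoted and contains spaces, and builds the quoted form the mitigation calls for. The function names are this example's own, the `.exe` split is a heuristic, and the embedded sample is abridged from the proof output on this page.

```python
import re

# Abridged from the `sc qc "ttdmx6firesvc"` proof output on this page.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ttdmx6firesvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
        DEPENDENCIES       : eventlog
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Map FIELD -> value for each 'FIELD : value' line; continuation lines are skipped."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)\s*:\s*(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields

def split_image_path(value):
    """Split a service command line into (executable, arguments, is_quoted)."""
    value = value.strip()
    if value.startswith('"'):
        exe, _, rest = value[1:].partition('"')
        return exe, rest.strip(), True
    # Unquoted (heuristic): take everything up to the first ".exe" that ends a token.
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", value, re.IGNORECASE)
    if m:
        return m.group(1), (m.group(2) or "").strip(), False
    return value, "", False  # no .exe found (e.g. a driver path): keep it whole

def assess(sc_qc_text):
    """Flag an unquoted executable path containing spaces and build the quoted form."""
    f = parse_sc_qc(sc_qc_text)
    raw = f.get("BINARY_PATH_NAME", "")
    exe, args, quoted = split_image_path(raw)
    flagged = not quoted and " " in exe
    return {
        "service": f.get("SERVICE_NAME", ""),
        "runs_as_system": f.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "unquoted_with_spaces": flagged,
        "quoted_path": f'"{exe}" {args}'.strip() if flagged else raw,
    }

if __name__ == "__main__":
    for key, val in assess(SC_QC_OUTPUT).items():
        print(f"{key}: {val}")
```

A service whose path is already quoted, or whose executable path contains no spaces, is not flagged, so the same function can be run over the saved `sc qc` output of every service on a host.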