## https://sploitus.com/exploit?id=PACKETSTORM:178036
# Exploit Title: Terratec dmx_6fire USB - Unquoted Service Path  
# Google Dork: null  
# Date: 4/10/2024  
# Exploit Author: Joseph Kwabena Fiagbor  
# Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/  
# Software Link:  
# Version: v.1.23.0.02  
# Tested on: Windows 7-11  
# CVE : CVE-2024-31804  
  
1. Description:  
  
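The Terratec dmx_6fire USB software installs a service (ttdmx6firesvc) with an unquoted service path, and the service runs with SYSTEM privileges. Because the path contains a space and is not enclosed in quotes, Windows can interpret it ambiguously when starting the service. This could potentially allow an authorized but non-privileged local user to execute arbitrary code with elevated privileges on the system.  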
  
2. Proof  
  
> C:\Users\Astra>sc qc "ttdmx6firesvc"  
> [SC] QueryServiceConfig SUCCESS  
>  
> SERVICE_NAME: ttdmx6firesvc  
> TYPE : 10 WIN32_OWN_PROCESS  
> START_TYPE : 2 AUTO_START  
> ERROR_CONTROL : 1 NORMAL  
> BINARY_PATH_NAME : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service  
> LOAD_ORDER_GROUP : PlugPlay  
> TAG : 0  
> DISPLAY_NAME : DMX6Fire Control  
> DEPENDENCIES : eventlog  
> : PlugPlay  
> SERVICE_START_NAME : LocalSystem  
>  
>
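
A defensive check for the condition shown in the proof, as an added example that is not part of the original advisory: it parses `sc qc` output (sample trimmed from the proof above), flags an unquoted image path that contains a space, and produces the quoted form. The function names and the `.exe`-boundary heuristic used to separate arguments are assumptions of this example.

```python
import re

# Sample input: `sc qc` output trimmed from the proof in this advisory.
SC_QC_OUTPUT = r"""
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ttdmx6firesvc
        START_TYPE         : 2   AUTO_START
        BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
        DEPENDENCIES       : eventlog
                           : PlugPlay
        SERVICE_START_NAME : LocalSystem
"""

def parse_sc_qc(text):
    """Parse `sc qc` output into a dict; key-less ': value' lines continue the previous key."""
    fields, last = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*([A-Z_]+)?\s*:\s*(.*?)\s*$", line)
        if not m:
            continue
        key, value = m.groups()
        if key:
            fields[key], last = value, key
        elif last:
            fields[last] += "\n" + value
    return fields

def split_image_path(binary_path):
    """Return (executable, arguments, was_quoted) for a BINARY_PATH_NAME value."""
    s = binary_path.strip()
    if s.startswith('"') and '"' in s[1:]:
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip(), True
    # Assumption: an unquoted image ends at the first ".exe" followed by
    # whitespace or end of string; anything after that is arguments.
    m = re.match(r"(.+?\.exe)(?:\s+(.*))?$", s, re.IGNORECASE)
    if m:
        return m.group(1), m.group(2) or "", False
    return s, "", False

def audit_service(sc_qc_text):
    """Flag an unquoted service path containing a space and give the quoted form."""
    f = parse_sc_qc(sc_qc_text)
    exe, args, quoted = split_image_path(f.get("BINARY_PATH_NAME", ""))
    return {
        "service": f.get("SERVICE_NAME"),
        "unquoted_with_space": (not quoted) and " " in exe,
        "runs_as_system": f.get("SERVICE_START_NAME", "").lower() == "localsystem",
        "fixed_path": f'"{exe}" {args}'.strip(),
    }
```

The `fixed_path` value is the quoted string the service's `ImagePath` should hold once the configuration is corrected.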