Terratec dmx_6fire USB - Unquoted Service Path - CVE-2024-31804

1. # Exploit Title:  Terratec dmx_6fire USB - Unquoted Service Path
2. # Google Dork: null
3. # Date: 4/10/2024
4. # Exploit Author: Joseph Kwabena Fiagbor
5. # Vendor Homepage: https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
6. # Software Link:
7. # Version: v.1.23.0.02
8. # Tested on: windows 7-11
9. # CVE : CVE-2024-31804
10.  
11. 1. Description:
12.  
13. The Terratec dmx_6fire usb installs as a service with an unquoted service
14. path running
15. with SYSTEM privileges.
16. This could potentially allow an authorized but non-privileged local
17. user to execute arbitrary code with elevated privileges on the system.
18.  
19. 2. Proof
20.  
21. > C:\Users\Astra>sc qc "ttdmx6firesvc"
22. > {SC] QueryServiceConfig SUCCESS
23. >
24. > SERVICE_NAME: ttdmx6firesvc
25. >         TYPE               : 10  WIN32_OWN_PROCESS
26. >         START_TYPE         : 2   AUTO_START
27. >         ERROR_CONTROL      : 1   NORMAL
28. >         BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
29. >         LOAD_ORDER_GROUP   : PlugPlay
30. >         TAG                : 0
31. >         DISPLAY_NAME       : DMX6Fire Control
32. >         DEPENDENCIES       : eventlog
33. >                            : PlugPlay
34. >         SERVICE_START_NAME : LocalSystem
35. >
36. >
37.