Terratec dmx_6fire USB - Unquoted Service Path

Terratec dmx_6fire USB — Unquoted Service Path (CVE-2024-31804)

Summary: The Terratec DMX6Fire USB driver/service (service name: ttdmx6firesvc) installs on Windows systems with an unquoted service path and runs as LocalSystem. This misconfiguration — tracked as CVE-2024-31804 — can permit a local, authorized but non‑privileged user to achieve privilege escalation if they can place an executable on the filesystem in a location that Windows will resolve before the legitimate service binary.

Key details

• Vulnerability type: Unquoted service path (privilege escalation risk)
• Affected product: Terratec DMX6Fire USB control software (example version: v.1.23.0.02)
• Service: ttdmx6firesvc (display name: DMX6Fire Control)
• Privileges: Service runs as LocalSystem
• CVE: CVE-2024-31804
• Date reported: 2024-04-10 (as reported by researcher)

What is an unquoted service path and why it matters

When Windows starts a service, it uses the service's configured ImagePath (binary path). If the path contains spaces and is not wrapped in quotes, the Windows service loader can interpret the path in parts. For example, an ImagePath of:

C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service

...if unquoted, might be parsed by the OS as attempting to run one of these in order:

• C:\Program.exe
• C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe

If an attacker can place a binary at an earlier parsed path (e.g., C:\Program.exe) and the service runs as SYSTEM, that binary would execute with elevated privileges. This class of vulnerability is well understood and commonly referred to as an "unquoted service path" privilege escalation.

Proof (example output)

The following sc qc output demonstrates the affected service configuration:

C:\Users\Astra>sc qc "ttdmx6firesvc"
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: ttdmx6firesvc
TYPE               : 10  WIN32_OWN_PROCESS
START_TYPE         : 2   AUTO_START
ERROR_CONTROL      : 1   NORMAL
BINARY_PATH_NAME   : C:\Program Files\TerraTec\DMX6FireUSB\ttdmx6firesvc.exe -service
LOAD_ORDER_GROUP   : PlugPlay
TAG                : 0
DISPLAY_NAME       : DMX6Fire Control
DEPENDENCIES       : eventlog : PlugPlay
SERVICE_START_NAME : LocalSystem

Note: This output shows an unquoted BINARY_PATH_NAME that includes spaces and the service is configured to start as LocalSystem.

Impact and risk

• Primary risk: local privilege escalation to SYSTEM on affected Windows hosts.
• Attacker model: requires local account access (any non‑privileged user who can write to a strategic filesystem location). Not remotely exploitable by itself.
• Damage potential: installation of persistent SYSTEM‑level backdoors, elevation of further lateral movement activities, or full system compromise.

Detection and scanning

Administrators should inventory services and detect any ImagePath entries that contain spaces but lack surrounding quotes. The following PowerShell example is a safe, defensive scanner to find unquoted service paths on a host:

# PowerShell: find services with unquoted ImagePath
Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\* |
  Where-Object {
    $path = $_.ImagePath
    -not [string]::IsNullOrEmpty($path) -and
    $path -match '\s' -and
    $path -notmatch '^\s*"'    # not already quoted
  } |
  Select-Object PSChildName, ImagePath

Explanation: This script enumerates service ImagePath values from the registry, filters for entries containing whitespace, and excludes those already wrapped in quotes. It returns the service key name and the associated ImagePath for review.

Additional detection tips

• Use endpoint management tools or vulnerability scanners that report unquoted service paths.
• Search for services configured to run as LocalSystem to prioritize remediation.
• Generate alerts for newly created services whose ImagePath contains spaces and is unquoted.

Remediation and mitigation

Primary remediation options (preferred order):

• Apply vendor patch or updated software: check Terratec for an updated DMX6Fire USB release that corrects the service installation. Vendor fixes are the safest and recommended approach.
• By configuration: quote the service ImagePath so Windows interprets it correctly.
• Restrict write permissions: ensure regular users cannot write to locations that could be interpreted by unquoted paths.
• Temporary mitigation: set the service to manual start until a patched version is available, if feasible for your environment.

Safe example: quoting the ImagePath via the registry (administrators only)

Before attempting any change: back up the registry and test in a lab. The example below shows how to safely read and update the ImagePath for remediation purposes only.

# PowerShell (remediation example) - run as Administrator
$svcName = 'ttdmx6firesvc'
$keyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$svcName"

# Read current ImagePath
$current = Get-ItemProperty -Path $keyPath -Name ImagePath
$current.ImagePath

# If it contains spaces and is not quoted, wrap it in quotes
if ($current.ImagePath -match '\s' -and $current.ImagePath -notmatch '^\s*"') {
  $newPath = '"' + $current.ImagePath + '"'
  Set-ItemProperty -Path $keyPath -Name ImagePath -Value $newPath
  Write-Output "ImagePath updated to: $newPath"
} else {
  Write-Output "No change needed (already quoted or no spaces)."
}

Explanation: This script reads the service ImagePath from the registry and, if necessary, wraps the whole value in quotes. It is intended for administrators who must remediate their managed systems. Always test on a non‑production system first and ensure the quoted value preserves any arguments (for example, ensure the command-line arguments remain after the quoted executable path).

Alternative: use the service installer or vendor-supplied tools

If the service was installed by an MSI or installer, re-running an updated installer from the vendor that fixes the ImagePath is recommended. If available, apply official hotfixes or a new driver package that addresses the unquoted path at install time.

Hardening recommendations

• Enforce least privilege for local accounts; reduce the number of accounts with write permissions to the filesystem roots and Program Files directories.
• Harden file system ACLs so standard users cannot create executables in high‑priority locations (e.g., C:\Program.exe, C:\Program Files\...).
• Regularly scan endpoints for configuration issues such as unquoted service paths, weak ACLs, and services running as LocalSystem.
• Maintain asset and software inventory to quickly identify systems running vulnerable versions.

Responsible disclosure and references

Reported by: Joseph Kwabena Fiagbor (report date: 2024-04-10). CVE identifier: CVE-2024-31804.

Item	Reference
Vendor page / download	https://dmx-6fire-24-96-controlpanel.software.informer.com/download/
CVE	CVE-2024-31804

Final notes for administrators

Unquoted service paths remain a common and avoidable misconfiguration. For the Terratec DMX6Fire USB service specifically, prioritize updating to a vendor-fixed package. If immediate patching isn't possible, use the defensive scanning and safe remediation steps above, restrict write access to key filesystem locations, and monitor services running as SYSTEM for unexpected changes.