Fortitude HTTP 1.0.4.0 Unquoted Service Path Elevation of Privilege
Description
Fortitude HTTP 1.0.4.0 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated privileges by exploiting the service binary path. Attackers can insert malicious executables in the system root path that execute with SYSTEM privileges during service startup or system reboot.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- Range: =1.0.4.0
Patches
Vulnerability mechanics
Root cause
"Unquoted service binary path allows Windows to misinterpret the path and execute an attacker-controlled file."
Attack vector
A local, non-privileged user can exploit the unquoted service path by placing a malicious executable in a directory that Windows will search before the real binary. Because the path `C:\Program Files\NetworkDLS\Fortitude HTTP\Bin\FortitudeSvc.exe` is not enclosed in quotes, Windows interprets each space as a separator and attempts to execute `C:\Program.exe`, then `C:\Program Files\NetworkDLS\Fortitude.exe`, and so on. An attacker who can write to a location earlier in the path (e.g., `C:\Program.exe`) can cause their payload to run with SYSTEM privileges when the service starts or the system reboots [ref_id=1].
Affected code
The vulnerable component is the Fortitude HTTP service (version 1.0.4.0) installed by Netgear Genie. The service binary path is `C:\Program Files\NetworkDLS\Fortitude HTTP\Bin\FortitudeSvc.exe /RunService`, which is unquoted and contains spaces.
What the fix does
The advisory does not include a patch. To remediate the vulnerability, the service binary path must be enclosed in quotation marks (e.g., `"C:\Program Files\NetworkDLS\Fortitude HTTP\Bin\FortitudeSvc.exe" /RunService`) so that Windows treats the entire string as a single path. Without a patch from the vendor, users should manually quote the service path or restrict write permissions on the directories in the path to prevent insertion of malicious executables.
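The two mitigations above (quote the path, or restrict write access on the directories involved) can be checked with a small audit routine. This is an added example, not code from the advisory or the vendor; the function names, the `.exe`-boundary heuristic and the two extra sample services are assumptions made for illustration.

```python
import ntpath
import re

# Constructed sample ImagePath values; the first is the path given on this page,
# the other two (service names and paths) are made up for contrast.
SAMPLES = {
    "Fortitude HTTP": r"C:\Program Files\NetworkDLS\Fortitude HTTP\Bin\FortitudeSvc.exe /RunService",
    "QuotedSvc": r'"C:\Program Files\Vendor\App\svc.exe" /RunService',
    "NoSpaceSvc": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

# Assumption: an unquoted executable ends at the first ".exe" followed by
# whitespace or end of string.
_EXE = re.compile(r"^(.*?\.exe)(?=\s|$)\s*(.*)$", re.IGNORECASE)


def split_image_path(image_path):
    """Return (executable, arguments, was_quoted) for a service ImagePath."""
    s = image_path.strip()
    if s.startswith('"') and '"' in s[1:]:
        end = s.index('"', 1)
        return s[1:end], s[end + 1:].strip(), True
    m = _EXE.match(s)
    if m:
        return m.group(1), m.group(2), False
    return s, "", False  # no .exe found: treat the whole string as the path


def audit_image_path(image_path):
    """Report whether the path is unquoted with spaces, and what to lock down."""
    exe, args, quoted = split_image_path(image_path)
    vulnerable = not quoted and " " in exe
    # Each space is a point where Windows may stop and try "<prefix>.exe".
    candidates = [exe[:i] + ".exe" for i, c in enumerate(exe) if c == " "] if vulnerable else []
    return {
        "vulnerable": vulnerable,
        "candidates": candidates,
        # Directories whose write ACLs matter while the path stays unquoted.
        "dirs_to_restrict": [ntpath.dirname(c) for c in candidates],
        "quoted_fix": f'"{exe}" {args}'.strip(),
    }


if __name__ == "__main__":
    for name, path in SAMPLES.items():
        r = audit_image_path(path)
        print(name, "VULNERABLE" if r["vulnerable"] else "ok", r["dirs_to_restrict"])
```

The `quoted_fix` value is the string to store as the service's binary path; `dirs_to_restrict` lists the directories where non-administrative write access should be verified until that change is made.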
Preconditions
- input: The attacker must have local access to the system and the ability to write a file to a directory that appears earlier in the unquoted service path (e.g., `C:\` or `C:\Program Files\NetworkDLS\`)
- config: The Fortitude HTTP service must be configured with an unquoted binary path and run with SYSTEM privileges
Reproduction
1. Open a command prompt and run `sc qc "Fortitude HTTP"` to confirm the unquoted service path.
2. Place a malicious executable named `Program.exe` in `C:\` or `Fortitude.exe` in `C:\Program Files\NetworkDLS\`.
3. Restart the service or reboot the system; the malicious executable will execute with SYSTEM privileges.
Generated on Jun 20, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- www.exploit-db.com/exploits/40461 (mitre, exploit)
- www.vulncheck.com/advisories/fortitude-http-unquoted-service-path-elevation-of-privilege (mitre, third-party-advisory)
- www.networkdls.com (mitre, product)
- www.networkdls.com/Software/View/Fortitude_HTTP (mitre, product)