GatewayGeo MapServer for Windows Privilege Escalation Vulnerability

A Dynamic-link Library Injection vulnerability has been identified in GatewayGeo MapServer for Windows, specifically in versions through 5. This vulnerability allows attackers to escalate privileges by injecting a crafted executable into the application's configuration file, 'ms4w.conf', which is located in the default installation directory. The MapServer service runs under the NT Authority/System account, enabling the execution of arbitrary code with high-level privileges.

Impact

Exploitation of this vulnerability leads to local privilege escalation, allowing a non-administrative user to execute code as the NT Authority/System.

Reproduction

To reproduce this vulnerability, first install GatewayGeo MapServer for Windows (MS4W) version 5. After installation, the 'ms4w.conf' file can be found in 'C:\ms4w'. This file is writable by all users. The MS4W service runs with NT Authority/System privileges. To exploit the vulnerability, create a malicious map file named 'CVE-2026-30478.map' and host it on a remote machine. This map file should be crafted to include a plugin layer that references a malicious dynamic-link library (DLL). Next, create a 32-bit DLL named 'CVE-2026-30478.dll', also hosted on a remote machine. This DLL should be programmed to execute arbitrary commands, such as creating a file on the attacker's system. Once both files are prepared and hosted, modify the 'ms4w.conf' file to include references to the malicious map file and DLL. Finally, call the map file through the MapServer CGI interface, which will trigger the execution of the injected DLL, resulting in code execution with elevated privileges.