CVE-2022-24051 - How a MariaDB CONNECT Storage Engine Format String Bug Allows Privilege Escalation

When most developers use MariaDB, they trust that SQL queries and engine plugins are secure by default. However, CVE-2022-24051 shattered this assumption for many users by revealing a dangerous privilege escalation flaw in the MariaDB CONNECT storage engine. In this long read, we’ll break down what this vulnerability is, how it works, why it’s serious, and how you (as an admin or developer) can protect your server.

What is CVE-2022-24051?

CVE-2022-24051 (also tracked as ZDI-CAN-16193) affects the CONNECT storage engine in MariaDB, a popular open-source database system. In plain English, it’s a bug that allows a user who is authenticated on MariaDB to run code with the privileges of the database server, by exploiting how the engine handles formatted strings in SQL queries.

> From MITRE

>> MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability: The CONNECT storage engine in MariaDB before 10.5.15 and 10.6.x before 10.6.7 improperly validates user-supplied input, allowing authenticated local users to perform privilege escalation and possibly execute arbitrary code.

MariaDB installations using the CONNECT storage engine.

- Default MariaDB installations usually do not have CONNECT enabled, but it is sometimes included by distributions or enabled for use cases involving foreign data or special table formats.

Where Did It All Go Wrong? (Technical Details)

The root issue arises from how the CONNECT engine processes certain table option arguments received via SQL. Specifically, a format string vulnerability exists—user input is handled as the format argument for functions like sprintf(), without proper sanitization.

The Exploitable Code

Let’s take a simplified look at the vulnerable code. Here’s an abstraction based on the MariaDB source tree around the reporting time (see: https://github.com/MariaDB/server/commit/c630d9):

// connect_engine.c (simplified)
char buffer[256];
...
// 'user_input' is a string provided by the table definition options
sprintf(buffer, user_input);

In this code, the user_input string—provided as part of a SQL statement—ends up as the *format specifier* for sprintf(). An attacker can supply special format string codes (like %x, %n, %s) that cause the server to read or write arbitrary memory locations.

How is it Triggered?

A user with permission to create CONNECT tables can craft a malicious table definition. Here’s a sample SQL statement that could trigger the bug (do not run on any production server!):

CREATE TABLE evil_table ENGINE=CONNECT TABLE_TYPE=CSV FILE_NAME='example.csv'
OPTION_LIST='... malicious format string ...';

Inside OPTION_LIST, a payload like %x%x%x%n would make the server behave unsafely.

What Can the Attacker Do?

- Read process memory: With certain format strings, the attack can leak stack data and other sensitive information.
- Write to arbitrary memory: With %n, the attack escalates—allowing writes to memory, which can be leveraged for code execution.
- Escalate database privileges: Ultimately, the attacker can run code as the MariaDB server user, which might be mysql or even root if the server is misconfigured.

Reproducing the Exploit

Warning: Only test on safe, disposable environments—never on a production box!

PoC SQL

CREATE TABLE hackme (
    id INT
)
ENGINE=CONNECT
TABLE_TYPE=CSV
FILE_NAME='data.csv'
OPTION_LIST='RECLEN=%x%x%x%x';

This causes the server to process the format string %x%x%x%x which does not match any legitimate value parsing, leading to undefined memory reads and possible crashes.

A more advanced attacker could try payloads involving %n for memory write, although exploitation for code execution typically needs extra work (e.g. targeting specific addresses).

Timeline and Patches

- Discovered: Trend Micro Zero Day Initiative

10.6.7

- MariaDB security advisory

Remediation:  
If you use CONNECT, *upgrade* ASAP to at least MariaDB 10.5.15, 10.6.7, or newer. Turn off the CONNECT engine if you don’t need it (see below).

References and Further Reading

- CVE-2022-24051 (MITRE)
- MariaDB Security Advisory MDB-2022-0325
- ZDI-22-259 Advisory
- Commit fixing vulnerability
- Connect Storage Engine Documentation

Conclusion

CVE-2022-24051 is a powerful reminder that even mature, open-source software can have dangerous flaws hiding in complex code. If you rely on MariaDB, keep it patched, restrict risky plugins, and always audit who gets local or table-creation privileges. Format string vulnerabilities are an old adversary—but still appear when input handling is overlooked.

Stay safe. And remember: Not all storage engines are created equal!

Timeline

Published on: 02/18/2022 20:15:00 UTC
Last modified on: 06/30/2022 19:42:00 UTC