Full Report
Many point-of-sale (POS) devices are moving to Android-based systems instead of obscure custom-made ones. The authors of this post decided to review the PAX POS system for vulnerabilities. In part 1 of the post they went through mechanisms an attacker with local access could use to backdoor the device.

In fastboot, the hidden custom command `oem paxassert` can be used to overwrite the `pax1` partition. This is a special partition that contains no filesystem; it is a configuration map, and some values from this map are used as kernel parameters. From this, it is possible to inject our own kernel parameters and get root with a custom rootfs. For more information on the technique, they linked Aleph Security's untethered initroot write-up. The unsigned partition `exsn` also has its contents concatenated onto the kernel parameters, so by flashing this partition it is possible to get code execution using the same technique as before. In practice, adding spaces is enough to escape the current parameter and append arbitrary ones.

Within one of the Android apps there is a command injection issue. It checks whether the command starts with `dumpsysx`; however, simply appending a semicolon after that prefix allows arbitrary commands to be executed afterwards. The PoC is done via ADB, so I don't know how exploitable this actually is.

`systool_server` is a daemon exposed via Android Binder with root privileges. It exposes miniunz, where an attacker can add an arbitrary number of flags as well as the input/output directory. Using this together with symbolic links, it is possible to get an arbitrary file write primitive, since it is running as root. `systool_server` performs multiple checks verifying the UID to ensure only specific users can call this API; however, these can be bypassed with LD_PRELOAD. Honestly, I don't understand HOW this bypass works, but that's what they claim. The final issue is a downgrade attack to an older signed, vulnerable version.
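As an added illustration (constructed here, not code from the PAX firmware or from the researchers' post), the following C model shows why a space inside a configuration-partition value is enough to inject kernel parameters: a bootloader-style routine glues the value from the partition onto the command line as a single `key=value` token, and a hardened variant refuses any value outside a tight character allow-list before it ever reaches the command line. The `androidboot.serialno` key, the base command line and the `androidboot.selinux=permissive` payload are assumptions chosen for readability; they are not the actual PAX keys or the payload used in the original research.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not PAX's bootloader code: models a bootloader that
 * reads a device-specific value from a configuration partition (pax1/exsn in
 * the write-up) and appends it to the kernel command line as one parameter. */

#define CMDLINE_MAX 512

/* Vulnerable variant: the value is copied verbatim. A space inside it ends the
 * androidboot.serialno= token, and everything after the space is parsed by the
 * kernel and init as further parameters. */
int build_cmdline_vulnerable(char *out, size_t outsz, const char *base, const char *serial) {
    int n = snprintf(out, outsz, "%s androidboot.serialno=%s", base, serial);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened variant: a partition value may only contain characters from an
 * allow-list (assumed here: alphanumerics, '-' and '_'), so it can never
 * terminate the token it is embedded in. */
bool value_is_clean(const char *v, size_t maxlen) {
    size_t len = strlen(v);
    if (len == 0 || len > maxlen) return false;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)v[i];
        if (!(isalnum(c) || c == '-' || c == '_')) return false;
    }
    return true;
}

int build_cmdline_hardened(char *out, size_t outsz, const char *base, const char *serial) {
    if (!value_is_clean(serial, 32)) return -1;   /* refuse to boot with a tainted value */
    return build_cmdline_vulnerable(out, outsz, base, serial);
}

/* Returns true if the finished command line contains a parameter starting
 * with key_eq (e.g. "androidboot.selinux="), i.e. whether injection worked. */
bool cmdline_has_param(const char *cmdline, const char *key_eq) {
    if (strncmp(cmdline, key_eq, strlen(key_eq)) == 0) return true;
    char needle[96];
    snprintf(needle, sizeof needle, " %s", key_eq);
    return strstr(cmdline, needle) != NULL;
}

int main(void) {
    char buf[CMDLINE_MAX];
    const char *base = "console=ttyMSM0,115200n8 androidboot.hardware=qcom";
    /* Attacker-written partition value: a plausible serial, then a space and an
     * extra parameter. androidboot.selinux=permissive is only a recognisable
     * illustration; the researchers' real payload is not reproduced here. */
    const char *hostile = "PAX0001234 androidboot.selinux=permissive";

    build_cmdline_vulnerable(buf, sizeof buf, base, hostile);
    printf("vulnerable: %s\n", buf);
    printf("selinux parameter injected: %s\n",
           cmdline_has_param(buf, "androidboot.selinux=") ? "yes" : "no");

    int rc = build_cmdline_hardened(buf, sizeof buf, base, hostile);
    printf("hardened:   %s\n", rc == 0 ? buf : "rejected tainted partition value");
    return 0;
}
```

The same shape applies to the `exsn` partition: whatever is concatenated onto the command line must be validated against the grammar of a single token, not merely length-checked, and signing the partition closes the second path (flashing it) entirely.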
TBH, being able to downgrade is a very common thing for functionality. For instance, what if the version you have doesn't work and you want to go backwards? Not a trivial thing to fix. Overall, many of these attacks were interesting! Backdooring a device like this could be used to steal sensitive card information. Additionally, there is one CVE that is still undisclosed; I'm curious to see what it is later!
Analysis Summary
# Vulnerability: Multiple Privilege Escalation and Bootloader Flaws in PAX POS Devices
## CVE Details
- **CVE ID:** CVE-2023-42134, CVE-2023-4818, CVE-2023-42135, CVE-2023-42136 (CVE-2023-42133 Reserved)
- **CVSS Score:** 7.3 - 7.6 (High)
- **CWE:** CWE-78 (OS Command Injection), CWE-20 (Improper Input Validation), CWE-754 (Improper Check for Unusual or Exceptional Conditions)
## Affected Systems
- **Products:** PAX Technology Point of Sale (POS) Terminals
- **Models:** A920, A920Pro, A50, A77
- **Versions:**
- PayDroid 8.1.0_Sagittarius_11.1.50_20230314 (and prior)
- PayDroid 7.1.2_Aquarius_11.1.50_20230614 (and prior)
- **Configurations:** Devices with accessible USB ports and Fastboot mode enabled.
## Vulnerability Description
Research identified several flaws in the PayDroid implementation:
1. **Bootloader Command Injection (CVE-2023-42134):** A hidden Fastboot command `oem paxassert` allows overwriting the `pax1` configuration partition. Because this partition's values are appended to kernel parameters without sanitization, attackers can inject arbitrary parameters to gain root access.
2. **Unsigned Partition Injection (CVE-2023-42135):** The `exsn` partition is unsigned and its content is concatenated to kernel parameters. Flashing this partition allows for kernel parameter injection.
3. **Bootloader Downgrade (CVE-2023-4818):** Improper tokenization of partition names (e.g., using `aboot:`) bypasses version checks, allowing an attacker to flash older, vulnerable, but signed bootloader images.
4. **Command Injection (CVE-2023-42136):** An Android application checks if commands start with `dumpsysx` but fails to sanitize subsequent characters, allowing arbitrary command execution via a semicolon (`;`).
5. **Arbitrary File Write (systool_server):** The `systool_server` daemon (running as root) exposes a `miniunz` (unzip) function through Binder. Attackers can use symbolic links and arbitrary flags to achieve an arbitrary file write primitive.
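Item 4 above turns on a prefix check. As an added example (constructed here, not the PAX app's code), the C below places that gate beside one that tokenizes the request into an `argv` for `execv()` and never involves a shell. The program name `dumpsysx` comes from the write-up; the allowed argument character set and the `/system/bin/sh -c` dispatch line are assumptions about how such a gate is typically wired.

```c
#define _GNU_SOURCE
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example, not the PAX app's code: the privileged side accepts a
 * request string if it begins with "dumpsysx" and hands the whole string to a
 * shell. The hardened gate below builds an argv for execv() instead. */

#define MAX_ARGS 8
#define MAX_CMD 256
static const char *ALLOWED_PROGRAM = "dumpsysx";

/* Vulnerable gate: a prefix test constrains only the first eight bytes.
 * "dumpsysx; id" and "dumpsysxanything" both pass. */
bool vulnerable_gate(const char *cmd) {
    return strncmp(cmd, ALLOWED_PROGRAM, strlen(ALLOWED_PROGRAM)) == 0;
}

/* The line the vulnerable code would hand to the shell. Built here but never
 * executed; under sh -c the characters ';', '|', '&&' and $(...) are all
 * interpreted, which is the injection. */
void vulnerable_shell_line(const char *cmd, char *out, size_t outsz) {
    snprintf(out, outsz, "/system/bin/sh -c \"%s\"", cmd);
}

/* Assumed safe character set for arguments: alphanumerics, '-', '_', '.'. */
static bool arg_is_clean(const char *a) {
    for (; *a; a++) {
        unsigned char c = (unsigned char)*a;
        if (!(isalnum(c) || c == '-' || c == '_' || c == '.')) return false;
    }
    return true;
}

/* Hardened gate: split on whitespace, require argv[0] to equal the allowed
 * program exactly (no prefix match), and require every argument to be clean.
 * Returns argc with argv[argc] == NULL ready for execv(), or -1 on rejection.
 * scratch must outlive argv, because argv points into it. */
int hardened_parse(const char *cmd, char *argv[], int max_args, char *scratch, size_t scratchsz) {
    if (strlen(cmd) >= scratchsz) return -1;
    strcpy(scratch, cmd);
    int argc = 0;
    char *save = NULL;
    for (char *tok = strtok_r(scratch, " \t", &save); tok; tok = strtok_r(NULL, " \t", &save)) {
        if (argc >= max_args - 1 || !arg_is_clean(tok)) return -1;
        argv[argc++] = tok;
    }
    if (argc == 0 || strcmp(argv[0], ALLOWED_PROGRAM) != 0) return -1;
    argv[argc] = NULL;
    return argc;
}

int main(void) {
    /* Constructed requests: one legitimate, three hostile. */
    const char *inputs[] = { "dumpsysx battery", "dumpsysx; id", "dumpsysxevil", "dumpsysx $(id)" };
    char line[MAX_CMD + 32], scratch[MAX_CMD], *argv[MAX_ARGS];
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        vulnerable_shell_line(inputs[i], line, sizeof line);
        int argc = hardened_parse(inputs[i], argv, MAX_ARGS, scratch, sizeof scratch);
        printf("%-18s vulnerable gate: %s   hardened gate: %s\n", inputs[i],
               vulnerable_gate(inputs[i]) ? "accept" : "reject",
               argc < 0 ? "reject" : "accept");
        if (vulnerable_gate(inputs[i])) printf("    shell would run: %s\n", line);
    }
    return 0;
}
```

Two properties do the work: the hardened path compares `argv[0]` for equality rather than as a prefix, and the result is only ever meant for `execv()`, so even a metacharacter that slipped past the allow-list would have no shell to interpret it.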
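For item 5, the following is an added example (constructed here; it is not `systool_server` or `miniunz` code) of the symbolic-link trick behind the file-write primitive and the check that defeats it. The daemon-side routine `unsafe_write` opens `<outdir>/<name>` with a plain `open()`, so a caller who points `outdir` at a symlink it planted gets the file written wherever the link resolves, with the daemon's root privileges. `safe_write` resolves the directory with `realpath()`, requires it to sit under a fixed extraction root, rejects entry names containing `/`, and opens the final component with `O_NOFOLLOW|O_EXCL`. The demo builds the whole scenario under `/tmp` so it runs unprivileged; the directory and entry names are assumptions.

```c
#define _GNU_SOURCE
#include <fcntl.h>
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed example modelling the write primitive: a root daemon extracts an
 * archive entry into a caller-chosen directory. If that directory is a symlink
 * the caller created, the write lands wherever the link points. */

/* Vulnerable: trusts the caller's directory. open() follows symlinks. */
int unsafe_write(const char *outdir, const char *name, const char *data) {
    char path[PATH_MAX];
    snprintf(path, sizeof path, "%s/%s", outdir, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Hardened: resolve both the trusted root and the requested directory, insist
 * the latter is the root or inside it, keep entry names flat, and refuse to
 * follow a symlink in the final component. */
int safe_write(const char *base, const char *outdir, const char *name, const char *data) {
    char base_real[PATH_MAX], dir_real[PATH_MAX], path[PATH_MAX];
    if (!realpath(base, base_real) || !realpath(outdir, dir_real)) return -1;
    size_t bl = strlen(base_real);
    if (strncmp(dir_real, base_real, bl) != 0 || (dir_real[bl] != '\0' && dir_real[bl] != '/')) return -1;
    if (strchr(name, '/') || strcmp(name, "..") == 0 || strcmp(name, ".") == 0) return -1;
    snprintf(path, sizeof path, "%s/%s", dir_real, name);
    int fd = open(path, O_WRONLY | O_CREAT | O_EXCL | O_NOFOLLOW, 0644);
    if (fd < 0) return -1;
    ssize_t n = write(fd, data, strlen(data));
    close(fd);
    return n < 0 ? -1 : 0;
}

/* Scenario: base/ is the trusted extraction root, victim/ stands in for a
 * directory the attacker wants to write into, and base/out -> victim is the
 * planted link. Returns 0 when the vulnerable routine writes into victim/ and
 * the hardened one refuses while still allowing a legitimate write, else -1. */
int run_demo(void) {
    char base[] = "/tmp/zipbaseXXXXXX", victim[] = "/tmp/zipvictimXXXXXX";
    if (!mkdtemp(base) || !mkdtemp(victim)) return -1;
    char link[PATH_MAX], landed[PATH_MAX], legit[PATH_MAX];
    snprintf(link, sizeof link, "%s/out", base);
    snprintf(landed, sizeof landed, "%s/entry.txt", victim);
    snprintf(legit, sizeof legit, "%s/entry.txt", base);
    if (symlink(victim, link) != 0) return -1;

    int rc = -1;
    struct stat st;
    if (unsafe_write(link, "entry.txt", "pwned\n") == 0 && stat(landed, &st) == 0  /* escaped root */
        && safe_write(base, link, "entry.txt", "pwned\n") == -1                     /* link refused */
        && safe_write(base, base, "entry.txt", "ok\n") == 0)                          /* legit write */
        rc = 0;

    unlink(landed); unlink(legit); unlink(link); rmdir(base); rmdir(victim);
    return rc;
}

int main(void) {
    printf("symlink demo: %s\n", run_demo() == 0
           ? "vulnerable path escaped the root, hardened path refused"
           : "unexpected result or setup failure");
    return 0;
}
```

The `realpath()` check still leaves a window between resolution and `open()`; a daemon that must extract into caller-supplied directories should walk the path with `openat()` and `O_NOFOLLOW` per component, and a Binder service running as root should not be taking an output directory or free-form flags from an unprivileged client in the first place.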
## Exploitation
- **Status:** PoC available.
- **Complexity:** Medium (Requires knowledge of Android internals and Fastboot).
- **Attack Vector:** Physical (Most exploits require USB access to interface with Fastboot or ADB).
## Impact
- **Confidentiality:** High (Access to sensitive transaction data or system files).
- **Integrity:** High (Ability to modify transaction amounts sent to the Secure Processor or backdoor the OS).
- **Availability:** High (Potential to brick the device or disable security features like SELinux).
## Remediation
### Patches
PAX has released firmware updates to address these issues. Users should update to at least:
- **A920Pro/A50/A77:** PayDroid 8.1.0_Sagittarius_V02.9.99T9_20230919
- **A920:** PayDroid 7.1.2_Aquarius_V02.9.99T9_20230919
### Workarounds
- Restrict physical access to USB ports on POS terminals.
- Disable ADB (Android Debug Bridge) in production environments.
- Monitor for unauthorized reboots into Fastboot mode.
## Detection
- **Indicators of Compromise:** Presence of unexpected files in `/data/local/tmp`, modified kernel parameters in `/proc/cmdline`, or downgraded bootloader versions.
- **Detection Methods:** Security auditing of Binder transactions and monitoring for `oem`-specific fastboot commands sent over USB.
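The `/proc/cmdline` indicator above is easy to check fleet-wide. As an added example (constructed here, not tooling from PAX or the researchers), the C below parses a command line into parameters and reports any whose key is missing from a baseline recorded on a known-good terminal. The baseline keys and the sample command line are assumptions; on a real device the input would be read from `/proc/cmdline`.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed example: audit a /proc/cmdline-style string against a baseline
 * of keys a known-good device of this build is expected to boot with. Any key
 * outside the baseline is reported, which catches injected parameters such as
 * init= or androidboot.selinux= regardless of their value. */

#define MAX_KEY 64

/* Assumed baseline for illustration, not PAX's real command line. */
static const char *const BASELINE_KEYS[] = {
    "console", "androidboot.hardware", "androidboot.serialno", "androidboot.bootdevice",
};
#define NBASELINE (sizeof BASELINE_KEYS / sizeof BASELINE_KEYS[0])

static bool in_baseline(const char *key) {
    for (size_t i = 0; i < NBASELINE; i++)
        if (strcmp(key, BASELINE_KEYS[i]) == 0) return true;
    return false;
}

/* Walks the command line token by token (space-separated; the key is the part
 * before the first '='). Copies each key not in the baseline into found[] (up
 * to maxfound) and returns the total count, or -1 if a key exceeds MAX_KEY. */
int find_unexpected_params(const char *cmdline, char found[][MAX_KEY], int maxfound) {
    int n = 0;
    const char *p = cmdline;
    while (*p) {
        while (*p == ' ' || *p == '\n') p++;
        if (!*p) break;
        const char *end = p;
        while (*end && *end != ' ' && *end != '\n') end++;
        const char *eq = memchr(p, '=', (size_t)(end - p));
        size_t klen = (size_t)((eq ? eq : end) - p);
        if (klen >= MAX_KEY) return -1;
        char key[MAX_KEY];
        memcpy(key, p, klen);
        key[klen] = '\0';
        if (!in_baseline(key)) {
            if (n < maxfound) memcpy(found[n], key, klen + 1);
            n++;
        }
        p = end;
    }
    return n;
}

int main(void) {
    /* Constructed sample: a baseline-looking prefix followed by two parameters
     * that would indicate a backdoored boot. The init= path is illustrative. */
    const char *sample = "console=ttyMSM0,115200n8 androidboot.hardware=qcom "
                         "androidboot.serialno=PAX0001234 androidboot.selinux=permissive "
                         "init=/data/local/tmp/init\n";
    char found[8][MAX_KEY];
    int n = find_unexpected_params(sample, found, 8);
    printf("%d unexpected kernel parameter(s)\n", n);
    for (int i = 0; i < n && i < 8; i++) printf("  %s\n", found[i]);
    return 0;
}
```

Keying on parameter names rather than exact values keeps the baseline stable across devices with different serial numbers while still flagging anything the bootloader was never meant to pass.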
## References
- Vendor: hxxps://www[.]paxtechnology[.]com/
- Researcher: hxxps://blog[.]stmcyber[.]com/pax-pos-cves-2023/
- CERT PL: hxxps://cert[.]pl/en/posts/2024/01/CVE-2023-4818/
- Technique Reference: hxxps://alephsecurity[.]com/2017/08/30/untethered-initroot/