I bought sour cream and lost my salary: Polish hackers learned how to manipulate PoS terminal transactions

6 vulnerabilities in PAX hardware at once give attackers full carte blanche for fraud.

A group of researchers from the Polish company STM Cyber has discovered serious vulnerabilities in payment terminals manufactured by the Chinese company PAX. By exploiting them, cybercriminals can execute arbitrary code on PoS terminals.

The experts reverse-engineered the Android-based devices to investigate their security, prompted by how rapidly the devices are spreading across Poland. During this process, they identified as many as six critical flaws, which we will discuss in more detail later.

Information about one of the vulnerabilities (CVE-2023-42133) has not yet been disclosed as a precaution. The rest are the following:
  • CVE-2023-42134 and CVE-2023-42135 (CVSS 7.6) - local code execution with root privileges via kernel parameter injection in fastboot (affects PAX A920Pro/PAX A50).
  • CVE-2023-42136 (CVSS 8.8) - privilege escalation from any user/application to the system user via the binder service (affects all PAX PoS devices based on Android).
  • CVE-2023-42137 (CVSS 8.8) - privilege escalation from the system user to root via unsafe operations in the systool_server daemon (affects all PAX PoS devices based on Android).
  • CVE-2023-4818 (CVSS 7.3) - bootloader version downgrade due to incorrect tokenization (affects PAX A920).

Successful exploitation of these vulnerabilities allows attackers to escalate their privileges to root and bypass the sandbox protection, effectively gaining unlimited access to perform any operation.

The list of malicious actions includes interfering with payment transactions to "change the data that a merchant application sends to a secure processor, including the transaction amount," noted security researchers Adam Kliś and Hubert Jasudowicz.

It is worth noting that to exploit CVE-2023-42136 and CVE-2023-42137, an attacker needs access to the device's shell, while the other three require physical access to the device's USB port.

STM Cyber researchers uncovered the vulnerabilities in PAX Technology's devices in early May 2023, and in November PAX released patches that address these security flaws.