The Android-based PoS (point-of-sale) terminals from PAX Technology are affected by a series of vulnerabilities that can be exploited to execute arbitrary code or commands, penetration testing firm STM Cyber reports.
Headquartered in China, PAX manufactures payment terminals, PIN pads, and PoS hardware and software, which are sold globally. The PoS devices from PAX run on PayDroid, which is based on Android.
According to STM Cyber, while sandboxing prevents applications on the terminal from interacting with one another, an attacker with root access could tamper with any application, including the payment process.
Although the attacker would not be able to access decrypted payment information, they could modify the transaction amount and other related data, explains STM Cyber, which identified six vulnerabilities in the PAX PoS devices and published a technical report that also includes proof-of-concept (PoC) exploits.
Three of the issues, the firm says, can be exploited by attackers with physical USB access to the vulnerable device.
The first of the bugs, CVE-2023-4818, allows an attacker to downgrade the bootloader of PAX A920 devices to a previous, potentially vulnerable version. Signature checks, however, only allow the loading of bootloaders signed by PAX.
The second issue, CVE-2023-42134, allows an attacker to inject kernel arguments and execute arbitrary code with root privileges on any PAX PoS device. The bug can be exploited in fastboot mode by executing a hidden command to overwrite an unsigned partition.
Next in line is CVE-2023-42135, a similar kernel argument injection flaw leading to code execution by flashing a different unsigned partition. The issue impacts PAX A920Pro/A50 devices.
Impacting all PAX PoS terminals, two other vulnerabilities can be exploited by attackers with shell access to a vulnerable device to execute arbitrary commands, STM Cyber explains.
Tracked as CVE-2023-42136, the first of these bugs allows an attacker to inject shell commands that start with a specific word, bypassing existing checks and gaining ‘system’ privileges.
An attacker can exploit the second flaw, CVE-2023-42137, to overwrite arbitrary files and potentially elevate their privileges to system or root.
Details on the sixth security defect, which is tracked as CVE-2023-42133, have not been released.
STM Cyber reported the vulnerabilities to PAX in May 2023 and informed CERT Poland in August. PAX has released patches for all vulnerabilities.