Polish Hackers Manipulate POS Transactions, Cause Salary Losses

A group of researchers from the Polish company STM Cyber has discovered a serious vulnerability in payment terminals made by the Chinese company Pax. This vulnerability allows cybercriminals to execute arbitrary code on POS terminals.

The researchers used reverse engineering to investigate the security of these Android-based devices, motivated by their rapid deployment in Poland. Through this process, they uncovered six critical security flaws in the Pax payment terminals.

While one of the vulnerabilities, CVE-2023-42133, has not yet been disclosed, the other vulnerabilities are as follows:

  • CVE-2023-42134 and CVE-2023-42135: These vulnerabilities allow local code execution as root through kernel injection in fastboot, affecting the PAX A920PRO and PAX A50 devices.
  • CVE-2023-42136: This vulnerability allows privilege escalation from any user or application to the system user using the Binder service, impacting all Android-based PAX POS devices.
  • CVE-2023-42137: This vulnerability allows privilege escalation from the system user to root through unsafe operations in the Systool_Server daemon, affecting all Android-based PAX POS devices.
  • CVE-2023-4818: This vulnerability, which affects the PAX A920 device, is caused by improper tokenization, resulting in a decrease in security.

Successfully exploiting these vulnerabilities allows attackers to elevate their privileges to root, bypass sandbox protection, and gain unrestricted access to all operations.

According to the security researchers Adam Kliś and Hubert Jasudowicz, these malicious actions include interfering in payment operations by manipulating the data sent to the secure processor, such as the transaction amount.

It is important to note that CVE-2023-42136 and CVE-2023-42137 require shell access to the device for exploitation, while the other three vulnerabilities require physical USB access to the device.

STM Cyber researchers uncovered these vulnerabilities in Pax Technology's payment terminals in early May 2023. In November of the same year, Pax released patches to address these security flaws.
