A flaw in the PAX PoS terminal allows attackers to tamper with transactions


PAX Technology’s point-of-sale (PoS) terminals are affected by a collection of high-severity vulnerabilities that could be weaponized by threat actors to execute arbitrary code.

The STM Cyber R&D team, which reverse engineered the Chinese company's Android-based devices because of their rapid deployment in Poland, said it uncovered half a dozen flaws that allow privilege escalation and local code execution from the bootloader.

Details about one of the vulnerabilities (CVE-2023-42133) are currently being withheld. The other flaws are listed below:

  • CVE-2023-42134 and CVE-2023-42135 (CVSS score: 7.6) – Local code execution as root via kernel parameter injection in fastboot (impacts PAX A920Pro/PAX A50)
  • CVE-2023-42136 (CVSS score: 8.8) – Escalation of privileges from any user/application to system user via shell injection in a binder-exposed service (impacts all Android-based PAX PoS devices)
  • CVE-2023-42137 (CVSS score: 8.8) – Escalation of privileges from system/shell user to root via unsafe operations in the systool_server daemon (impacts all Android-based PAX PoS devices)
  • CVE-2023-4818 (CVSS score: 7.3) – Bootloader downgrade via incorrect tokenization (impacts PAX A920)

Successful exploitation of the above vulnerabilities could allow an attacker to escalate their privileges to root and bypass sandbox protections, essentially giving them carte blanche access to perform any operation.

This includes interfering with payment transactions to “alter data sent by the merchant application to the [Secure Processor] including the transaction amount,” said security researchers Adam Kliś and Hubert Jasudowicz.

It is worth noting that exploiting CVE-2023-42136 and CVE-2023-42137 requires an attacker to have shell access to the device, while the remaining three require the threat actor to have physical USB access to it.

The Warsaw-based penetration testing company said it responsibly disclosed the flaws to PAX Technology in early May 2023, with patches released by the latter in November 2023.
