PAX Paydroid Vulnerabilities Advisory 2022

Summary

This advisory presents the results of vulnerability research conducted on PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 running on the PAX A930 terminal. Four vulnerabilities were identified (CVE-2022-26579, CVE-2022-26580, CVE-2022-26581, CVE-2022-26582).

The impact of these vulnerabilities ranges from unauthorized command execution to privilege escalation and signature-check bypass. An attacker who chains them can gain command execution as root and install unsigned applications (for example, a credit card sniffer) on a POS terminal in production mode.

Exploit Chain Showcase

Vulnerabilities

Application Signature Verification Bypass

CVE ID: CVE-2022-26579

CVSS Score: 7.9 (AV:L/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:N)

Category: CWE-345: Insufficient Verification of Data Authenticity

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow a root-privileged attacker to install unsigned packages. The attacker must have shell access to the device and gain root privileges in order to exploit this vulnerability.

Command Injection in ADB Daemon

CVE ID: CVE-2022-26580

CVSS Score: 4.3 (AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)

Category: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow command injection through specific binaries exposed by the ADB daemon's shell service. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Multiple Unauthorized Backdoor Functionalities in ADB Daemon

CVE ID: CVE-2022-26581

CVSS Score: 3.5 (AV:P/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L)

Category: CWE-912: Hidden Functionality, CWE-862: Missing Authorization

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an unauthorized attacker to perform privileged actions by executing specific binaries listed in the ADB daemon. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Privilege Escalation Through Command Injection in Systool Client

CVE ID: CVE-2022-26582

CVSS Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Category: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)

PAX A930 device with PayDroid_7.1.1_Virgo_V04.3.26T1_20210419 can allow an attacker to gain root access through command injection in the systool client. The attacker must have shell access to the device in order to exploit this vulnerability.
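The two command-injection findings above (CVE-2022-26580 in the ADB daemon shell service and CVE-2022-26582 in the systool client) share the CWE-78 pattern: a privileged component accepts a caller-supplied string and passes it, unneutralized, into an OS command. The C program below is an added illustration of that pattern and of the fix; it is not code from PayDroid, adbd or systool, and the allow-listed binaries (/bin/echo, /bin/true), the argument character set and the sample inputs are assumptions made for the example. It models a service that only lets callers run allow-listed binaries and shows why an allow-list on the binary name alone is not enough when the arguments still reach /bin/sh.

```c
/* Added illustration of the CWE-78 pattern behind CVE-2022-26580 and
 * CVE-2022-26582. Hypothetical code: not taken from PayDroid, adbd or
 * systool. It models a privileged "shell service" that only lets callers
 * invoke a small set of allow-listed binaries. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

#define MAX_ARGS 16

/* Assumed allow-list of tools the service may run on behalf of a caller. */
static const char *const ALLOWED[] = { "/bin/echo", "/bin/true", NULL };

/* Map a bare tool name ("echo") to its allow-listed full path, or NULL. */
static const char *lookup_binary(const char *name) {
    for (int i = 0; ALLOWED[i]; i++) {
        const char *base = strrchr(ALLOWED[i], '/') + 1;
        if (strcmp(base, name) == 0) return ALLOWED[i];
    }
    return NULL;
}

/* VULNERABLE: builds one command line and would hand it to the shell.
 * The binary is allow-listed, but the caller-controlled argument string is
 * interpolated verbatim, so "; id" or "$(id)" runs extra commands with the
 * service's privileges. Only builds the string system() would see; the
 * real system() call is left out so the example is safe to run. */
int vuln_build_command(const char *name, const char *args,
                       char *out, size_t outlen) {
    const char *bin = lookup_binary(name);
    if (!bin) return -1;
    snprintf(out, outlen, "%s %s", bin, args);   /* injection point */
    return 0;   /* a real service would now call system(out) */
}

/* Accept only a conservative character set. Shell metacharacters
 * (; | & $ ` ( ) < > newline, quotes, backslash, whitespace) are rejected,
 * so even if a downstream component does use a shell the argument cannot
 * change the command structure. */
int is_safe_arg(const char *s) {
    if (*s == '\0') return 0;
    for (; *s; s++) {
        if (!(isalnum((unsigned char)*s) || strchr("._-/:=", *s))) return 0;
    }
    return 1;
}

/* HARDENED: no shell at all. The argument string is split on spaces into
 * an argv vector, every token is validated, and the allow-listed binary is
 * executed directly with execv(). Returns the child's exit status, or -1
 * if the request is rejected or the exec fails. */
int hardened_run(const char *name, const char *args) {
    const char *bin = lookup_binary(name);
    if (!bin) return -1;

    char buf[256];
    if (strlen(args) >= sizeof buf) return -1;
    strcpy(buf, args);

    char *argv[MAX_ARGS + 2];
    int argc = 0;
    argv[argc++] = (char *)bin;
    for (char *tok = strtok(buf, " "); tok; tok = strtok(NULL, " ")) {
        if (argc > MAX_ARGS || !is_safe_arg(tok)) return -1;
        argv[argc++] = tok;
    }
    argv[argc] = NULL;

    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execv(bin, argv);      /* argv[] reaches the program unchanged */
        _exit(127);
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void) {
    char cmd[256];
    /* Constructed attacker input: a benign argument followed by a payload. */
    const char *payload = "hello; id > /tmp/pwned";
    vuln_build_command("echo", payload, cmd, sizeof cmd);
    printf("vulnerable service would run: sh -c '%s'\n", cmd);
    printf("hardened service, same input: %d (rejected)\n",
           hardened_run("echo", payload));
    printf("hardened service, benign input: %d\n",
           hardened_run("echo", "device info"));
    return 0;
}
```

The important design choice is the combination: an allow-list of binaries, an allow-list of argument characters, and execv() with a fixed argv vector instead of a shell. Dropping any one of the three reopens the injection; in particular, validating the binary name while still concatenating into a `sh -c` string is exactly the mistake the vulnerable function demonstrates.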

Affected Systems and Mitigations

These vulnerabilities were discovered on a PAX A930 running PayDroid_7.1.1_Virgo_V04.3.26T1_20210419. However, they may affect other terminals and versions. Please refer to PAX Technology for clarification on vulnerable terminals and/or versions and their respective patched versions.

Disclosure Timeline

  • Discovery: November 01, 2021
  • Vendor Meeting: November 17, 2021
  • Patching: November 25, 2021 - January 09, 2022
  • Disclosure: December 12, 2022

Acknowledgement

Saif Aziz (@wr3nchsr) of CyShield

Disclaimer

CYSHIELD FOR TECHNOLOGY S.A.E (CYSHIELD) is keen to share its expertise widely and to enrich public knowledge by disseminating cyber security awareness. CYSHIELD relies on information provided by the vendor / product manufacturer when listing fixed versions, products or releases. CYSHIELD does not verify this information, except where specifically stipulated in the advisory text and contractually required, or explicitly agreed in written form by the vendor / product manufacturer. Unconfirmed vendor / product manufacturer fixes might be ineffective, incomplete, inaccurate or easy to bypass, and it is the vendor's / product manufacturer's liability to ensure that all vulnerabilities discovered by CYSHIELD are resolved properly. CYSHIELD accepts zero liability, financial or otherwise, for any material and consequential losses, loss of life or reputational loss arising from or as a result of misuse of the information or code contained or mentioned in its advisories. It is the vendor's / product manufacturer's liability, not CYSHIELD's, to ensure their products' security before, during and after release to market.