PAX Paydroid Vulnerabilities Advisory 2023
Summary
This advisory presents the results of vulnerability research conducted on PayDroid_7.1.1_Virgo_V04.5.02_20220722 running on the A930 terminal. Three vulnerabilities were identified (CVE-2023-27197, CVE-2023-27198, CVE-2023-27199). According to the vendor, CVE-2023-27197 and CVE-2023-27199 duplicated findings in another researcher’s report, which had not been assigned CVE IDs.
The impact of these vulnerabilities ranges from unauthorized command execution to privilege escalation. An attacker who is able to chain some of them can gain RCE as root on a production-mode POS.
Vulnerabilities
Privilege Escalation Using Exported Dangerous Function with Insufficient Checks
CVE ID: CVE-2023-27197
CVSS Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Category: CWE-749: Exposed Dangerous Method or Function
PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow an attacker to gain root access by running a crafted binary leveraging an exported function from a shared library. The attacker must have shell access to the device in order to exploit this vulnerability.
Command Execution Through ADB Daemon
CVE ID: CVE-2023-27198
CVSS Score: 4.3 (AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L)
Category: CWE-78: Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’)
PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow the execution of arbitrary commands by using the exec service and including a specific word in the command to be executed. The attacker must have physical USB access to the device in order to exploit this vulnerability.
Authorization Checks Bypass and Privilege Escalation With LD_PRELOAD
CVE ID: CVE-2023-27199
CVSS Score: 8.4 (AV:L/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Category: CWE-749: Exposed Dangerous Method or Function
PAX A930 device with PayDroid_7.1.1_Virgo_V04.5.02_20220722 can allow an attacker to compile a malicious shared library and use LD_PRELOAD to bypass authorization checks enforced by functions exported by shared libraries and/or gain root access by forcibly calling an exported function from a shared library. The attacker must have shell access to the device in order to exploit this vulnerability.
Affected Systems
These vulnerabilities were discovered on a PAX A930 running PayDroid_7.1.1_Virgo_V04.5.02_20220722. However, they may affect other terminals and versions. Please refer to PAX Technology for clarification on vulnerable terminals and/or versions and their respective patched versions.
Disclosure Timeline
- Discovery: August 25, 2022
- Reported to Vendor: September 22, 2022
- Patching: September 25, 2022 - March 2, 2023
- Disclosure: March 31, 2023
Acknowledgement
Saif Aziz (@wr3nchsr) of CyShield
Disclaimer
CYSHIELD FOR TECHNOLOGY S.A.E (CYSHIELD) is keen to share its expertise widely and to enrich public knowledge by disseminating cyber security culture and awareness. CYSHIELD relies on information provided by the vendor / product manufacturer when listing fixed versions, products or releases. CYSHIELD does not verify this information, except where specifically stipulated in the advisory text and contractually required or explicitly agreed in written form by the vendor / product manufacturer. Unconfirmed vendor / product manufacturer fixes might be ineffective, incomplete, inaccurate or easy to bypass, and it is the vendor’s / product manufacturer’s liability to ensure that all vulnerabilities discovered by CYSHIELD are resolved properly. CYSHIELD accepts zero liability, financial or otherwise, for any material or consequential losses, loss of life or reputational loss arising from or as a result of misuse of the information or code contained or mentioned in its advisories. It is the vendor’s / product manufacturer’s liability, not CYSHIELD’s, to ensure their products’ security before, during and after release to market.