Serious Flaws Found in Popular PAX Payment Terminals

A team of researchers from the Polish company STM Cyber uncovered serious vulnerabilities in payment terminals manufactured by the Chinese firm PAX. These vulnerabilities enable cybercriminals to execute arbitrary code on PoS terminals.

The experts employed reverse engineering to scrutinize the security of Android-based devices, given their rapid proliferation across Poland. During this analysis, they identified six critical flaws, which we will examine in greater detail.

Information about one of the vulnerabilities (CVE-2023-42133) is currently withheld as a precaution. The others are as follows:

  • CVE-2023-42134 and CVE-2023-42135 (CVSS 7.6) – Local execution of root-level code through kernel parameter injection in fastboot (affecting PAX A920Pro/PAX A50).
  • CVE-2023-42136 (CVSS 8.8) – Privilege escalation from any user/application to system user via the binder service (affecting all PAX PoS devices based on Android).
  • CVE-2023-42137 (CVSS 8.8) – Privilege escalation from system user to root through unsafe operations in the systool_server daemon (affecting all PAX PoS devices based on Android).
  • CVE-2023-4818 (CVSS 7.3) – Downgrading the bootloader due to incorrect tokenization (affecting PAX A920).
    Successful exploitation of these vulnerabilities allows attackers to elevate their privileges to root level and circumvent sandbox protection, effectively gaining unrestricted access to perform any operations.

The range of malicious activities includes tampering with payment transactions to “alter the data sent by the commercial application to the secure processor, including the transaction amount,” as noted by security researchers Adam Klish and Hubert Jasudowicz.

It’s important to note that exploiting CVE-2023-42136 and CVE-2023-42137 requires access to the device’s shell, while the remaining three necessitate physical access to the device’s USB port.

STM Cyber researchers disclosed these vulnerabilities to PAX Technology in early May 2023, and in November, PAX released patches to rectify these security shortcomings.