CVE-2023-42134

Name

Signed partition overwrite and subsequently local code execution as root via hidden bootloader command

CVSS score

7.6 (High)

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Product name

POS terminals PAX A920Pro / A50 / A77

Confirmed exploitable versions

PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or lower

Researcher

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Blog posts

https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42134

Description

By executing the hidden oem paxassert command in fastboot mode, it's possible to overwrite the unsigned pax1 partition. This results in injection of kernel arguments, resulting in arbitrary code execution. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Proof-of-concept

The Vulnerability writeup with a PoC can be found on the blog post:
https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42134

Timeline

07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
08-05-2023 - second attempt of contact with vendor (successful)
10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
09-10-2023 - further contact with PAX to fix found vulnerabilities
30-11-2023 - STM Cyber verifies patches
15-01-2024 - public release

References

https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42134