Research & Development
$ #


Signed partition overwrite and subsequently local code execution as root via hidden bootloader command

7.6 (High)


POS terminals PAX A920Pro / A50 / A77

PayDroid_8.1.0_Sagittarius_V11.1.45_20230314 or lower

Adam Kliƛ, Hubert Jasudowicz and other members of STM Cyber R&D

By executing the hidden oem paxassert command in fastboot mode, it's possible to overwrite the unsigned pax1 partition. This results in injection of kernel arguments, resulting in arbitrary code execution. The attacker must have physical USB access to the device in order to exploit this vulnerability.

The Vulnerability writeup with a PoC can be found on the blog post:

  • 07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
  • 08-05-2023 - second attempt of contact with vendor (successful)
  • 10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
  • 01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
  • 09-10-2023 - further contact with PAX to fix found vulnerabilities
  • 30-11-2023 - STM Cyber verifies patches
  • 15-01-2024 - public release