Research & Development
$ #


Local code execution as root via kernel parameter injection in fastboot

7.6 (High)


POS terminals PAX A920Pro / A50 / A77

PayDroid 8.1.0_Sagittarius_11.1.50_20230614 or lower

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Contents of an unsigned “partition” named exsn are concatenated to the kernel argument list. By flashing this exsn partition, it’s possible to inject arbitrary kernel arguments, resulting in arbitrary code execution. The attacker must have physical USB access to the device in order to exploit this vulnerability.

The Vulnerability writeup with a PoC can be found on the blog post:

  • 07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
  • 08-05-2023 - second attempt of contact with vendor (successful)
  • 10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
  • 01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
  • 09-10-2023 - further contact with PAX to fix found vulnerabilities
  • 30-11-2023 - STM Cyber verifies patches
  • 15-01-2024 - public release