CVE-2023-42135

Name

Local code execution as root via kernel parameter injection in fastboot

CVSS score

7.6 (High)

CVSS vector

CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Product name

POS terminals PAX A920Pro / A50 / A77

Confirmed exploitable versions

PayDroid 8.1.0_Sagittarius_11.1.50_20230614 or lower

Researcher

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Blog posts

https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42135

Description

Contents of an unsigned “partition” named exsn are concatenated to the kernel argument list. By flashing this exsn partition, it’s possible to inject arbitrary kernel arguments, resulting in arbitrary code execution. The attacker must have physical USB access to the device in order to exploit this vulnerability.

Proof-of-concept

The Vulnerability writeup with a PoC can be found on the blog post:
https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42135

Timeline

07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
08-05-2023 - second attempt of contact with vendor (successful)
10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
09-10-2023 - further contact with PAX to fix found vulnerabilities
30-11-2023 - STM Cyber verifies patches
15-01-2024 - public release

References

https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42135