CVE-2023-42136

Name

Privilege escalation from any user/application to system via shell injection binder-exposed service

CVSS score

8.8 (High)

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Product name

Android-based PAX POS devices

Confirmed exploitable versions

confirmed on PayDroid 11.1.50_20230614, all PayDroids before 20230718 can be affected

Researcher

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Blog posts

https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42136

Description

PayDroid service named PaxSmartDeviceServcie (typo intended) is vulnerable to shell injection, escalating any user to system account. The attacker must have any shell access to the device in order to exploit this vulnerability.

Proof-of-concept

The vulnerability writeup with a PoC can be found on the blog post:
https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42136

Timeline

07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
08-05-2023 - second attempt of contact with vendor (successful)
10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
09-10-2023 - further contact with PAX to fix found vulnerabilities
30-11-2023 - STM Cyber verifies patches
15-01-2024 - public release

References

https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42136