Research & Development
$ #


Privilege escalation from any user/application to system via shell injection binder-exposed service

8.8 (High)


Android-based PAX POS devices

confirmed on PayDroid 11.1.50_20230614, all PayDroids before 20230718 can be affected

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

PayDroid service named PaxSmartDeviceServcie (typo intended) is vulnerable to shell injection, escalating any user to system account. The attacker must have any shell access to the device in order to exploit this vulnerability.

The vulnerability writeup with a PoC can be found on the blog post:

  • 07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
  • 08-05-2023 - second attempt of contact with vendor (successful)
  • 10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
  • 01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
  • 09-10-2023 - further contact with PAX to fix found vulnerabilities
  • 30-11-2023 - STM Cyber verifies patches
  • 15-01-2024 - public release