CVE-2023-42137

Name

Privilege escalation from system/shell user to root via insecure systool_server daemon

CVSS score

8.8 (High)

CVSS vector

CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H

Product name

Android-based PAX POS devices

Confirmed exploitable versions

confirmed on PayDroid 11.1.50_20230614, all PayDroids before 20230718 can be affected

Researcher

Adam Kliś, Hubert Jasudowicz and other members of STM Cyber R&D

Blog posts

https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42137

Description

systool_server is a PayDroid system system daemon exposed via binder IPC, running with root privileges. It exposes an API for execution of miniunz command with user-controlled directories. An attacker can inject an arbitrary amount of parameters, including additional command flags. Furthermore, given that the attacker has control over both the source directory and the destination directory (/tmp), they can manipulate this situation by crafting malicious symbolic links within the /tmp directory. This allows the attacker to overwrite arbitrary files, potentially leading to the escalation of privileges.

The attacker must have shell access to the device in order to exploit this vulnerability.

Proof-of-concept

The vulnerability writeup with a PoC can be found on the blog post:
https://blog.stmcyber.com/pax-pos-cves-2023#CVE-2023-42137

Timeline

07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
08-05-2023 - second attempt of contact with vendor (successful)
10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
09-10-2023 - further contact with PAX to fix found vulnerabilities
30-11-2023 - STM Cyber verifies patches
15-01-2024 - public release

References

https://blog.stmcyber.com/pax-pos-cves-2023/
https://cert.pl/en/posts/2024/01/CVE-2023-4818/
https://cert.pl/posts/2024/01/CVE-2023-4818/
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-42137