Research & Development
$ #


Privilege escalation from system/shell user to root via insecure systool_server daemon

8.8 (High)


Android-based PAX POS devices

confirmed on PayDroid 11.1.50_20230614, all PayDroids before 20230718 can be affected

Adam Kliƛ, Hubert Jasudowicz and other members of STM Cyber R&D

systool_server is a PayDroid system system daemon exposed via binder IPC, running with root privileges. It exposes an API for execution of miniunz command with user-controlled directories. An attacker can inject an arbitrary amount of parameters, including additional command flags. Furthermore, given that the attacker has control over both the source directory and the destination directory (/tmp), they can manipulate this situation by crafting malicious symbolic links within the /tmp directory. This allows the attacker to overwrite arbitrary files, potentially leading to the escalation of privileges.

The attacker must have shell access to the device in order to exploit this vulnerability.

The vulnerability writeup with a PoC can be found on the blog post:

  • 07-04-2023 - first contact with vendor briefly describing vulnerabilities (no reply)
  • 08-05-2023 - second attempt of contact with vendor (successful)
  • 10-05-2023 - sent technical details explaining all vulnerabilities (with PoC)
  • 01-08-2023 - contacted CERT.PL to assign CVEs (instant reply)
  • 09-10-2023 - further contact with PAX to fix found vulnerabilities
  • 30-11-2023 - STM Cyber verifies patches
  • 15-01-2024 - public release