Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

Android-based PAX POS vulnerabilities (Part 1) - 1395

stmcyber, posted 1 year ago
  • Many point-of-sale (POS) devices are moving to Android-based systems instead of obscure custom-built ones. The authors of this post reviewed the PAX POS system for vulnerabilities. In part 1, they cover mechanisms by which an attacker with local access can backdoor the device.
  • In fastboot, the hidden custom command oem paxassert can be used to overwrite the pax1 partition. This is a special partition that doesn't contain a filesystem but a configuration map, and some values from that map end up in the kernel parameters. From there, it is possible to inject arbitrary kernel parameters and boot a custom rootfs to get root. For more on the technique, they linked alphsecurity.
  • The unsigned partition exsn also has data that is concatenated onto the kernel parameters, so flashing it gives code execution by the same technique. In practice, a space in the flashed value is enough to break out of the intended field and append arbitrary parameters.
  • Within one of the Android apps, there is a command injection issue. The app checks whether the command starts with dumpsysx, but simply appending a semicolon lets arbitrary commands run afterwards. The PoC is done via ADB, so I don't know how exploitable this actually is.
  • systool_server is a daemon exposed via Android binder that runs with root privileges. It exposes miniunz, to which an attacker can pass an arbitrary set of flags plus the input/output directory. Combined with symbolic links, this gives an arbitrary file write primitive, since the daemon runs as root.
  • systool_server performs multiple checks on the caller's uid to ensure only specific users can call this API. However, these can be bypassed with LD_PRELOAD. Honestly, I don't understand HOW this bypass works, but that's what they claim.
  • The final issue is a downgrade attack to an older signed, vulnerable version. TBH, being able to downgrade is a very common functional requirement: what if the version you have doesn't work and you want to go back? Not a trivial thing to fix.
  • Overall, many of these attacks were interesting! Backdooring a device like this could be used to steal sensitive card information. Additionally, there is one undisclosed CVE that I'm curious to see the details of later!
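The kernel parameter injection from the pax1 and exsn bullets above, as an added illustration that is not code from the post or from PAX: a bootloader-style routine that pastes a partition-derived value straight into the command line, beside a hardened version that rejects the value unless it matches a strict allowlist. The parameter name androidboot.serialno, the serial format and the sample values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Illustrative only: parameter name, value format and limits are assumptions,
 * not PAX's real bootloader logic. */
#define CMDLINE_MAX 256

/* Vulnerable pattern: the value read from an unsigned partition is formatted
 * directly into the kernel command line. A space inside the value terminates
 * the intended field, so everything after it becomes extra kernel parameters. */
int build_cmdline_vulnerable(char *out, size_t outsz, const char *base, const char *serial)
{
    int n = snprintf(out, outsz, "%s androidboot.serialno=%s", base, serial);
    return (n < 0 || (size_t)n >= outsz) ? -1 : 0;
}

/* Hardened: allow only the characters a serial number can legitimately
 * contain, with a hard length limit, and reject rather than "sanitise". */
bool serial_is_valid(const char *serial)
{
    size_t len = strlen(serial);
    if (len == 0 || len > 32) return false;
    for (size_t i = 0; i < len; i++) {
        char c = serial[i];
        bool ok = (c >= '0' && c <= '9') || (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
        if (!ok) return false;
    }
    return true;
}

int build_cmdline_hardened(char *out, size_t outsz, const char *base, const char *serial)
{
    if (!serial_is_valid(serial)) return -1;   /* untrusted value never reaches cmdline */
    return build_cmdline_vulnerable(out, outsz, base, serial);
}

/* Detection helper: does the final command line contain a parameter token the
 * firmware never meant to pass? Tokenises a private copy on spaces. */
bool cmdline_has_param(const char *cmdline, const char *param)
{
    char copy[CMDLINE_MAX];
    if (strlen(cmdline) >= sizeof copy) return false;
    strcpy(copy, cmdline);
    for (char *tok = strtok(copy, " "); tok; tok = strtok(NULL, " "))
        if (strcmp(tok, param) == 0) return true;
    return false;
}
```

Input validation only limits what a flashed value can do; what stops the value from being flashed at all is verifying the partition's signature before trusting it and keeping fastboot locked.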