Added pictures and greetz

This commit is contained in:
Giulio 2020-10-07 12:15:33 +02:00
parent b745de4c5f
commit af80c09f5a
2 changed files with 13 additions and 7 deletions

@ -1,3 +1,5 @@
### Greetz
Most work [done by me](https://lsd.cat). Special thanks to [cogitoergor00t](https://twitter.com/cogitoergor00t) and all the [JBZ crew](https://twitter.com/jbzteam).
## Intro ## Intro
[PAX](https://www.pax.com.cn/) is a Chinese manufacturer of payment devices, and as per their claim they have sold more than 34 million units in 110 countries. [PAX](https://www.pax.com.cn/) is a Chinese manufacturer of payment devices, and as per their claim they have sold more than 34 million units in 110 countries.
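Review bot: The new `### Greetz` heading at the top of this hunk is a level-3 heading placed above the document's first level-2 section (`## Intro`), so it renders as an orphaned subsection with no parent. Use `## Greetz` to match the other top-level sections, or move the acknowledgements to the end of the README after `## Reporting`, where credits conventionally sit.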
@ -22,6 +24,9 @@ Other models might be running ProlinOS too but their specification is not detail
For this research, I have bought a S900 from eBay and was lucky enough to find a used model targeted at developers. I will specify when something applies only to the developer model and not the production ones, although very little differs in terms of vulnerabilities. For this research, I have bought a S900 from eBay and was lucky enough to find a used model targeted at developers. I will specify when something applies only to the developer model and not the production ones, although very little differs in terms of vulnerabilities.
## Pictures
![PAX S900 from eBay](https://git.lsd.cat/g/pax-pwn/raw/master/images/s900.jpg)
## Resources ## Resources
Before starting the analysis, I found the following resources very useful: Before starting the analysis, I found the following resources very useful:
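Review bot: The image in the added `## Pictures` section is referenced by an absolute URL (`https://git.lsd.cat/g/pax-pwn/raw/master/images/s900.jpg`) even though this same commit adds the file to the repository; a relative reference such as `![PAX S900 from eBay](images/s900.jpg)` keeps the README rendering in clones and mirrors and removes the dependency on the hosting domain. Also verify the path: the file list for this commit shows the new binary as `s900.jpg`, while the URL points at `images/s900.jpg`.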
@ -36,7 +41,6 @@ PDF:
Files: Files:
* [https://dl.cloudwalk.io/util/term-assist.zip](https://dl.cloudwalk.io/util/term-assist.zip) * [https://dl.cloudwalk.io/util/term-assist.zip](https://dl.cloudwalk.io/util/term-assist.zip)
* [https://dl.cloudwalk.io/util/xcb-with-driver.zip](https://dl.cloudwalk.io/util/xcb-with-driver.zip) * [https://dl.cloudwalk.io/util/xcb-with-driver.zip](https://dl.cloudwalk.io/util/xcb-with-driver.zip)
*
FCC Documents: FCC Documents:
* [https://fccid.io/V5PS900](https://fccid.io/V5PS900) * [https://fccid.io/V5PS900](https://fccid.io/V5PS900)
@ -47,8 +51,6 @@ It's possible to see clearly from the `Internal Photos` PDF that the device has
## Hardware Info ## Hardware Info
The device has a color display, WiFi, GSM, Bluetooth, an AC charging port, and two mini USB ports. From the specifications, one is used for serial communication and the other one for USB communication. It has a Broadcom BCM5892, 128MB of flash and 64MB of RAM. The device has a color display, WiFi, GSM, Bluetooth, an AC charging port, and two mini USB ports. From the specifications, one is used for serial communication and the other one for USB communication. It has a Broadcom BCM5892, 128MB of flash and 64MB of RAM.
## ProlinOS ## ProlinOS
ProlinOS is a minimal Linux distribution, probably derived from Android. ProlinOS is a minimal Linux distribution, probably derived from Android.
@ -61,7 +63,7 @@ The development kit found online is composed of a GUI called `TermAssist` on Win
It turns out, that, although `xcb` calls itself `Xos Communication Bridge` it's just a slightly modified version android `ADB`. It turns out, that, although `xcb` calls itself `Xos Communication Bridge` it's just a slightly modified version android `ADB`.
I reversed the client and modified `python-adb` accordingly (and also added code to make it work over serial interface). I reversed the client and modified `python-adb` accordingly (and also added code to make it work over serial interface). [Here's the repository for the custom client](https://git.lsd.cat/g/prolin-xcb-client). [Pull request](https://github.com/google/python-adb/pull/178) to add serial support to `python-adb`.
`shell` functionality has been removed, as many others, but `push`, `pull`, `ls` and port forwarding are still available even if not present in the program help. `shell` functionality has been removed, as many others, but `push`, `pull`, `ls` and port forwarding are still available even if not present in the program help.
Supposedly, `xcb` is intended only for adding applications to the device (which needs to be signed), updating ProlinOS (again, signed stuff), adding assets to existing applications (images, front, etc all unsigned) and eventually adding user-provided keys for signing packages. It is yet unclear to me if user-provided keys need to be signed by the manufacturer and in which format they are to be supplied because I didn't look into it. Supposedly, `xcb` is intended only for adding applications to the device (which needs to be signed), updating ProlinOS (again, signed stuff), adding assets to existing applications (images, front, etc all unsigned) and eventually adding user-provided keys for signing packages. It is yet unclear to me if user-provided keys need to be signed by the manufacturer and in which format they are to be supplied because I didn't look into it.
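Review bot: The text added to the modified line reads `[Pull request](https://github.com/google/python-adb/pull/178) to add serial support to `python-adb`.`, which is a sentence fragment; suggest `A [pull request](...) adds serial support to `python-adb`.` While touching this paragraph, the preceding context line `It turns out, that, although `xcb` calls itself `Xos Communication Bridge` it's just a slightly modified version android `ADB`.` has stray commas and is missing "of" before `android`.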
@ -176,7 +178,7 @@ Although ELF files need to be signed in order to be executed (later we'll see ho
`installer`, which is the executable being called by `xcbd` (the `xcb` daemon server, like `adbd`) is responsible for verifying binary files before adding them. This does not mean that the kernel doesn't check again (it does) but means that ELF signature verification is available via userspace and is provided by a kernel module. `installer`, which is the executable being called by `xcbd` (the `xcb` daemon server, like `adbd`) is responsible for verifying binary files before adding them. This does not mean that the kernel doesn't check again (it does) but means that ELF signature verification is available via userspace and is provided by a kernel module.
It simply open the device `/dev/verify`, use some `ioctl` calls and send the executable files. Depending on the `ioctl` results it is possible to determine if a binary file has been correctly signed. As per the signature format, it's possible to guess that it is simply made by an RSA 2048 signature appended at the end of the file plus the string `SIGNED_VER:00001`. It simply opens the device `/dev/verify`, uses some `ioctl` calls and send the executable file. Depending on the `ioctl` results it is possible to determine if a binary file has been correctly signed. As per the signature format, it's possible to guess that it is simply made by an RSA 2048 signature appended at the end of the file plus the string `SIGNED_VER:00001`.
## Privilege Escalation ## Privilege Escalation
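Review bot: The grammar fix on the modified line is incomplete: `It simply opens the device `/dev/verify`, uses some `ioctl` calls and send the executable file.` still has `send` where the other verbs were corrected to third person; it should read `sends`. Since the signature layout (RSA 2048 signature plus the trailing `SIGNED_VER:00001` string) is explicitly described as a guess, it would help readers to state what the guess rests on, e.g. the observed trailer length and marker string, so the claim can be checked against a sample binary.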
@ -356,6 +358,10 @@ libosal.so -> Shared library, provides the OsPicc* functions trough interactin
For the magnetic stripe reader the family of functions is `OSMsr*` that uses the `/dev/msr` device and for SmartCards there are the `OsIcc*` functions that use the `/dev/usercard` device. For the magnetic stripe reader the family of functions is `OSMsr*` that uses the `/dev/msr` device and for SmartCards there are the `OsIcc*` functions that use the `/dev/usercard` device.
The graphic interface library is `libxui.so`. The graphic interface library is `libxui.so`.
## Further Reasearch
By finding a vulnerability in a Merchant App, in `libosal.so` or in one in the kernel drivers a remote attack via a payment vector is theoretically possible. Unfortunately, due to the lack of second hand production PoS in the used market, I'm unable to get a test device with a working Merchant App unless I open a contract with a bank (which I don't want to). If anyone has contacts or is willing to provide one, or need assistance for futher research drop me an email or a tweet.
## Reporting
I tried contacting several times PAX Global via email and never got a reply related to anything: neither about the security vulneabilities, neither on inquiries about the source code fot the GPL licensed software (Linux/U-Boot).
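Review bot: The two added sections carry several spelling errors that will be visible in the rendered headings and text: `## Further Reasearch` should be `## Further Research`, and in the body `futher`, `vulneabilities` and `fot` should be `further`, `vulnerabilities` and `for`; `neither ... neither` should be `neither ... nor`, `need assistance` should be `needs assistance`, and `or in one in the kernel drivers` reads better as `or in one of the kernel drivers`. Beyond wording, the `## Reporting` section would be more useful to readers if it recorded the dates of the contact attempts and the disclosure window that elapsed before publication, so the state of vendor coordination can be judged.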

BIN
s900.jpg Normal file
