Security researcher Prizm Labs has discovered a serious flaw in the SuperNote A6 X2 Nomad, a well-known 7.8-inch E-Ink tablet made by Ratta Software. The flaw, now assigned CVE-2025-32409, could allow a malicious attacker on the same network to fully compromise the device without any user interaction, potentially installing a rootkit that grants complete control. The discovery, detailed in a technical analysis, highlights significant security oversights in the tablet’s design, raising concerns for users who rely on the device for note-taking and academic work. This 0-click remote code execution (RCE) vulnerability underscores the risks of unauthenticated network services and lax firmware security in IoT devices.

By downloading an unencrypted firmware image from Ratta Software’s update page, Maginnes was able to dissect the tablet’s software. Using reverse-engineering tools like jadx, Maginnes traced the port to a custom HTTP server embedded in the app, designed to handle device-to-device file sharing over Wi-Fi. The server on port 60002 was found to process custom HTTP headers, enabling unauthenticated file uploads to the device’s INBOX directory.

Maginnes tested the system’s limits by attempting a path traversal attack, appending “dot-dot-slashes” (e.g., ../../../../sdcard/EXPORT/testfile.txt) to the file path. The attack succeeded, allowing files to be written to the EXPORT directory, which is accessible via the tablet’s user interface.

This was problematic because the tablet’s firmware update process, which scans the EXPORT directory for updates, required a file named exactly update.zip to trigger an installation. The tablet’s firmware update files are typically 1.1GB, meaning uploads are slow. By sending a small “dummy” file named update.zip followed immediately by a malicious update.zip containing a backdoor, Maginnes manipulated the server’s file-handling logic. The dummy file completed its transfer first, freeing up the update.zip name just in time for the malicious file to claim it during the copy process.

To create the malicious firmware, Maginnes used a flashable Android rootkit and a simple C-based reverse shell payload. Repackaging the firmware required Multi Image Kitchen, though compatibility issues with modern Java Development Kits (JDKs) posed a challenge. The malicious firmware was signed using publicly available debug keys, a flaw carried over from earlier SuperNote models, as noted in prior research.

Once in the EXPORT directory, the firmware would install automatically during a hotplug event (e.g., connecting a USB-C cable) or a reboot. While users receive an opt-out prompt during a hotplug event, the update installs after 30 seconds unless manually canceled—a low barrier for an unsuspecting user.
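A defensive sketch of the two checks that would stop the path traversal and the file-name race described above, added here as an example and not taken from the SuperNote app or the researcher's write-up. It is written in Python for brevity; `resolve_in_inbox`, `store_upload` and `UploadRejected` are hypothetical names, and the directories are a constructed sandbox.

```python
import os
from pathlib import Path


class UploadRejected(Exception):
    """The requested name cannot be stored safely."""


def resolve_in_inbox(inbox: Path, requested: str) -> Path:
    """Return the real path for `requested`, guaranteed to lie inside `inbox`."""
    if "\x00" in requested:
        raise UploadRejected("NUL byte in name")
    root = inbox.resolve()
    # resolve() collapses "..", follows symlinks, and lets an absolute
    # `requested` replace the root entirely, so check the final result.
    candidate = (root / requested).resolve()
    if root not in candidate.parents:
        raise UploadRejected(f"{requested!r} escapes the upload directory")
    return candidate


def store_upload(inbox: Path, requested: str, data: bytes) -> Path:
    """Write `data` under `inbox`, never overwriting or re-using a taken name."""
    target = resolve_in_inbox(inbox, requested)
    target.parent.mkdir(parents=True, exist_ok=True)
    try:
        # O_EXCL makes "is the name free?" and "create it" one atomic step,
        # so two concurrent uploads cannot both claim the same name.
        fd = os.open(target, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    except FileExistsError:
        raise UploadRejected(f"{requested!r} already exists") from None
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return target


if __name__ == "__main__":
    import tempfile
    base = Path(tempfile.mkdtemp())  # constructed sandbox, not a device path
    inbox = base / "INBOX"
    inbox.mkdir()
    for name in ("notes.pdf", "../EXPORT/update.zip", "notes.pdf"):
        try:
            print("stored", store_upload(inbox, name, b"demo"))
        except UploadRejected as exc:
            print("rejected:", exc)
```

These checks cover only the upload path; an updater that accepts images signed with publicly available debug keys needs its own fix.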
This Cyber News was published on cybersecuritynews.com. Publication date: Sat, 12 Apr 2025 11:05:19 +0000