SuperNote Nomad E-ink Tablet One-Click RCE via SuperSocket Path Traversal

Critical Vulnerability Information Vulnerability Overview Target Device: SuperNote Nomad E-ink Tablet Vulnerability Type: One-click Remote Code Execution (RCE) Affected Version: Android 4.2.2 Discovery Process 1. Recon: - Scanned using nmap and found port 6002 open. - Port 6002 is associated with the SuperSocket service in SuperNote software. 2. Locating SuperSocket Listener: - Confirmed that port 6002 is listened to by a service named . 3. Service Identification: - Analyzed source code and found that the function is used to execute commands. - The function contains a logical flaw that allows triggering exceptions via specific parameters. 4. File Upload: - Exploited the vulnerability to upload malicious files to the device’s directory. - Used a path traversal vulnerability to overwrite system files. 5. Exploitation Strategy: - Created a small image file with a specific name to trigger the vulnerability. - Leveraged file operations during the update process to overwrite critical system files. Disclosure Timeline July 28, 2014: Vulnerability reported to Blotto Software. September 2, 2014: Blotto Software confirmed the issue and began remediation. September 29, 2014: PRIZM Labs provided a detailed report to Blotto Software’s “Techboard” team. October 3, 2014: Blotto Software responded, requesting more time for internal testing and validation. October 9, 2014: PRIZM Labs agreed to close the vulnerability before public disclosure. October 9, 2014: Public disclosure of the vulnerability report. Key Points One-click RCE: Attackers can execute arbitrary code on the device with a single click. Path Traversal: Exploited path traversal to overwrite system files. File Operation Flaw: Logical error in the function enables abuse of file operations.

Goal Reached Thanks to every supporter — we hit 100%!

SuperNote Nomad E-ink Tablet One-Click RCE via SuperSocket Path Traversal