Ratta SuperNote A6 X2 Nomad Remote Code Execution Vulnerability
Vulnerability
A remote code execution vulnerability exists in the Ratta SuperNote A6 X2 Nomad tablet, running Android 11, on firmware prior to the December 2024 release. The issue arises because an arbitrary firmware image, signed with debug keys, can be sent to TCP port 60002. A combination of directory traversal and improper concurrency handling then allows the malicious firmware to be placed in the correct update location on the device.
Impact
Exploitation of this vulnerability allows for remote code execution on the affected device, with the potential to install a rootkit that could be activated during normal device use.
Reproduction
The vulnerability can be reproduced by sending a crafted file through the device's Wi-Fi Direct file-sharing feature. The file must be named in a way that exploits the directory traversal vulnerability, allowing it to be written to the EXPORT directory, where the device's firmware update process will automatically pick it up and install it. After the file is received, the update process can be monitored to confirm that the malicious payload is executed.
Remediation
Users are advised to update their devices to the December 2024 firmware release, which addresses this vulnerability.
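The class of check that closes the directory traversal described above, as an added sketch that is not Ratta's code or the actual fix: a file receiver that refuses any peer-supplied name that would resolve outside its own receive directory. The `INBOX` directory, the `update.zip` filename and all function names are assumptions made for illustration.

```python
import tempfile
from pathlib import Path


class RejectedName(ValueError):
    """Peer-supplied filename that must not be written to disk."""


def resolve_incoming(inbox: Path, peer_name: str) -> Path:
    """Map a peer-supplied filename to a path that stays inside `inbox`."""
    # Treat both separator styles as separators, whatever the sender's OS.
    parts = peer_name.replace("\\", "/").split("/")
    if len(parts) != 1 or parts[0] in ("", ".", "..") or "\x00" in peer_name:
        raise RejectedName(f"unsafe filename from peer: {peer_name!r}")
    root = inbox.resolve()
    target = (root / parts[0]).resolve()
    # Second check after resolution: catches a symlink planted in the inbox.
    if target.parent != root:
        raise RejectedName(f"path escapes inbox: {peer_name!r}")
    return target


def receive_file(inbox: Path, peer_name: str, data: bytes) -> Path:
    """Store one received file; never overwrite, never leave the inbox."""
    target = resolve_incoming(inbox, peer_name)
    with open(target, "xb") as fh:  # "x": fail if the name already exists
        fh.write(data)
    return target


def demo() -> dict:
    """Run constructed peer filenames through the receiver."""
    names = ["notes.pdf", "../EXPORT/update.zip", "..\\EXPORT\\update.zip",
             "/abs/update.zip", ".."]  # constructed sample inputs
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        inbox = Path(tmp) / "INBOX"    # hypothetical receive directory
        export = Path(tmp) / "EXPORT"  # stands in for the update pickup directory
        inbox.mkdir()
        export.mkdir()
        for name in names:
            try:
                receive_file(inbox, name, b"constructed sample bytes")
                results[name] = "stored"
            except RejectedName:
                results[name] = "rejected"
        results["export_empty"] = not any(export.iterdir())
    return results


if __name__ == "__main__":
    print(demo())
```

A path check of this kind addresses only the traversal; the advisory also names debug-key-signed images and concurrency handling as contributing factors, which need their own fixes.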
