Overview:
As productivity nerds, we picked up one of these devices in July 2024 with the goal of using it for its intended purpose: note taking and academic paper reading. As hackers at heart, however, it took all of 24 hours before we abandoned that idea entirely and decided to poke at it. What follows is a blog post detailing how we chained a vulnerability and a handful of misconfigurations into a remotely installable, 0-click rootkit. An attacker on the same network as the victim could fully compromise the device without any user interaction.

EDIT: This issue was assigned CVE-2025-32409 after publication.

Recon:
This research kicked off with an innocent Nmap scan, just to see whether anything interesting was listening on the device in its default configuration. One result stood out: as shown above, port 60002 was open and listening. Nmap could not identify the service directly, so we investigated the port by grabbing a firmware image for the device from Ratta Software's "Updates" page.

The firmware was unencrypted, so we were able to mount the various filesystem images and grep through them for anything related to that port number. This led us to SuperNoteLauncher.apk, which we loaded into jadx and started reversing.

Reversing The SuperNoteLauncher

Locating The Port:
After opening the APK in jadx, we first searched for where the port number was referenced. As shown below, this led us to a static final int named COMMAND_RECEIVE_FILE_PORT. Following its cross-references, we tracked down where it is used: com.ratta.supernote.wifip2p.receive.

Identifying The Service:
At this point, our goal was to understand the service running on port 60002. As the screenshot below shows, once the port is open, a handful of functions are triggered after something is received over the ServerSocket.
Specifically, the code of interest resides in the De...
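The firmware-grep step in the Recon section above is easy to get wrong: grepping a mounted image for the decimal string "60002" only finds the port where it is stored as text (init scripts, config files), while a Java constant such as COMMAND_RECEIVE_FILE_PORT lives in classes.dex as a little-endian integer (60002 = 0xEA62, so the bytes 62 ea). The script below is an added example, not the authors' tooling, and assumes the firmware images have already been mounted read-only (for example with `mount -o ro,loop system.img /mnt/fw`) under a directory you pass as the second argument; it searches that tree for both encodings.

```sh
#!/bin/sh
# Added example (not from the original post): locate references to a TCP port in an
# extracted/mounted firmware tree, both as decimal text and as a 16-bit little-endian
# integer. The 16-bit pattern also matches the low half of a 32-bit LE constant
# (62 ea 00 00), which is how a dex `const` of 60002 is encoded.
set -eu

# 16-bit little-endian byte pattern of a port as two hex pairs, e.g. 60002 -> "62 ea".
port_le_bytes() {
  printf '%02x %02x' $(( $1 & 0xff )) $(( ($1 >> 8) & 0xff ))
}

# Count adjacent-byte occurrences of the LE pattern in one file.
# Uses POSIX od + awk so it works in a minimal toolbox without xxd or grep -P.
count_le_hits() {
  port=$1; file=$2
  set -- $(port_le_bytes "$port")          # $1 = low byte, $2 = high byte
  od -An -v -tx1 "$file" | tr -s ' \n' '\n' | awk -v lo="$1" -v hi="$2" '
    NF && prev == lo && $1 == hi { n++ }
    NF { prev = $1 }
    END { print n + 0 }'
}

# Text files mentioning the decimal port (config, init rc, shell scripts). -I skips binaries.
text_hits() {
  grep -rIl -- "$1" "$2" 2>/dev/null || true
}

# Every regular file whose bytes contain the LE integer; prints "<count> <path>".
# Expect some false positives on random binary data: this narrows the search, and
# jadx (as in the post) is still where the constant is confirmed.
binary_hits() {
  port=$1; dir=$2
  find "$dir" -type f | while IFS= read -r f; do
    n=$(count_le_hits "$port" "$f")
    if [ "$n" -gt 0 ]; then printf '%s %s\n' "$n" "$f"; fi
  done
}

# Usage: sh find_port.sh 60002 /mnt/fw   (mount the image read-only first)
if [ $# -eq 2 ]; then
  echo "== text hits for port $1 =="
  text_hits "$1" "$2"
  echo "== little-endian integer hits for port $1 =="
  binary_hits "$1" "$2"
fi
```

Run it once per mounted image (system, vendor, and any app partition); an APK is a zip, so for the dex search unzip each APK into the tree first or the compressed classes.dex will not match.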