Multiple vulnerabilities have been discovered in the Realtek SD card reader driver, RtsPer.sys, affecting a wide range of laptops from major manufacturers like Dell and Lenovo.
These vulnerabilities have been present for years, allowing non-privileged users to exploit the system by leaking kernel memory and reading and writing physical memory via Direct Memory Access (DMA).
This article delves into the specifics of these vulnerabilities, their potential impacts, and the steps taken to address them.
The vulnerabilities were first identified in January 2022 by Zwclose during an exploration of the Windows Object Manager’s \Device directory.
A permissive Access Control List (ACL) on one of the device objects led to the discovery of flaws in the RtsPer.sys driver.
Despite Realtek releasing a fix in April 2022, a critical DMA vulnerability remained unaddressed until further investigation revealed additional issues.
Protecting Your Networks & Endpoints With UnderDefense MDR – Request Free Demo
CVE-2022-25477: Leaking Driver Logs
The driver logs extensively, CVE-2022-25477, which weakens Kernel Address Space Layout Randomization (KASLR) by exposing the addresses of kernel mode objects.
Due to permissive ACLs on the device object, any user can access the log data. The fixed version encrypts these logs to prevent unauthorized access.
Code Snippet:
struct LogDescriptor {
ULONG Size;
PVOID Buffer;
} desc;
desc.Buffer = log;
desc.Size = sizeof(log);CVE-2022-25478: Accessing PCI Config Space
RtsPer.sys allows access to the PCI configuration space using control codes that can be exploited to cause system instability. Writing random values to Base Address Registers (BARs), CVE-2022-25478, can trigger interrupt storms, rendering the operating system unusable.
Code Snippet:
PCI_COMMON_HEADER PciHeader;
DWORD BytesReturned;
struct PCIDescriptor {
WORD CfgSpaceOffset;
BYTE Length;
PCI_COMMON_HEADER PciHeader;
} PCIDesc;
PCIDesc.CfgSpaceOffset = 0;
PCIDesc.Length = sizeof(PciHeader);CVE-2022-25479: Leaking Kernel Pool and Stack
CVE-2022-25479 allows kernel memory leakage from the stack and heaps through improperly handled SCSI commands. Attackers can extract sensitive information from kernel memory by manipulating data buffer sizes.
Code Snippet:
SCSI_PASS_THROUGH_DIRECT Scsi;
CHAR PoolContent[0x88] = {};
Scsi.DataBuffer = PoolContent;
Scsi.DataTransferLength = 0x8 + 0x80;CVE-2022-25480 & CVE-2024-40432: Writing Beyond SystemBuffer
CVE-2022-25480 and CVE-2024-40432 involve improper handling of sense data and protocol arguments, allowing indirect writes to kernel memory. They exploit unchecked offsets that can redirect data writes beyond intended buffers.Â
Code Snippet:
SCSI_PASS_THROUGH_DIRECT Scsi;
Scsi.SenseInfoOffset = 0xFFFFFFFF; // Rogue offsetCVE-2024-40431: Arbitrary Kernel Memory Write
This is the most dangerous vulnerability, CVE-2024-40431. It allows arbitrary writes to kernel memory by exploiting predictable SystemBuffer addresses. It combines stack leaks with rogue offsets for precise memory manipulation.
Code Snippet:
const int SYSBUFF_OFFSET = 0x210;
ULONG_PTR ci_g_CiOptions = 0xfffff8067445a478; // Example target address
ULONG_PTR CiOptionsOffset = ci_g_CiOptions - PrevSysBuffer;Due to its universal design, the Realtek SD card reader driver is widely used across multiple laptop models.
This broad applicability means vulnerabilities in its core components can have widespread effects. Affected devices include famous Dell and Lenovo models and others equipped with Realtek SD card readers.
Realtek has been working on fixes for these vulnerabilities, with updates being rolled out over an extended period.
Users are advised to update their drivers promptly and protect their systems against potential exploits.Â
These findings underscore the importance of regular security audits and updates for hardware drivers, especially those used across multiple platforms and devices.
Run private, Real-time Malware Analysis in both Windows & Linux VMs. Get a 14-day free trial with ANY.RUN!
