Multiple vulnerabilities in the Realtek SD card reader driver, RtsPer.sys, affect laptops from major brands like Dell and Lenovo.
These flaws have existed for years and let any local user read kernel memory and, through Direct Memory Access (DMA), read and write physical memory.
First discovered in January 2022 by the researcher Zwclose, the issues stemmed from a loose Access Control List (ACL) on a device object, which let unprivileged processes open the device and send it control codes.
Realtek released a fix in April 2022, but a serious DMA vulnerability remained unresolved, and further investigation uncovered more problems.
CVE-2022-25477: Leaking Driver Logs
The driver logs extensively (CVE-2022-25477), and the log entries include the addresses of kernel-mode objects. Exposing those addresses weakens Kernel Address Space Layout Randomization (KASLR), because an attacker no longer has to guess where kernel structures live.
Because of the loose ACL on the device object, any user can read the logs. The updated version encrypts these logs to block unauthorized access.
Code Snippet:
// Descriptor handed to the log-retrieval control code: the driver fills
// Buffer with its log text, which contains kernel-mode object addresses
struct LogDescriptor {
    ULONG Size;     // size of Buffer in bytes
    PVOID Buffer;   // user-mode buffer that receives the log
} desc;
CHAR log[0x1000];   // receiving buffer (size chosen here for illustration)
desc.Buffer = log;
desc.Size = sizeof(log);
CVE-2022-25478: Accessing PCI Config Space
RtsPer.sys exposes control codes that let unprivileged users read and write the PCI configuration space of the card reader, which can destabilize the system. Writing random values to the Base Address Registers (BARs) (CVE-2022-25478) can trigger interrupt storms that make the operating system unusable.
Code Snippet:
PCI_COMMON_HEADER PciHeader;        // 64-byte type-0 configuration header, as defined in the WDK headers
DWORD BytesReturned;                // filled in by DeviceIoControl
// Request passed to the configuration-space control code: which range to
// transfer and the data that goes with it
struct PCIDescriptor {
    WORD CfgSpaceOffset;            // byte offset into configuration space
    BYTE Length;                    // number of bytes to transfer
    PCI_COMMON_HEADER PciHeader;    // data read from, or written to, that range
} PCIDesc;
PCIDesc.CfgSpaceOffset = 0;             // start of the header
PCIDesc.Length = sizeof(PciHeader);     // the whole 64-byte header
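To make that control-code surface concrete, here is an added example in portable C (not code from the article, from Zwclose's research or from Realtek's driver) that decodes the type-0 header a PCI_COMMON_HEADER read returns and applies the kind of gate a driver needs before it forwards a user-supplied configuration-space request. The header bytes are constructed (0x10EC is Realtek's PCI vendor ID; the device ID and BAR values are placeholders), and the write policy, which refuses user-mode writes anywhere in the 64-byte standard header, is an illustrative hardening choice, not a description of Realtek's fix.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define PCI_CFG_SIZE  0x100  /* legacy configuration space is 256 bytes */
#define PCI_BAR_FIRST 0x10   /* BAR0..BAR5 occupy offsets 0x10..0x27    */
#define PCI_HDR_END   0x40   /* the standard type-0 header ends at 0x40 */

/* Constructed type-0 header. 0x10EC is Realtek's vendor ID; the device ID,
 * BARs and every other field are placeholder values, not a real dump. */
const uint8_t example_cfg[PCI_CFG_SIZE] = {
    0xEC, 0x10,             /* 0x00 vendor ID                                */
    0x29, 0x52,             /* 0x02 device ID (placeholder)                  */
    0x06, 0x00,             /* 0x04 command: memory space enable, bus master */
    0x10, 0x00,             /* 0x06 status                                   */
    0x01,                   /* 0x08 revision ID                              */
    0x00, 0x00, 0xFF,       /* 0x09 prog-if, subclass, base class            */
    0x10, 0x00, 0x00, 0x00, /* 0x0C cache line, latency, header type 0, BIST */
    0x04, 0x00, 0xD0, 0xF7, /* 0x10 BAR0: 64-bit memory BAR, low dword       */
    0x01, 0x00, 0x00, 0x00, /* 0x14 BAR1: upper dword of BAR0                */
    0x01, 0xE0, 0x00, 0x00, /* 0x18 BAR2: I/O BAR at port 0xE000             */
    /* everything else stays zero */
};

/* Little-endian field readers. */
uint16_t rd16(const uint8_t *cfg, unsigned off) { return (uint16_t)(cfg[off] | (cfg[off + 1] << 8)); }
uint32_t rd32(const uint8_t *cfg, unsigned off) { return rd16(cfg, off) | ((uint32_t)rd16(cfg, off + 2) << 16); }

struct BarInfo { int is_io, is_64bit, prefetchable; uint64_t base; };

/* Decode BAR `index` (0..5) of a type-0 header; a 64-bit memory BAR also
 * consumes the following slot. Returns 0 on success, -1 if not decodable. */
int decode_bar(const uint8_t *cfg, int index, struct BarInfo *out) {
    if ((cfg[0x0E] & 0x7F) != 0 || index < 0 || index > 5) return -1;
    uint32_t lo = rd32(cfg, PCI_BAR_FIRST + 4 * index);
    memset(out, 0, sizeof *out);
    if (lo & 1) {                          /* bit 0 set: I/O space BAR */
        out->is_io = 1;
        out->base = lo & ~3u;
        return 0;
    }
    out->is_64bit = ((lo >> 1) & 3) == 2;  /* bits 2:1 == 10b: 64-bit memory BAR */
    out->prefetchable = (lo >> 3) & 1;
    out->base = lo & ~0xFu;
    if (out->is_64bit) {
        if (index == 5) return -1;         /* no slot left for the upper half */
        out->base |= (uint64_t)rd32(cfg, PCI_BAR_FIRST + 4 * (index + 1)) << 32;
    }
    return 0;
}

/* Gate for a user-supplied (offset, length, write) request before the driver
 * touches configuration space: the range must fit inside the 256-byte space
 * (checked without integer overflow), and user-mode writes are refused for
 * the whole standard header, which holds the command register and the BARs
 * the article describes being clobbered. Example policy, not Realtek's fix. */
int cfg_access_allowed(uint32_t offset, uint32_t length, int is_write) {
    if (length == 0 || offset >= PCI_CFG_SIZE || length > PCI_CFG_SIZE - offset) return 0;
    if (is_write && offset < PCI_HDR_END) return 0;
    return 1;
}

int main(void) {
    printf("vendor %04x device %04x command %04x\n",
           rd16(example_cfg, 0), rd16(example_cfg, 2), rd16(example_cfg, 4));
    for (int i = 0; i < 6; i++) {
        struct BarInfo b;
        if (decode_bar(example_cfg, i, &b) != 0 || b.base == 0) continue;
        printf("BAR%d: %s base 0x%llx%s%s\n", i, b.is_io ? "I/O" : "MEM",
               (unsigned long long)b.base, b.is_64bit ? " 64-bit" : "",
               b.prefetchable ? " prefetchable" : "");
        if (b.is_64bit) i++;               /* skip the slot holding the upper half */
    }
    printf("user write to BAR0 allowed: %d, header read allowed: %d\n",
           cfg_access_allowed(0x10, 4, 1), cfg_access_allowed(0, 0x40, 0));
    return 0;
}
```

The overflow-safe form `length > PCI_CFG_SIZE - offset` matters because a check written as `offset + length <= PCI_CFG_SIZE` wraps for a large offset and lets the request through.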
CVE-2022-25479: Leaking Kernel Pool and Stack
CVE-2022-25479 leaks kernel memory from the stack and from pool allocations because the driver mishandles SCSI commands: it copies back as many bytes as the caller's data buffer size requests, so an attacker who asks for more than the command really returns receives stale kernel stack or pool contents in the remainder.
Code Snippet:
#include <windows.h>
#include <ntddscsi.h>                     // SCSI_PASS_THROUGH_DIRECT, IOCTL_SCSI_PASS_THROUGH_DIRECT
SCSI_PASS_THROUGH_DIRECT Scsi;            // pass-through request sent with IOCTL_SCSI_PASS_THROUGH_DIRECT
CHAR PoolContent[0x88] = {};              // user buffer, larger than the real 8-byte response
Scsi.DataBuffer = PoolContent;
Scsi.DataTransferLength = 0x8 + 0x80;     // 8 bytes of response plus 0x80 bytes that come back as stale kernel memory
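As an added illustration of that leak pattern (portable C written for this page; not code from the article, from Zwclose or from Realtek's driver), the model below uses a malloc'd block in place of the driver's pool allocation, a fake kernel pointer in place of the stale data a previous owner left in it, and an 8-byte device reply in place of the real response. The vulnerable handler copies DataTransferLength bytes back; the hardened one wipes the allocation, caps the copy at what the device returned and reports the true length. The structure and function names and the stale-data pattern are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define POOL_SIZE                0x100  /* size of the driver's scratch allocation in this model */
#define REPLY_SIZE               8      /* bytes the device really returns for the command       */
#define STATUS_SUCCESS           0
#define STATUS_INVALID_PARAMETER (-1)

/* Stand-in for the two SCSI_PASS_THROUGH_DIRECT fields the leak depends on. */
struct ScsiRequest {
    uint32_t DataTransferLength;  /* caller-chosen size of DataBuffer        */
    uint8_t *DataBuffer;          /* user-mode buffer receiving the response */
};

/* Simulated stale pool contents: a fake kernel-mode pointer (the example
 * g_CiOptions address used on this page, little-endian) repeated across the
 * block. ExAllocatePool does not zero memory; malloc plays the same role. */
void fill_stale_pool(uint8_t *pool, size_t n) {
    static const uint8_t stale[8] = {0x78, 0xA4, 0x45, 0x74, 0x06, 0xF8, 0xFF, 0xFF};
    for (size_t i = 0; i < n; i++) pool[i] = stale[i % sizeof stale];
}

/* Simulated device: answers with REPLY_SIZE bytes and reports that count. */
size_t device_respond(uint8_t *pool, size_t n) {
    static const uint8_t reply[REPLY_SIZE] = {0x00, 0x80, 0, 0, 0, 0, 0, 0};
    size_t got = n < REPLY_SIZE ? n : REPLY_SIZE;
    memcpy(pool, reply, got);
    return got;
}

/* Vulnerable pattern: copies DataTransferLength bytes out of the pool block
 * regardless of how many the device produced, so bytes 8..N-1 are stale
 * kernel memory. (The POOL_SIZE check only keeps this model in bounds.) */
int handle_vulnerable(struct ScsiRequest *req) {
    if (req->DataTransferLength > POOL_SIZE) return STATUS_INVALID_PARAMETER;
    uint8_t *pool = malloc(POOL_SIZE);
    if (!pool) return STATUS_INVALID_PARAMETER;
    fill_stale_pool(pool, POOL_SIZE);
    device_respond(pool, POOL_SIZE);              /* return value ignored: the bug */
    memcpy(req->DataBuffer, pool, req->DataTransferLength);
    free(pool);
    return STATUS_SUCCESS;
}

/* Hardened pattern: zero the allocation, copy only what the device returned,
 * zero the rest of the user buffer and report the true length. */
int handle_hardened(struct ScsiRequest *req) {
    if (req->DataTransferLength > POOL_SIZE) return STATUS_INVALID_PARAMETER;
    uint8_t *pool = malloc(POOL_SIZE);
    if (!pool) return STATUS_INVALID_PARAMETER;
    fill_stale_pool(pool, POOL_SIZE);             /* same stale contents as above... */
    memset(pool, 0, POOL_SIZE);                   /* ...wiped before the block is used */
    size_t got = device_respond(pool, POOL_SIZE);
    size_t n = got < req->DataTransferLength ? got : req->DataTransferLength;
    memcpy(req->DataBuffer, pool, n);
    memset(req->DataBuffer + n, 0, req->DataTransferLength - n);
    req->DataTransferLength = (uint32_t)n;
    free(pool);
    return STATUS_SUCCESS;
}

/* Bytes beyond the real reply that came back non-zero, i.e. leaked. */
size_t leaked_bytes(const uint8_t *buf, size_t len) {
    size_t count = 0;
    for (size_t i = REPLY_SIZE; i < len; i++) if (buf[i]) count++;
    return count;
}

int main(void) {
    uint8_t buf[0x88];                              /* 8 real bytes + 0x80 extra, as in the article */
    struct ScsiRequest req = { sizeof buf, buf };
    handle_vulnerable(&req);
    printf("vulnerable: %zu leaked bytes\n", leaked_bytes(buf, sizeof buf));
    req.DataTransferLength = sizeof buf;
    handle_hardened(&req);
    printf("hardened:   %zu leaked bytes, reported length %u\n",
           leaked_bytes(buf, sizeof buf), req.DataTransferLength);
    return 0;
}
```

Reporting the true length back in DataTransferLength matters as much as the zeroing: a caller that trusts the length it asked for would otherwise still treat the padding as data.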
CVE-2022-25480 & CVE-2024-40432: Writing Beyond SystemBuffer
CVE-2022-25480 and CVE-2024-40432 stem from mishandled sense data and protocol arguments: the driver takes offsets from the caller without validating them, so data it writes relative to SystemBuffer can be redirected beyond that buffer into other kernel memory.
Code Snippet:
SCSI_PASS_THROUGH_DIRECT Scsi;
Scsi.SenseInfoOffset = 0xFFFFFFFF; // Rogue offset: sense data is written at SystemBuffer + SenseInfoOffset, so it lands far beyond the buffer
CVE-2024-40431: Arbitrary Kernel Memory Write
CVE-2024-40431 is the most dangerous of the set: it yields an arbitrary write to kernel memory. Because the SystemBuffer address of a previous request is predictable and can be recovered from the kernel stack leak, an attacker can choose an offset relative to it that lands the write exactly on a chosen kernel address.
Code Snippet:
const int SYSBUFF_OFFSET = 0x210;   // offset used to locate the previous SystemBuffer pointer in the leaked stack data
ULONG_PTR PrevSysBuffer;            // SystemBuffer address of an earlier request, recovered from the stack leak (not shown)
ULONG_PTR ci_g_CiOptions = 0xfffff8067445a478; // Example target address: g_CiOptions in ci.dll gates code-integrity enforcement
ULONG_PTR CiOptionsOffset = ci_g_CiOptions - PrevSysBuffer; // rogue offset: target minus leaked base, so the write lands on the target
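The following added example (portable C written for this page; not code from the article, from Zwclose or from Realtek's driver) models the bug class behind CVE-2022-25480, CVE-2024-40432 and CVE-2024-40431 from the last two sections: a byte arena stands in for kernel memory, a slice of it for the request's SystemBuffer, and a neighbouring 32-bit variable for a kernel global such as g_CiOptions. It shows the rogue-offset arithmetic (target minus the leaked SystemBuffer address), why a 32-bit `offset + length <= size` check is not enough, and the overflow-safe check that stops the write. The arena layout, field names and sense bytes are assumptions of the model.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE  0x400   /* the slice of "kernel memory" this model owns       */
#define SYSBUF_ADDR 0x100   /* where the request's SystemBuffer lands in it       */
#define SYSBUF_LEN  0x80    /* InputBufferLength of the request                   */
#define TARGET_ADDR 0x300   /* a neighbouring kernel variable (think g_CiOptions) */

#define STATUS_SUCCESS           0
#define STATUS_INVALID_PARAMETER (-1)

/* Stand-in for the SCSI_PASS_THROUGH_DIRECT fields the model needs. */
struct ScsiHeader {
    uint16_t Length;          /* size of the structure itself                 */
    uint8_t  SenseInfoLength; /* bytes of sense data to return                */
    uint32_t SenseInfoOffset; /* where to put them, relative to the structure */
};

/* Constructed sense bytes the "device" reports (not a real sense code). */
static const uint8_t kSense[4] = {0x70, 0x00, 0x05, 0x24};

/* Naive range check: 32-bit addition wraps, so 0xFFFFFFF0 + 0x20 "fits". */
int naive_range_ok(uint32_t off, uint32_t len, uint32_t buflen) {
    return off + len <= buflen;
}

/* Overflow-safe check: offset past the header, inside the buffer, and the
 * length within what remains after it. */
int safe_range_ok(uint32_t off, uint32_t len, uint32_t buflen) {
    return off >= sizeof(struct ScsiHeader) && off <= buflen && len <= buflen - off;
}

/* Vulnerable handler: trusts SenseInfoOffset. The arena fence only keeps this
 * model inside its own memory; the real bug has no such guard. */
int handle_vulnerable(uint8_t *arena, const struct ScsiHeader *req) {
    size_t n = req->SenseInfoLength < sizeof kSense ? req->SenseInfoLength : sizeof kSense;
    uint64_t dst = (uint64_t)SYSBUF_ADDR + req->SenseInfoOffset;
    if (dst + n > ARENA_SIZE) return STATUS_INVALID_PARAMETER;  /* model fence only */
    memcpy(arena + dst, kSense, n);   /* BUG: dst may be anywhere past SystemBuffer */
    return STATUS_SUCCESS;
}

/* Hardened handler: rejects any offset/length that leaves SystemBuffer. */
int handle_hardened(uint8_t *arena, const struct ScsiHeader *req) {
    size_t n = req->SenseInfoLength < sizeof kSense ? req->SenseInfoLength : sizeof kSense;
    if (!safe_range_ok(req->SenseInfoOffset, (uint32_t)n, SYSBUF_LEN))
        return STATUS_INVALID_PARAMETER;
    memcpy(arena + SYSBUF_ADDR + req->SenseInfoOffset, kSense, n);
    return STATUS_SUCCESS;
}

/* Attacker arithmetic from the article: offset = target - leaked SystemBuffer. */
uint32_t rogue_offset(uint64_t target, uint64_t prev_sysbuf) {
    return (uint32_t)(target - prev_sysbuf);
}

/* Aim the write at TARGET_ADDR through one handler; returns the 32-bit value
 * found there afterwards and the handler's status through *status. */
uint32_t run_attack(int (*handler)(uint8_t *, const struct ScsiHeader *), int *status) {
    uint8_t arena[ARENA_SIZE] = {0};
    uint32_t before = 0x6;    /* placeholder original contents of the target */
    memcpy(arena + TARGET_ADDR, &before, sizeof before);
    struct ScsiHeader req = {
        (uint16_t)sizeof(struct ScsiHeader), (uint8_t)sizeof kSense,
        rogue_offset(TARGET_ADDR, SYSBUF_ADDR)   /* SYSBUF_ADDR plays the leaked PrevSysBuffer */
    };
    *status = handler(arena, &req);
    uint32_t after;
    memcpy(&after, arena + TARGET_ADDR, sizeof after);
    return after;
}

int main(void) {
    int st;
    uint32_t v = run_attack(handle_vulnerable, &st);
    printf("vulnerable: status %d, target now 0x%08x\n", st, v);
    uint32_t h = run_attack(handle_hardened, &st);
    printf("hardened:   status %d, target now 0x%08x\n", st, h);
    printf("naive check accepts 0xFFFFFFF0+0x20: %d, safe check: %d\n",
           naive_range_ok(0xFFFFFFF0u, 0x20, SYSBUF_LEN),
           safe_range_ok(0xFFFFFFF0u, 0x20, SYSBUF_LEN));
    return 0;
}
```

The same shape of check applies to every caller-controlled offset the request carries, not only SenseInfoOffset: validate against the buffer length the I/O manager reports for the request, never against a length the caller supplies.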
The Realtek SD card reader driver ships in many laptop models, including Dell and Lenovo devices, so these flaws affect a large installed base. Realtek is releasing updates to address the vulnerabilities, and users should update their drivers promptly to protect against exploitation. The case highlights the importance of regular security audits and updates for hardware drivers across devices.