Description
The Realtek SD card reader driver, RtsPer.sys, has been found to contain multiple critical vulnerabilities (CVE-2022-25476, CVE-2022-25477, CVE-2022-25478, CVE-2022-25479, CVE-2022-25480, CVE-2024-40431, CVE-2024-40432) that allow non-privileged users to leak kernel memory, write to arbitrary kernel memory, and access physical memory via DMA. These flaws affect various SD card reader models (including RTS5227, RTS5228, RTS522A, RTS5249, RTS524A, RTS5250, RTS525A, RTS5287, RTS5260, RTS5261, RTS5264) used by major OEMs such as Dell, Lenovo, HP, and MSI. The vulnerabilities enable kernel memory leaks, arbitrary kernel memory writes, PCI configuration space manipulation, and DMA controller access from user mode. Due to the driver's widespread use, the impact is significant, potentially allowing privilege escalation and system compromise. Realtek has addressed these issues in driver version 10.0.26100.21374 or higher, released in July or August.
- UUID: 32155681-33e8-4d0d-b9f6-c822851e7321
- Created: 2024-09-10
- Author: Michael M.
- Acknowledgement: |
DownloadBlock
This download link contains the vulnerable driver!
Commands
sc.exe create RtsPer.sys binPath=C:\windows\temp\RtsPer.sys type=kernel && sc.exe start RtsPer.sys
Use Case | Privileges | Operating System |
---|
Elevate privileges | kernel | Windows 10 |
Detections
Sigma 🛡️
Expand
Names
detects loading using name only
Hashes
detects loading using hashes only
Resources
https://www.linkedin.com/pulse/vulnerabilities-realtek-sd-card-reader-driver-part-1-myngerbayev-czqmf, https://github.com/zwclose/realteksdKnown Vulnerable Samples
Download
Certificates
Expand
Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
Field | Value |
---|
ToBeSigned (TBS) MD5 | 5d8003a64dfa5a4d88365da1566038cb |
ToBeSigned (TBS) SHA1 | 79465b56bc7ad55a37bdf633943da8bfc84db228 |
ToBeSigned (TBS) SHA256 | 84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332 |
Subject | C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1 |
ValidFrom | 2021-04-29 00:00:00 |
ValidTo | 2036-04-28 23:59:59 |
Signature | 3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e |
SignatureAlgorithmOID | 1.2.840.113549.1.1.12 |
IsCertificateAuthority | True |
SerialNumber | 08ad40b260d29c4c9f5ecda9bd93aed9 |
Version | 3 |
Certificate 0f91ac8781452e9478fdb90d5a52336c
Field | Value |
---|
ToBeSigned (TBS) MD5 | d1102ab7eca2c12f5ea6139a3850d349 |
ToBeSigned (TBS) SHA1 | 68282349416ecb82b2f09607f8a3bf5f1168c7fb |
ToBeSigned (TBS) SHA256 | bb2578b6f4cbce34d5b35d0d43e46a868257f9c8aa4cbae9b7065f6061e1fc87 |
Subject | ??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp. |
ValidFrom | 2023-06-15 00:00:00 |
ValidTo | 2026-06-15 23:59:59 |
Signature | 4e8d4307ac16ffe234a0c43c75ded55cae08624ce02cdcd029c0db935fa519b01b17fe75b7ddf45f8f3bdd71b1f60c48168fe17c00620a8adc188d85f8ff318178776c2c451a083bc6b410d8f675e183ccb39ebf429cb6f114692d78111b12ea934835a078ec05d01ddab4c2e8fa7937a264b1abfa0633075bc48baf85c95023baabf10a60338cdcd6689a69970fa041a2954241e56ee8b463738bd0b5526496944489aa22b4f68884146fddcab8da5486930a4218017e4d9e881c53aa22468eb9098a04a31387030571bff83ae8ec0c659c3c72b0cb88a702c6f8a894f74e710b35a2b710a094540397a0c0481b9eb1241ee5976b045b30c032cb2c5a5e2df6899c8c60cea4b74edd958daf0a33a243d77ac6505e07c64e5169557c3b625a0639930ed78819591e7055ce9af999612fa381bcf851d1a8ee7dc165872ac33f32dfaf48638d28c379a2a7925cc2031394f6a768eeafc6424facd0e23f3812ed77a7578fd9b29edf338388177a3f71c50cf036ff06b5564c296ebe9c6614d0b5f87ffdf81748de0d916ae5a8f24db0263f214706d21c15bd447a8df0ad10f0f1d59ec09cb9c403b80206e3d74b525dbc96129e19caf89251412539b94ec8e92c67bbca3e00a94f7b19b935aa8305ee44696232c88e1f46508d5b0b25e364482a82256449d2ed4fca4b613c30540a58043d4a92687d525305296f236f14dd49a478 |
SignatureAlgorithmOID | 1.2.840.113549.1.1.11 |
IsCertificateAuthority | False |
SerialNumber | 0f91ac8781452e9478fdb90d5a52336c |
Version | 3 |
Imports
Expand
- cng.sys
- ntoskrnl.exe
- HAL.dll
Imported Functions
Expand
- BCryptSetProperty
- BCryptImportKeyPair
- BCryptGenerateSymmetricKey
- BCryptDestroySecret
- BCryptDeriveKey
- BCryptCloseAlgorithmProvider
- BCryptExportKey
- BCryptGenRandom
- BCryptOpenAlgorithmProvider
- BCryptGenerateKeyPair
- BCryptFinalizeKeyPair
- BCryptGetProperty
- BCryptDestroyKey
- BCryptSecretAgreement
- BCryptEncrypt
- IofCallDriver
- IoCsqInsertIrp
- IoIs32bitProcess
- MmMapLockedPagesSpecifyCache
- IofCompleteRequest
- ExRaiseStatus
- KeWaitForSingleObject
- KeInsertQueueDpc
- KeDelayExecutionThread
- IoAllocateWorkItem
- RtlAnsiStringToUnicodeString
- KeAcquireSpinLockRaiseToDpc
- ZwQueryKey
- ObQueryNameString
- ZwCreateFile
- MmBuildMdlForNonPagedPool
- ObfDereferenceObject
- RtlFreeUnicodeString
- RtlInitUnicodeString
- ZwCreateKey
- wcscpy_s
- IoOpenDeviceRegistryKey
- wcscat_s
- IoDeleteDevice
- RtlQueryRegistryValues
- ZwPowerInformation
- KeReleaseSpinLock
- ZwFlushKey
- KeSetEvent
- RtlInitAnsiString
- ObReferenceObjectByHandle
- swprintf_s
- ZwDeleteKey
- ZwEnumerateKey
- MmGetSystemRoutineAddress
- IoFreeWorkItem
- ZwQueryValueKey
- ExFreePoolWithTag
- IoQueueWorkItem
- ZwClose
- ZwSetValueKey
- IoInvalidateDeviceRelations
- ZwOpenKey
- RtlCompareMemory
- wcsncpy_s
- IoBuildPartialMdl
- IoInvalidateDeviceState
- strncpy_s
- DbgPrint
- IoRegisterDeviceInterface
- KeInitializeDpc
- IoCsqRemoveNextIrp
- KeInitializeTimerEx
- IoAttachDeviceToDeviceStack
- KeInitializeSemaphore
- IoRegisterShutdownNotification
- IoCsqInitialize
- RtlIsNtDdiVersionAvailable
- KeInitializeEvent
- ZwEnumerateValueKey
- MmMapIoSpace
- MmUnmapIoSpace
- ExFreePool
- IoSetDeviceInterfaceState
- IoDisconnectInterrupt
- PoRequestPowerIrp
- IoBuildDeviceIoControlRequest
- PoSetPowerState
- RtlGetVersion
- KeCancelTimer
- ObfReferenceObject
- IoUnregisterShutdownNotification
- ExUuidCreate
- IoGetAttachedDeviceReference
- IoCancelIrp
- KeSetTimerEx
- PoCallDriver
- PoStartNextPowerIrp
- PsCreateSystemThread
- PsTerminateSystemThread
- IoGetDmaAdapter
- MmUnlockPages
- IoConnectInterrupt
- IoFreeIrp
- MmFreeContiguousMemory
- MmGetPhysicalAddress
- KeAcquireSpinLockAtDpcLevel
- IoGetDeviceProperty
- IoAllocateIrp
- KeReleaseSpinLockFromDpcLevel
- IoBuildSynchronousFsdRequest
- MmAllocateContiguousMemory
- RtlUnicodeToMultiByteN
- ExAllocatePoolWithTag
- KeQueryActiveProcessors
- KeBugCheckEx
- ZwSetSecurityObject
- IoDeviceObjectType
- IoCreateDevice
- ObOpenObjectByPointer
- RtlGetDaclSecurityDescriptor
- RtlGetGroupSecurityDescriptor
- RtlGetOwnerSecurityDescriptor
- RtlGetSaclSecurityDescriptor
- SeCaptureSecurityDescriptor
- _snwprintf
- RtlLengthSecurityDescriptor
- SeExports
- RtlCreateSecurityDescriptor
- _wcsnicmp
- wcschr
- RtlAbsoluteToSelfRelativeSD
- RtlAddAccessAllowedAce
- RtlLengthSid
- IoIsWdmVersionAvailable
- RtlSetDaclSecurityDescriptor
- PsGetVersion
- ExAllocatePoolWithQuotaTag
- ZwQuerySystemInformation
- IoFreeMdl
- KeClearEvent
- KeReleaseSemaphore
- ProbeForWrite
- IoAllocateMdl
- KeWaitForMultipleObjects
- MmProbeAndLockPages
- KeReadStateEvent
- __C_specific_handler
- PsGetCurrentThreadId
- IoDetachDevice
- KeGetCurrentIrql
- KeStallExecutionProcessor
- READ_PORT_UCHAR
- WRITE_PORT_ULONG
- KfRaiseIrql
- KfLowerIrql
- HalSetBusDataByOffset
- HalGetBusDataByOffset
Exported Functions
Expand
Sections
Expand
- .text
- .rdata
- .data
- .pdata
- PAGE
- INIT
- .rsrc
- .reloc
Signature
Expand
{
"Certificates": [
{
"IsCertificateAuthority": true,
"SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
"Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
"Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"TBS": {
"MD5": "5d8003a64dfa5a4d88365da1566038cb",
"SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
"SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
"SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
},
"ValidFrom": "2021-04-29 00:00:00",
"ValidTo": "2036-04-28 23:59:59",
"Version": 3
},
{
"IsCertificateAuthority": false,
"SerialNumber": "0f91ac8781452e9478fdb90d5a52336c",
"Signature": "4e8d4307ac16ffe234a0c43c75ded55cae08624ce02cdcd029c0db935fa519b01b17fe75b7ddf45f8f3bdd71b1f60c48168fe17c00620a8adc188d85f8ff318178776c2c451a083bc6b410d8f675e183ccb39ebf429cb6f114692d78111b12ea934835a078ec05d01ddab4c2e8fa7937a264b1abfa0633075bc48baf85c95023baabf10a60338cdcd6689a69970fa041a2954241e56ee8b463738bd0b5526496944489aa22b4f68884146fddcab8da5486930a4218017e4d9e881c53aa22468eb9098a04a31387030571bff83ae8ec0c659c3c72b0cb88a702c6f8a894f74e710b35a2b710a094540397a0c0481b9eb1241ee5976b045b30c032cb2c5a5e2df6899c8c60cea4b74edd958daf0a33a243d77ac6505e07c64e5169557c3b625a0639930ed78819591e7055ce9af999612fa381bcf851d1a8ee7dc165872ac33f32dfaf48638d28c379a2a7925cc2031394f6a768eeafc6424facd0e23f3812ed77a7578fd9b29edf338388177a3f71c50cf036ff06b5564c296ebe9c6614d0b5f87ffdf81748de0d916ae5a8f24db0263f214706d21c15bd447a8df0ad10f0f1d59ec09cb9c403b80206e3d74b525dbc96129e19caf89251412539b94ec8e92c67bbca3e00a94f7b19b935aa8305ee44696232c88e1f46508d5b0b25e364482a82256449d2ed4fca4b613c30540a58043d4a92687d525305296f236f14dd49a478",
"SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
"Subject": "??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.",
"TBS": {
"MD5": "d1102ab7eca2c12f5ea6139a3850d349",
"SHA1": "68282349416ecb82b2f09607f8a3bf5f1168c7fb",
"SHA256": "bb2578b6f4cbce34d5b35d0d43e46a868257f9c8aa4cbae9b7065f6061e1fc87",
"SHA384": "63da1b0575cea0554b39993f2d281005f78037a0976d33c2be717c690588f4033cd3f5f6dde258c47e0169b209d23e4c"
},
"ValidFrom": "2023-06-15 00:00:00",
"ValidTo": "2026-06-15 23:59:59",
"Version": 3
}
],
"CertificatesInfo": "",
"Signer": [
{
"Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
"SerialNumber": "0f91ac8781452e9478fdb90d5a52336c",
"Version": 1
}
],
"SignerInfo": ""
}
source
last_updated: 2025-01-13