32155681-33e8-4d0d-b9f6-c822851e7321

RtsPer.sys :inline :inline

Description

The Realtek SD card reader driver, RtsPer.sys, has been found to contain multiple critical vulnerabilities (CVE-2022-25476, CVE-2022-25477, CVE-2022-25478, CVE-2022-25479, CVE-2022-25480, CVE-2024-40431, CVE-2024-40432) that allow non-privileged users to leak kernel memory, write to arbitrary kernel memory, and access physical memory via DMA. These flaws affect various SD card reader models (including RTS5227, RTS5228, RTS522A, RTS5249, RTS524A, RTS5250, RTS525A, RTS5287, RTS5260, RTS5261, RTS5264) used by major OEMs such as Dell, Lenovo, HP, and MSI. The vulnerabilities enable kernel memory leaks, arbitrary kernel memory writes, PCI configuration space manipulation, and DMA controller access from user mode. Due to the driver's widespread use, the impact is significant, potentially allowing privilege escalation and system compromise. Realtek has addressed these issues in driver version 10.0.26100.21374 or higher, released in July or August.

  • UUID: 32155681-33e8-4d0d-b9f6-c822851e7321
  • Created: 2024-09-10
  • Author: Michael M.
  • Acknowledgement: |

DownloadBlock

This download link contains the vulnerable driver!

Commands

sc.exe create RtsPer.sys binPath=C:\windows\temp\RtsPer.sys type=kernel && sc.exe start RtsPer.sys
Use CasePrivilegesOperating System
Elevate privilegeskernelWindows 10

Detections

YARA 🏹

Expand

Exact Match

with header and size limitation

Threat Hunting

without header and size limitation

Renamed

for renamed driver files

Sigma 🛡️

Expand

Names

detects loading using name only

Hashes

detects loading using hashes only

Sysmon 🔎

Expand

Block

on hashes

Alert

on hashes

Resources


  • https://www.linkedin.com/pulse/vulnerabilities-realtek-sd-card-reader-driver-part-1-myngerbayev-czqmf, https://github.com/zwclose/realteksd

    • Known Vulnerable Samples

    PropertyValue
    Filename
    Creation Timestamp2024-04-16 20:33:34
    MD5807a860e330865e932e17b8a699ff5ea
    SHA1c07c37bab9208dceca35fbe154684ed6c6450e5c
    SHA256a1fa7d8275ccd14a6adc438ef4b950e7de4ed26fcbe4b3e184243663b03c83d6
    Authentihash MD54873b596b473865c3e1ebbcc31a5420a
    Authentihash SHA1c7425bd2d79ed34c9ec48d04c4a4df05daa8f024
    Authentihash SHA256e060b051d0b8eca8490347f679e63391c792b6b37684e11301f4ed187173c3fd
    RichPEHeaderHash MD5eadf48169fc6b63020316d58dc79ce25
    RichPEHeaderHash SHA180b16ed98156fca3615d88125c2278562ff8e11e
    RichPEHeaderHash SHA2560f4b1fd8b6a12c0818da3090410616c36c287b923d3786b8c812eaf6a6be829c
    CompanyRealtek Semiconductor Corporation
    DescriptionRTS PCIE READER Driver
    ProductWindows (R) Win 7 DDK driver
    OriginalFilenameRTSPER.SYS

    Download

    Certificates

    Expand
    Certificate 08ad40b260d29c4c9f5ecda9bd93aed9
    FieldValue
    ToBeSigned (TBS) MD55d8003a64dfa5a4d88365da1566038cb
    ToBeSigned (TBS) SHA179465b56bc7ad55a37bdf633943da8bfc84db228
    ToBeSigned (TBS) SHA25684bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332
    SubjectC=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1
    ValidFrom2021-04-29 00:00:00
    ValidTo2036-04-28 23:59:59
    Signature3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e
    SignatureAlgorithmOID1.2.840.113549.1.1.12
    IsCertificateAuthorityTrue
    SerialNumber08ad40b260d29c4c9f5ecda9bd93aed9
    Version3
    Certificate 0f91ac8781452e9478fdb90d5a52336c
    FieldValue
    ToBeSigned (TBS) MD5d1102ab7eca2c12f5ea6139a3850d349
    ToBeSigned (TBS) SHA168282349416ecb82b2f09607f8a3bf5f1168c7fb
    ToBeSigned (TBS) SHA256bb2578b6f4cbce34d5b35d0d43e46a868257f9c8aa4cbae9b7065f6061e1fc87
    Subject??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.
    ValidFrom2023-06-15 00:00:00
    ValidTo2026-06-15 23:59:59
    Signature4e8d4307ac16ffe234a0c43c75ded55cae08624ce02cdcd029c0db935fa519b01b17fe75b7ddf45f8f3bdd71b1f60c48168fe17c00620a8adc188d85f8ff318178776c2c451a083bc6b410d8f675e183ccb39ebf429cb6f114692d78111b12ea934835a078ec05d01ddab4c2e8fa7937a264b1abfa0633075bc48baf85c95023baabf10a60338cdcd6689a69970fa041a2954241e56ee8b463738bd0b5526496944489aa22b4f68884146fddcab8da5486930a4218017e4d9e881c53aa22468eb9098a04a31387030571bff83ae8ec0c659c3c72b0cb88a702c6f8a894f74e710b35a2b710a094540397a0c0481b9eb1241ee5976b045b30c032cb2c5a5e2df6899c8c60cea4b74edd958daf0a33a243d77ac6505e07c64e5169557c3b625a0639930ed78819591e7055ce9af999612fa381bcf851d1a8ee7dc165872ac33f32dfaf48638d28c379a2a7925cc2031394f6a768eeafc6424facd0e23f3812ed77a7578fd9b29edf338388177a3f71c50cf036ff06b5564c296ebe9c6614d0b5f87ffdf81748de0d916ae5a8f24db0263f214706d21c15bd447a8df0ad10f0f1d59ec09cb9c403b80206e3d74b525dbc96129e19caf89251412539b94ec8e92c67bbca3e00a94f7b19b935aa8305ee44696232c88e1f46508d5b0b25e364482a82256449d2ed4fca4b613c30540a58043d4a92687d525305296f236f14dd49a478
    SignatureAlgorithmOID1.2.840.113549.1.1.11
    IsCertificateAuthorityFalse
    SerialNumber0f91ac8781452e9478fdb90d5a52336c
    Version3

    Imports

    Expand
    • cng.sys
    • ntoskrnl.exe
    • HAL.dll

    Imported Functions

    Expand
    • BCryptSetProperty
    • BCryptImportKeyPair
    • BCryptGenerateSymmetricKey
    • BCryptDestroySecret
    • BCryptDeriveKey
    • BCryptCloseAlgorithmProvider
    • BCryptExportKey
    • BCryptGenRandom
    • BCryptOpenAlgorithmProvider
    • BCryptGenerateKeyPair
    • BCryptFinalizeKeyPair
    • BCryptGetProperty
    • BCryptDestroyKey
    • BCryptSecretAgreement
    • BCryptEncrypt
    • IofCallDriver
    • IoCsqInsertIrp
    • IoIs32bitProcess
    • MmMapLockedPagesSpecifyCache
    • IofCompleteRequest
    • ExRaiseStatus
    • KeWaitForSingleObject
    • KeInsertQueueDpc
    • KeDelayExecutionThread
    • IoAllocateWorkItem
    • RtlAnsiStringToUnicodeString
    • KeAcquireSpinLockRaiseToDpc
    • ZwQueryKey
    • ObQueryNameString
    • ZwCreateFile
    • MmBuildMdlForNonPagedPool
    • ObfDereferenceObject
    • RtlFreeUnicodeString
    • RtlInitUnicodeString
    • ZwCreateKey
    • wcscpy_s
    • IoOpenDeviceRegistryKey
    • wcscat_s
    • IoDeleteDevice
    • RtlQueryRegistryValues
    • ZwPowerInformation
    • KeReleaseSpinLock
    • ZwFlushKey
    • KeSetEvent
    • RtlInitAnsiString
    • ObReferenceObjectByHandle
    • swprintf_s
    • ZwDeleteKey
    • ZwEnumerateKey
    • MmGetSystemRoutineAddress
    • IoFreeWorkItem
    • ZwQueryValueKey
    • ExFreePoolWithTag
    • IoQueueWorkItem
    • ZwClose
    • ZwSetValueKey
    • IoInvalidateDeviceRelations
    • ZwOpenKey
    • RtlCompareMemory
    • wcsncpy_s
    • IoBuildPartialMdl
    • IoInvalidateDeviceState
    • strncpy_s
    • DbgPrint
    • IoRegisterDeviceInterface
    • KeInitializeDpc
    • IoCsqRemoveNextIrp
    • KeInitializeTimerEx
    • IoAttachDeviceToDeviceStack
    • KeInitializeSemaphore
    • IoRegisterShutdownNotification
    • IoCsqInitialize
    • RtlIsNtDdiVersionAvailable
    • KeInitializeEvent
    • ZwEnumerateValueKey
    • MmMapIoSpace
    • MmUnmapIoSpace
    • ExFreePool
    • IoSetDeviceInterfaceState
    • IoDisconnectInterrupt
    • PoRequestPowerIrp
    • IoBuildDeviceIoControlRequest
    • PoSetPowerState
    • RtlGetVersion
    • KeCancelTimer
    • ObfReferenceObject
    • IoUnregisterShutdownNotification
    • ExUuidCreate
    • IoGetAttachedDeviceReference
    • IoCancelIrp
    • KeSetTimerEx
    • PoCallDriver
    • PoStartNextPowerIrp
    • PsCreateSystemThread
    • PsTerminateSystemThread
    • IoGetDmaAdapter
    • MmUnlockPages
    • IoConnectInterrupt
    • IoFreeIrp
    • MmFreeContiguousMemory
    • MmGetPhysicalAddress
    • KeAcquireSpinLockAtDpcLevel
    • IoGetDeviceProperty
    • IoAllocateIrp
    • KeReleaseSpinLockFromDpcLevel
    • IoBuildSynchronousFsdRequest
    • MmAllocateContiguousMemory
    • RtlUnicodeToMultiByteN
    • ExAllocatePoolWithTag
    • KeQueryActiveProcessors
    • KeBugCheckEx
    • ZwSetSecurityObject
    • IoDeviceObjectType
    • IoCreateDevice
    • ObOpenObjectByPointer
    • RtlGetDaclSecurityDescriptor
    • RtlGetGroupSecurityDescriptor
    • RtlGetOwnerSecurityDescriptor
    • RtlGetSaclSecurityDescriptor
    • SeCaptureSecurityDescriptor
    • _snwprintf
    • RtlLengthSecurityDescriptor
    • SeExports
    • RtlCreateSecurityDescriptor
    • _wcsnicmp
    • wcschr
    • RtlAbsoluteToSelfRelativeSD
    • RtlAddAccessAllowedAce
    • RtlLengthSid
    • IoIsWdmVersionAvailable
    • RtlSetDaclSecurityDescriptor
    • PsGetVersion
    • ExAllocatePoolWithQuotaTag
    • ZwQuerySystemInformation
    • IoFreeMdl
    • KeClearEvent
    • KeReleaseSemaphore
    • ProbeForWrite
    • IoAllocateMdl
    • KeWaitForMultipleObjects
    • MmProbeAndLockPages
    • KeReadStateEvent
    • __C_specific_handler
    • PsGetCurrentThreadId
    • IoDetachDevice
    • KeGetCurrentIrql
    • KeStallExecutionProcessor
    • READ_PORT_UCHAR
    • WRITE_PORT_ULONG
    • KfRaiseIrql
    • KfLowerIrql
    • HalSetBusDataByOffset
    • HalGetBusDataByOffset

    Exported Functions

    Expand

    Sections

    Expand
    • .text
    • .rdata
    • .data
    • .pdata
    • PAGE
    • INIT
    • .rsrc
    • .reloc

    Signature

    Expand
    {
  "Certificates": [
    {
      "IsCertificateAuthority": true,
      "SerialNumber": "08ad40b260d29c4c9f5ecda9bd93aed9",
      "Signature": "3a23443d8d0876ee8fbc3a99d356e0021aa5f84834f32cb6e67466f79472b100caaf6c302713129e90449f4bfd9ea37c26d537bc3a5d486d95d53f49f427bb16814550fd9cbdb685e0767e3771cb22f75aaa90cff5936ae3eb20d1d55079889a8a8ac1b6bda148187edcd8801a111918cd61998156f6c9e376e7c4e41b5f43f83e94ff76393d9ed499cf4add28eb5f26a1955848d51afed7273ffd90d17686dd1cb0605cf30da8eee089a1bd39e1384eda6ebb369dfbe521535ac3cae96af1a23edb43b833c84f38149299f5ddce546dd95d02141f40337c03e295b2c221757352cb46d8c4341ca2a54b8dcd6f76372c853f1ace26e918be9007b0437f9588208270f0cccaeffd29355c1f893855f7378a8b09a1cb0be9311aff2e195c3971e1be9ca70a06d62667b792e64e5fde7aac49cf2ea47492addb3ca49c861fe3c1561b2b23ff8fb5ea887b706be6a0bafd3a3f45a6c4e81691528b41c048844b964dab4440e38df01528ceedf11856072a2f10c40c08643c338fae288c3ccb8f880b0dbf3bf4ce1e7b8eefb5ebcbb7f07713e6e7283fac12aea52f226c41f9825c1566cc6c0ecac586c3f626330c074ba0d307026a6a4030484b34a85120bbad1b8508e2590d6dca05502bea4a1c9ea5fda0a71f0674e7f2d65290fdaf854821f9573bb49c03ed8645f4b4616ebf68e2266086eac8afa9fe941de7631b3a8656784e",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.12",
      "Subject": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "TBS": {
        "MD5": "5d8003a64dfa5a4d88365da1566038cb",
        "SHA1": "79465b56bc7ad55a37bdf633943da8bfc84db228",
        "SHA256": "84bdc82e2f2a7f7aaa782667dac556ffcb2b33240c1f9c0a00a3264526a98332",
        "SHA384": "65b1d4076a89ae273f57e6eeedecb3eae129b4168f76fa7671914cdf461d542255c59d9b85b916ae0ca6fc0fcf7a8e64"
      },
      "ValidFrom": "2021-04-29 00:00:00",
      "ValidTo": "2036-04-28 23:59:59",
      "Version": 3
    },
    {
      "IsCertificateAuthority": false,
      "SerialNumber": "0f91ac8781452e9478fdb90d5a52336c",
      "Signature": "4e8d4307ac16ffe234a0c43c75ded55cae08624ce02cdcd029c0db935fa519b01b17fe75b7ddf45f8f3bdd71b1f60c48168fe17c00620a8adc188d85f8ff318178776c2c451a083bc6b410d8f675e183ccb39ebf429cb6f114692d78111b12ea934835a078ec05d01ddab4c2e8fa7937a264b1abfa0633075bc48baf85c95023baabf10a60338cdcd6689a69970fa041a2954241e56ee8b463738bd0b5526496944489aa22b4f68884146fddcab8da5486930a4218017e4d9e881c53aa22468eb9098a04a31387030571bff83ae8ec0c659c3c72b0cb88a702c6f8a894f74e710b35a2b710a094540397a0c0481b9eb1241ee5976b045b30c032cb2c5a5e2df6899c8c60cea4b74edd958daf0a33a243d77ac6505e07c64e5169557c3b625a0639930ed78819591e7055ce9af999612fa381bcf851d1a8ee7dc165872ac33f32dfaf48638d28c379a2a7925cc2031394f6a768eeafc6424facd0e23f3812ed77a7578fd9b29edf338388177a3f71c50cf036ff06b5564c296ebe9c6614d0b5f87ffdf81748de0d916ae5a8f24db0263f214706d21c15bd447a8df0ad10f0f1d59ec09cb9c403b80206e3d74b525dbc96129e19caf89251412539b94ec8e92c67bbca3e00a94f7b19b935aa8305ee44696232c88e1f46508d5b0b25e364482a82256449d2ed4fca4b613c30540a58043d4a92687d525305296f236f14dd49a478",
      "SignatureAlgorithmOID": "1.2.840.113549.1.1.11",
      "Subject": "??=TW, ??=Private Organization, serialNumber=22671299, C=TW, L=Hsinchu, O=Realtek Semiconductor Corp., CN=Realtek Semiconductor Corp.",
      "TBS": {
        "MD5": "d1102ab7eca2c12f5ea6139a3850d349",
        "SHA1": "68282349416ecb82b2f09607f8a3bf5f1168c7fb",
        "SHA256": "bb2578b6f4cbce34d5b35d0d43e46a868257f9c8aa4cbae9b7065f6061e1fc87",
        "SHA384": "63da1b0575cea0554b39993f2d281005f78037a0976d33c2be717c690588f4033cd3f5f6dde258c47e0169b209d23e4c"
      },
      "ValidFrom": "2023-06-15 00:00:00",
      "ValidTo": "2026-06-15 23:59:59",
      "Version": 3
    }
  ],
  "CertificatesInfo": "",
  "Signer": [
    {
      "Issuer": "C=US, O=DigiCert, Inc., CN=DigiCert Trusted G4 Code Signing RSA4096 SHA384 2021 CA1",
      "SerialNumber": "0f91ac8781452e9478fdb90d5a52336c",
      "Version": 1
    }
  ],
  "SignerInfo": ""
}

    source

    last_updated: 2025-01-29