Realtek rtl819x Jungle SDK
cpe:2.3:a:realtek:realtek_sdk:*:*:*:*:*:*:*
- <= 3.4.14B
A vulnerability exists in the rtl8192cd Wi-Fi kernel driver shipped with the Realtek rtl819x Jungle SDK, in all known versions through v3.4.14B. The driver implements two debug IOCTLs, write_mem (0x89F5) and read_mem (0x89F6), without any access control, so a local user who can issue IOCTLs against the wireless interface can read or write arbitrary kernel memory, which is enough to gain root. Both numbers fall in the kernel's SIOCDEVPRIVATE range (0x89F0 to 0x89FF), which the network core hands to the driver without a capability check of its own, so the driver's missing check was the only barrier. The debug IOCTLs are compiled into every production build rather than being guarded by a debug-only build option, so the interface is present on shipped devices.
Exploitation gives an unprivileged local process read and write access to kernel memory. This is used for local privilege escalation: the process locates its own task structure and credentials, overwrites the credentials, and obtains root, as the reference exploit demonstrates.
The vulnerability can be reproduced by compiling the reference exploit 'kpwn.c' with an ARM cross-compiler and running it as an unprivileged user on a device that ships the vulnerable rtl8192cd driver. The exploit detects the required offsets and the vulnerable IOCTL interface automatically, reads the current user credentials, and overwrites them to escalate to root.
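The following is an added example, not code from the Realtek SDK or from kpwn.c. It is a user-space model of a network driver's private-IOCTL handler that puts the unguarded debug path described above next to a hardened one: the "kernel memory" is a plain buffer, the caller's privileges are a struct standing in for current_cred() and capable(CAP_NET_ADMIN), and the IOCTL numbers are the two named in the advisory. The mem_req layout, the CRED_UID_OFF offset and the RTL_DEBUG_IOCTLS build flag are assumptions made for the model; the advisory does not give the real argument format or offsets.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed build flag. Comment it out for a production image: the hardened
 * handler's debug cases then vanish at compile time, which is the
 * conditional compilation the advisory says the SDK lacks. */
#define RTL_DEBUG_IOCTLS 1

#define SIOCDEVPRIVATE  0x89F0
#define IOCTL_WRITE_MEM (SIOCDEVPRIVATE + 5)   /* 0x89F5, write_mem */
#define IOCTL_READ_MEM  (SIOCDEVPRIVATE + 6)   /* 0x89F6, read_mem  */

#define CRED_UID_OFF 16   /* assumed: where this model keeps cred->uid */

/* Stand-in for kernel memory. The real IOCTLs take an arbitrary address. */
static uint8_t kmem[256];

/* Request block handed over through ifreq.ifr_data. The layout is an
 * assumption for this model, not the driver's real one. */
struct mem_req {
    uint32_t addr;
    uint32_t len;
    uint8_t *buf;    /* a __user pointer in the kernel (copy_from/to_user) */
};

/* Stand-in for current_cred() / capable(CAP_NET_ADMIN). */
struct caller {
    uint32_t uid;
    int has_cap_net_admin;
};

typedef int (*ioctl_fn)(const struct caller *, unsigned int, struct mem_req *);

static int do_mem_op(unsigned int cmd, struct mem_req *r)
{
    if (r->len > sizeof kmem || r->addr > sizeof kmem - r->len)
        return -EFAULT;   /* the model is bounded; the real driver is not */
    if (cmd == IOCTL_READ_MEM)
        memcpy(r->buf, kmem + r->addr, r->len);
    else
        memcpy(kmem + r->addr, r->buf, r->len);
    return 0;
}

/* Vulnerable shape: debug IOCTLs always built in, no privilege check. The
 * network core does not gate SIOCDEVPRIVATE ioctls behind CAP_NET_ADMIN,
 * so any process that can open a socket reaches this switch. */
int vulnerable_ioctl(const struct caller *c, unsigned int cmd, struct mem_req *r)
{
    (void)c;
    switch (cmd) {
    case IOCTL_READ_MEM:
    case IOCTL_WRITE_MEM:
        return do_mem_op(cmd, r);
    default:
        return -EOPNOTSUPP;
    }
}

/* Hardened shape: the cases exist only in debug builds, and even there the
 * handler refuses callers without CAP_NET_ADMIN. */
int hardened_ioctl(const struct caller *c, unsigned int cmd, struct mem_req *r)
{
    (void)c; (void)r;
    switch (cmd) {
#ifdef RTL_DEBUG_IOCTLS
    case IOCTL_READ_MEM:
    case IOCTL_WRITE_MEM:
        if (!c->has_cap_net_admin)
            return -EPERM;
        return do_mem_op(cmd, r);
#endif
    default:
        return -EOPNOTSUPP;
    }
}

/* The advisory's escalation step against a given handler: the model's cred
 * uid starts at 1000 and the caller tries to write 0 (root) over it.
 * Returns the handler's result code. */
int attempt_uid_overwrite(ioctl_fn handler, int caller_has_cap)
{
    struct caller c = { .uid = 1000, .has_cap_net_admin = caller_has_cap };
    uint32_t root = 0, start = 1000;
    memcpy(kmem + CRED_UID_OFF, &start, sizeof start);
    struct mem_req w = { .addr = CRED_UID_OFF, .len = sizeof root,
                         .buf = (uint8_t *)&root };
    return handler(&c, IOCTL_WRITE_MEM, &w);
}

/* Reads the cred uid back through the read IOCTL, as the reference exploit
 * reads live credentials before patching them. Returns the uid, or the
 * handler's negative error code. */
int64_t read_uid_via_ioctl(ioctl_fn handler, int caller_has_cap)
{
    struct caller c = { .uid = 1000, .has_cap_net_admin = caller_has_cap };
    uint32_t out = 0;
    struct mem_req r = { .addr = CRED_UID_OFF, .len = sizeof out,
                         .buf = (uint8_t *)&out };
    int rc = handler(&c, IOCTL_READ_MEM, &r);
    return rc < 0 ? rc : (int64_t)out;
}

/* Current value of the model's cred uid, read directly rather than via IOCTL. */
uint32_t current_uid_field(void)
{
    uint32_t v;
    memcpy(&v, kmem + CRED_UID_OFF, sizeof v);
    return v;
}

int main(void)
{
    int rc = attempt_uid_overwrite(vulnerable_ioctl, 0);
    printf("vulnerable, unprivileged:    rc=%d uid=%u\n", rc, current_uid_field());
    rc = attempt_uid_overwrite(hardened_ioctl, 0);
    printf("hardened,   unprivileged:    rc=%d uid=%u\n", rc, current_uid_field());
    rc = attempt_uid_overwrite(hardened_ioctl, 1);
    printf("hardened,   CAP_NET_ADMIN:   rc=%d uid=%u\n", rc, current_uid_field());
    return 0;
}
```

Against the vulnerable handler the unprivileged write succeeds and the uid field becomes 0; against the hardened handler the same caller gets EPERM and the field stays 1000, while a CAP_NET_ADMIN caller still has the debug path in a debug build. Building with RTL_DEBUG_IOCTLS undefined makes the hardened handler return EOPNOTSUPP for both commands, which is the behaviour a production image should have.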