Realtek Audio Control Panel 1.0.1.65 Local Code Excution advisory, fuzzing, code execution, exploit, LCE, RTLCPL, RTLCPL.exe FMA-2010-010 Realtek Audio Control Panel 1.0.1.65 http://www.realtek.com RTLCPL.exe 1.0.1.65 C1E3CF28AAA41F1F1E3AA9D110D9447C Windows XP SP3 Home Edition Windows XP SP3 Professional Edition 2010.08.24 n/a 2010.11.14 Local Code Execution in Realtek Audio Control Panel 1.0.1.65 LCE Realtek Audio Control Panel 1.0.1.65 is a module installed with drivers pack for Realtek Audio Card, and is used as a panel for audio configuration. It has buffer overflow vulnerability which is triggered during starting module with extended input arguments. User supplied buffer is copied into a local (on stack) buffer, no boundary check is performed. Too long data overwrites both return address and SEH handler which makes it very easy to run custom code via trusted Realtek application. image01s.png 100 68 image01.png Data move Data move image02s.png 100 68 image02.png SEH override SEH override image03s.png 73 100 image03.png Version Version image04s.png 100 24 image04.png EIP owned EIP owned image05s.png 100 61 image05.png Crash Crash