Realtek Audio Control Panel 1.0.1.65 Local Code Execution
advisory, fuzzing, code execution, exploit, LCE, RTLCPL, RTLCPL.exe
FMA-2010-010
Realtek Audio Control Panel
1.0.1.65
http://www.realtek.com
RTLCPL.exe
1.0.1.65
C1E3CF28AAA41F1F1E3AA9D110D9447C
Windows XP SP3 Home Edition
Windows XP SP3 Professional Edition
2010.08.24
n/a
2010.11.14
Local Code Execution in Realtek Audio Control Panel 1.0.1.65
LCE
Realtek Audio Control Panel 1.0.1.65 is a module installed with the driver pack for Realtek audio cards and is used as a panel for audio configuration. It has a buffer overflow vulnerability that is triggered when the module is started with excessively long input arguments.
The user-supplied buffer is copied into a local (on-stack) buffer without any boundary check. Overly long data overwrites both the return address and the SEH handler, which makes it very easy to run custom code via the trusted Realtek application.
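The unchecked copy described above, next to a bounded version, as an added C example (not code from RTLCPL.exe or from the advisory's author). The function names and the 64-byte buffer size are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

#define ARG_BUF 64  /* assumed size of the on-stack buffer (hypothetical) */

/* Vulnerable pattern from the advisory (hypothetical reconstruction): the
 * argument length is never compared with the destination size, so a long
 * argument writes past local[] into the return address and SEH record. */
size_t handle_arg_unchecked(const char *arg)
{
    char local[ARG_BUF];
    strcpy(local, arg);               /* no boundary check */
    return strlen(local);
}

/* Hardened form: locate the terminator within the destination size first.
 * Returns 0 on success, -1 if arg (plus its NUL) does not fit. Oversized
 * input is rejected rather than truncated, and out is left untouched. */
int handle_arg_checked(char *out, size_t outsz, const char *arg)
{
    if (out == NULL || arg == NULL || outsz == 0)
        return -1;
    const char *end = memchr(arg, '\0', outsz);
    if (end == NULL)
        return -1;                    /* argument too long for out */
    memcpy(out, arg, (size_t)(end - arg) + 1);
    return 0;
}

/* Constructed input: a 200-byte argument against the 64-byte buffer.
 * Returns 1 if it is rejected and the guard bytes after the buffer survive. */
int oversized_arg_is_rejected(void)
{
    struct { char buf[ARG_BUF]; char guard[8]; } frame;
    char longarg[201];
    memset(longarg, 'A', 200);
    longarg[200] = '\0';
    memset(&frame, 0x5A, sizeof frame);
    if (handle_arg_checked(frame.buf, sizeof frame.buf, longarg) != -1)
        return 0;
    return memcmp(frame.guard, "\x5A\x5A\x5A\x5A\x5A\x5A\x5A\x5A", 8) == 0;
}

int main(void)
{
    char buf[ARG_BUF];
    printf("short: %d, oversized rejected: %d\n",
           handle_arg_checked(buf, sizeof buf, "mixer"), oversized_arg_is_rejected());
    return 0;
}
```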
Figure (image01.png): Data move
Figure (image02.png): SEH override
Figure (image03.png): Version
Figure (image04.png): EIP owned
Figure (image05.png): Crash