Realtek Audio Microphone Calibration 1.1.1.6 Local Code Excution advisory, fuzzing, code execution, exploit, LCE, MicCal, MicCal.exe FMA-2010-011 Realtek Audio Microphone Calibration 1.1.1.6 http://www.realtek.com MicCal.exe 1.1.1.6 D3FB45B90F195FE86D9949A4B62CBBD6 Windows XP SP3 Home Edition Windows XP SP3 Professional Edition 2010.08.24 n/a 2010.11.14 Local Code Execution in Realtek Audio Microphone Calibration 1.1.1.6 LCE Realtek Audio Microphone Calibration 1.1.1.6 is module installed with drivers pack for Realtek Audio Card, and is used for microphone calibration. It has buffer overflow vulnerability which is triggered during starting module with extended input arguments. User supplied buffer is copied into a local (on stack) buffer, no boundary check is performed. Too long data overwrites both return address and SEH handler which makes it very easy to run custom code via trusted Realtek application. image01s.png 100 58 image01.png Data move Data move image02s.png 100 58 image02.png SEH override SEH override image03s.png 100 74 image03.png Application Application image04s.png 100 24 image04.png EIP owned EIP owned