Realtek HD Audio Control Panel 2.1.3.2 Local Code Excution advisory, fuzzing, code execution, exploit, LCE, RTHDCPL.exe, RTHDCPL FMA-2010-012 Realtek HD Audio Control Panel 2.1.3.2 http://www.realtek.com RTHDCPL.exe 2.1.3.2 0F37BA18845A56347B66D290EBFDEBCA Windows XP SP3 Home Edition Windows XP SP3 Professional Edition 2010.08.24 n/a 2010.11.14 Local Code Execution in Realtek HD Audio Control Panel 2.1.3.2 LCE Realtek HD Audio Control Panel 2.1.3.2 is module installed with drivers pack for Realtek Audio Card, and is used as a panel for audio configuration. It has buffer overflow vulnerability which is triggered during starting module with extended input arguments. User supplied buffer is copied into a local (on stack) buffer, no boundary check is performed. Too long data overwrites both return address and SEH handler which makes it very easy to run custom code via trusted Realtek application. image01s.png 100 58 image01.png Data move Data move image02s.png 100 58 image02.png SEH override SEH override image03s.png 100 75 image03.png Application Application image04s.png 100 24 image04.png EIP owned EIP owned