OLExplore is the research codebase accompanying the NDSS 2025 paper, “Be Careful of What You Embed: Demystifying OLE Vulnerabilities.”
It targets systematic discovery and analysis of vulnerabilities in the Microsoft Office OLE ecosystem, with a focus on closed-source “superware” surfaces.
Status: core commercial components are still being productized. This repo releases the non‑commercial tooling and PoCs in phases.
- End‑to‑end research pipeline for identifying risky OLE components and validating exploitability.
- Multi‑phase workflow covering discovery, trigger, fuzzing, monitoring, and exploitation analysis.
- Empirical evaluation across Windows environments with confirmed CVEs.
Type‑1: Unintended COM Component Loading
Office reads a CLSID out of the document and instantiates it with CoCreateInstance, but its checks that the class is actually an OLE object are incomplete, so arbitrary registered COM components can be activated inside the Office process.
Impact: uninitialized reads, crashes, or logic errors from non‑OLE components.
Example: CVE‑2015‑1770 (OSF.DLL treated as an OLE component).
Type‑2: DLL Preloading Attacks
LoadLibrary is called with a bare file name (no fully qualified path) while an OLE component initializes, so the loader walks the DLL search order.
Impact: any directory on that search order the attacker can write to (the current working directory, a user‑writable path) supplies the DLL → code execution.
Example: CVE‑2023‑35343 (missing mdmcommon.dll).
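Hunting for Type‑2 candidates in practice means watching which DLL names a process probes for in directories it does not own. The script below is an added example, not part of OLExplore or the paper: it runs over a constructed Process Monitor CSV export (process name, PID and paths are invented) and flags every `.dll` that the loader looked for, and failed to find, outside a set of trusted roots. That root list is this example's own policy.

```python
import csv
import io
from collections import OrderedDict

# Constructed Process Monitor CSV export (not a real capture; process, PID and
# paths are invented).  Columns follow Procmon's default CSV layout.  The two
# mdmcommon.dll rows have the shape of a Type-2 finding: the loader looked next
# to the document before System32 and found nothing in either place.
SAMPLE_PROCMON_CSV = """\
"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.1","WINWORD.EXE","4120","CreateFile","C:\\Users\\alice\\Downloads\\mdmcommon.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.2","WINWORD.EXE","4120","CreateFile","C:\\Windows\\System32\\mdmcommon.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.3","WINWORD.EXE","4120","CreateFile","C:\\Windows\\System32\\ole32.dll","SUCCESS","Desired Access: Read Data/List Directory, Execute/Traverse"
"10:01:02.4","WINWORD.EXE","4120","CreateFile","C:\\Users\\alice\\Downloads\\report.docx","SUCCESS","Desired Access: Generic Read"
"10:01:02.5","WINWORD.EXE","4120","CreateFile","C:\\Users\\alice\\Downloads\\version.dll","NAME NOT FOUND","Desired Access: Read Attributes"
"10:01:02.6","WINWORD.EXE","4120","CreateFile","C:\\Windows\\System32\\version.dll","SUCCESS","Desired Access: Read Attributes"
"""

# Directories a standard user cannot write into.  This list is the example's
# own policy; extend it to match the image under test.
TRUSTED_DIR_PREFIXES = (
    "c:\\windows\\",
    "c:\\program files\\",
    "c:\\program files (x86)\\",
)


def is_trusted_dir(directory):
    """True when the directory sits under one of the trusted roots."""
    return (directory.lower().rstrip("\\") + "\\").startswith(TRUSTED_DIR_PREFIXES)


def summarize_dll_probes(csv_text):
    """Group every CreateFile on a *.dll by (process, pid, dll name), keeping
    the probed directories and their results in log order."""
    probes = OrderedDict()
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if row["Operation"] != "CreateFile" or not path.lower().endswith(".dll"):
            continue
        directory, _, name = path.rpartition("\\")
        key = (row["Process Name"], int(row["PID"]), name.lower())
        probes.setdefault(key, []).append((directory, row["Result"]))
    return probes


def find_dll_preload_candidates(csv_text):
    """A DLL is a preloading candidate when the loader probed for it in an
    untrusted directory and got NAME NOT FOUND: a file of that name planted
    there (next to the document, for instance) would be loaded instead.
    Returns {key: {"untrusted_probes": [dirs], "resolved": bool}}; resolved is
    False when no probe anywhere succeeded, i.e. the DLL is missing outright,
    the situation described for CVE-2023-35343."""
    findings = OrderedDict()
    for key, seq in summarize_dll_probes(csv_text).items():
        untrusted = [d for d, r in seq if r == "NAME NOT FOUND" and not is_trusted_dir(d)]
        if untrusted:
            findings[key] = {
                "untrusted_probes": untrusted,
                "resolved": any(r == "SUCCESS" for _, r in seq),
            }
    return findings


if __name__ == "__main__":
    for (proc, pid, dll), info in find_dll_preload_candidates(SAMPLE_PROCMON_CSV).items():
        print("%s[%d] %s probed in %s, resolved=%s"
              % (proc, pid, dll, info["untrusted_probes"], info["resolved"]))
```

Both flagged DLLs matter: version.dll exists in System32 but was probed in the document's folder first, so a planted copy wins; mdmcommon.dll is never found at all, which makes the planted copy the only candidate the loader will ever accept.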
Type‑3: OLE Data Parsing Errors in IPersistStorage::Load
Embedded object data is an opaque, component‑specific binary stream, and the component's IPersistStorage::Load validates it insufficiently, so length fields and structure from a malformed stream are trusted as written.
Impact: memory corruption, stack overflows, or logic faults.
Example: CVE‑2017‑11882 (Equation Editor font name overflow).
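For Type‑1 the first triage question is which CLSID the document asks Office to activate; for Type‑3 it is whether the object's own streams are parsed with bounds checks. The block below is an added example, not code from the paper or this repository: it converts the 16‑byte CLSID field of a CFB directory entry to canonical form and parses the ANSI part of a `\x01CompObj` stream ([MS‑OLEDS] CompObjStream), refusing any length field that does not fit the buffer, which is the class of check the Equation Editor font‑name parser lacked. Pulling the streams out of a document needs a CFB reader such as olefile (not included); the sample streams here are constructed, and USER_TYPE_MAX is this example's own cap.

```python
import struct
import uuid

# Constructed sample input (not from a real document): the 16-byte
# little-endian CLSID of Equation.3 as stored in a CFB directory entry.
EQUATION3_CLSID_LE = bytes.fromhex("02CE020000000000C000000000000046")

COMPOBJ_HEADER_LEN = 28
USER_TYPE_MAX = 1024   # this example's own sanity cap, not a spec value
PROGID_MAX = 0x28      # ceiling [MS-OLEDS] gives the ProgID (Reserved1) length


class CompObjError(ValueError):
    """Raised for any length field that does not fit the stream."""


def clsid_from_le_bytes(raw):
    """Canonical form of the mixed-endian GUID stored in a CFB directory entry
    ([MS-CFB] 2.6.1, offset 80): the CLSID Office hands to CoCreateInstance."""
    if len(raw) != 16:
        raise ValueError("CLSID field must be exactly 16 bytes")
    return "{%s}" % str(uuid.UUID(bytes_le=bytes(raw))).upper()


def _read_u32(buf, off):
    if off + 4 > len(buf):
        raise CompObjError("truncated DWORD at offset %d" % off)
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _read_lp_ansi(buf, off, max_len):
    """LengthPrefixedAnsiString: DWORD length (NUL included) then the bytes.
    Every limit is enforced before the slice; an unchecked length followed by
    a copy into a fixed buffer is the shape of the Equation Editor bug."""
    length, off = _read_u32(buf, off)
    if length == 0:
        return "", off
    if length > max_len:
        raise CompObjError("string length %d exceeds cap %d" % (length, max_len))
    if off + length > len(buf):
        raise CompObjError("string length %d runs past end of stream" % length)
    data = buf[off:off + length]
    if data[-1] != 0:
        raise CompObjError("string is not NUL-terminated")
    return data[:-1].decode("cp1252", errors="replace"), off + length


def _read_clipboard_format(buf, off):
    """ClipboardFormatOrAnsiString: 0 = none; 0xFFFFFFFF/0xFFFFFFFE = a
    standard clipboard format id follows; any other value is a name length."""
    marker, nxt = _read_u32(buf, off)
    if marker == 0:
        return None, nxt
    if marker in (0xFFFFFFFF, 0xFFFFFFFE):
        fmt, nxt = _read_u32(buf, nxt)
        return ("standard", fmt), nxt
    name, nxt = _read_lp_ansi(buf, off, USER_TYPE_MAX)
    return ("registered", name), nxt


def parse_compobj(stream):
    """Parse the ANSI part of a CompObj stream: 28-byte header (not
    interpreted here), AnsiUserType, AnsiClipboardFormat, then the ProgID.
    The optional Unicode tail is not read."""
    buf = bytes(stream)
    if len(buf) < COMPOBJ_HEADER_LEN:
        raise CompObjError("stream shorter than the 28-byte CompObjHeader")
    off = COMPOBJ_HEADER_LEN
    user_type, off = _read_lp_ansi(buf, off, USER_TYPE_MAX)
    clip, off = _read_clipboard_format(buf, off)
    progid = None
    if off + 4 <= len(buf):
        length = struct.unpack_from("<I", buf, off)[0]
        if 0 < length <= PROGID_MAX:      # out-of-range ProgID is treated as absent
            progid, off = _read_lp_ansi(buf, off, PROGID_MAX)
    return {"user_type": user_type, "clipboard_format": clip, "progid": progid}


def triage_compobj(stream):
    """Never raises: {"ok": True, ...fields} or {"ok": False, "error": msg}."""
    try:
        result = parse_compobj(stream)
    except CompObjError as exc:
        return {"ok": False, "error": str(exc)}
    result["ok"] = True
    return result


def _lp_ansi(text):
    data = text.encode("cp1252") + b"\x00"
    return struct.pack("<I", len(data)) + data


def build_compobj(user_type, progid):
    """Constructed CompObj stream: zeroed header, no clipboard format."""
    return bytes(COMPOBJ_HEADER_LEN) + _lp_ansi(user_type) + struct.pack("<I", 0) + _lp_ansi(progid)


GOOD_COMPOBJ = build_compobj("Microsoft Equation 3.0", "Equation.3")
# Same stream with the AnsiUserType length rewritten to 2 GiB: a field the
# parser must refuse rather than trust.
OVERSIZED_COMPOBJ = GOOD_COMPOBJ[:28] + struct.pack("<I", 0x7FFFFFFF) + GOOD_COMPOBJ[32:]
TRUNCATED_COMPOBJ = GOOD_COMPOBJ[:-3]

if __name__ == "__main__":
    print(clsid_from_le_bytes(EQUATION3_CLSID_LE))
    for label, blob in (("good", GOOD_COMPOBJ), ("oversized", OVERSIZED_COMPOBJ), ("truncated", TRUNCATED_COMPOBJ)):
        print(label, triage_compobj(blob))
```

The CLSID printed for the constructed entry is Equation.3's, which is exactly the kind of value a Type‑1 triage compares against the list of classes Office should be allowed to activate; the two malformed streams show the parser failing closed instead of reading past the buffer.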
| Module | Vuln. Type | Impact | Confirmed On | CVE / Status |
|---|---|---|---|---|
| Windows Runtime | Type-1 | Remote Code Execution | Windows 10 in 2021 | CVE-2022-21878 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 10 in 2021 | CVE-2022-21888 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 10 in 2021 | CVE-2022-21971 |
| Windows Runtime | Type-1 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-1 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 10 in 2021 | CVE-2022-21992 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 10 in 2021 | CVE-2022-21974 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 11 & Windows Server in 2023 | CVE-2023-29366 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 11 & Windows Server in 2023 | CVE-2023-29367 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 11 & Windows Server in 2023 | CVE-2023-35313 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 11 & Windows Server in 2023 | CVE-2023-35323 |
| Windows Runtime | Type-1 | Remote Code Execution | Windows 11 & Windows Server in 2023 | CVE-2023-36704 |
| Visual Studio | Type-1 | Remote Code Execution | Visual Studio in 2023 | CVE-2023-28296 |
| Windows Geolocation Service | Type-2 | Remote Code Execution | Windows Server 2019 & 2022 | CVE-2023-35343 |
| Tablet Windows UI App. Core | Type-2 | Remote Code Execution | Windows 11 21H2 & 22H2 | CVE-2023-36898 |
| Windows UI App. Core | Type-2 | Remote Code Execution | Windows Server 2019 & 2022 | CVE-2023-36393 |
| Windows Runtime | Type-2 | Remote Code Execution | Windows 11 23H2 & 22H2 | CVE-2024-21435 |
| Microsoft Exchange Server | Type-2 | Remote Code Execution | Microsoft Exchange Server 2019 | CVE-2024-26198 |
| Windows Runtime | Type-2 | Remote Code Execution | Windows Server 2019 & 2022 | Confirmed |
| Windows Inking COM | Type-3 | Remote Code Execution | Almost all versions of Windows | CVE-2022-23290 |
| Windows Runtime | Type-3 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-3 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-3 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-3 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-3 | Denial of Service | Windows 10 & Windows Server 2022 | Confirmed |
| Windows Runtime | Type-3 | Denial of Service | Windows Server 2022 | Confirmed |
- type1&2/: COM/OLE component discovery and interface analysis scripts.
- type3/: Fuzzing harnesses, coverage helpers, and experiment notebooks.
- PoCs/: Proof‑of‑concept cases with artifacts and repro notes.
- Release additional PoCs and automation helpers.
- Expand type‑1/type‑2 scripts and documentation.
@inproceedings{Tian2025BeCO,
title={Be Careful of What You Embed: Demystifying OLE Vulnerabilities},
author={Yunpeng Tian and Feng Dong and Haoyi Liu and Meng Xu and Zhiniang Peng and Zesen Ye and Shenghui Li and Xiapu Luo and Haoyu Wang},
booktitle={Proceedings 2025 Network and Distributed System Security Symposium (NDSS)},
year={2025},
url={https://www.ndss-symposium.org/ndss-paper/be-careful-of-what-you-embed-demystifying-ole-vulnerabilities/}
}