Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-223

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-223.accdb

MD5

3ac725a1d7e22fa6411c7a634093d5a1

Exception details

ExceptionAddress: 00007ffb0d11a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000f9`aacf1a00 00007ffb`0d358ad6     : 000002b5`01483052 00000000`00000000 00007ffb`0d6faf90 000000f9`aacf1b98 : mso20win32client!CrashWithRecovery+0x4d
000000f9`aacf1a60 00007ffb`d1921ee9     : 00000000`00000016 000002b5`50183888 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000f9`aacf1ad0 00007ffb`d1905011     : 000002b5`502bf801 000002b5`00000000 00000000`00000000 000000f9`aacf1b80 : ucrtbase!raise+0x1d9
000000f9`aacf1b50 00007ff7`4c2acb5a     : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 000002b5`4332cff0 : ucrtbase!abort+0x31
000000f9`aacf1b80 00007ffb`d1921f37     : 000002b5`502bf888 000002b5`50183888 00000000`00000084 000002b5`50183888 : msaccess!SetEnumIntlView+0x202a
000000f9`aacf1bb0 00007ff7`4c306371     : 000002b5`502bf888 00000000`fffffffe 00007ffb`0d6faf90 01010101`01010101 : ucrtbase!terminate+0x17
000000f9`aacf1be0 00007ff7`4c3087b2     : 000002b5`502bf888 00000000`00000000 00000000`00000084 000000f9`aacf4260 : msaccess!SizeCallback+0x50f51
000000f9`aacf1c10 00007ff7`4c5dca90     : 000000f9`aacf1cb8 000002b5`000a6860 00000000`00000084 00000000`00000003 : msaccess!SizeCallback+0x53392
000000f9`aacf1c70 00007ff7`4c5dcb40     : 000002b5`43314fd0 000000f9`aacf2b78 000000f9`aacf2b78 00000000`00000002 : msaccess!AccessLoadString+0x25ce0
000000f9`aacf2b30 00007ff7`4c5e3f86     : 000002b5`746b1f70 00000000`0000000c 000000f9`aacf5b60 00000000`00000001 : msaccess!AccessLoadString+0x25d90
000000f9`aacf39f0 00007ff7`4c5e340d     : 00000000`00000000 00000000`00000000 000002b5`43bfbfd6 00000000`00000001 : msaccess!AccessLoadString+0x2d1d6
000000f9`aacf41b0 00007ff7`4c5dba62     : 00000000`10000102 000002b5`000a6860 00000000`00008004 00000000`00000000 : msaccess!AccessLoadString+0x2c65d
000000f9`aacf5ab0 00007ff7`4c390d0e     : 000002b5`000a6860 000002b5`218fcfa8 000002b5`000a6860 000002b5`000a6860 : msaccess!AccessLoadString+0x24cb2
000000f9`aacf5ed0 00007ff7`4c390ba1     : 00007ffb`0443423c 00007ffb`d3b45f8b 00007ff7`4c853cfc 00007ff7`4c635c7c : msaccess!SizeCallback+0xdb8ee
000000f9`aacf60c0 00007ff7`4c85ad77     : 00000000`00000000 000002b5`43bfbfd6 000000f9`aacf6678 00000000`00000015 : msaccess!SizeCallback+0xdb781
000000f9`aacf6120 00007ff7`4c85b8a0     : 000002b5`000a6860 00000000`00000000 000002b5`7dad5fd0 000002b5`000a6860 : msaccess!FUniqueIndexTableFieldEx+0xfc247
000000f9`aacf65b0 00007ff7`4c81dc50     : 000002b5`000a6860 000000f9`aacf6690 00000000`00000000 000002b5`4f741f00 : msaccess!FUniqueIndexTableFieldEx+0xfcd70
000000f9`aacf6640 00007ff7`4c850956     : 000002b5`7dad5fd0 00000000`00008004 000002b5`7dfbff40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf120
000000f9`aacf66c0 00007ff7`4c63536d     : 000002b5`43bfbfc8 00000000`00000000 000002b5`4812af90 00000000`ffffffef : msaccess!FUniqueIndexTableFieldEx+0xf1e26
000000f9`aacf6720 00007ffb`04467504     : 00000000`00000000 000002b5`4812af90 000000f9`aacf6770 000002b5`01b73f90 : msaccess!AccessLoadString+0x7e5bd
000000f9`aacf6750 00007ffb`0441e8b5     : 00000000`00000000 00000000`00000000 000002b5`4812ae78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
000000f9`aacf6790 00007ffb`045cf624     : 00000000`00000000 00000000`00000000 000002b5`48044498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
000000f9`aacf67f0 00007ffb`045cb071     : 000002b5`427959d0 000000f9`aacf6a78 000000f9`aacf6d60 000002b5`74530000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
000000f9`aacf6860 00007ffb`045cad91     : 000002b5`427959d0 00007ffb`00000010 000002b5`74530000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
000000f9`aacf68a0 00007ffb`045cbbc4     : 000002b5`427959d0 00000000`00000010 000002b5`00000000 000000f9`aacf6978 : VBE7!IMPMGR::GetTypeInfo+0xcd
000000f9`aacf6910 00007ffb`045cc1e1     : 000002b5`427959d0 00007ffb`00000000 000000f9`aacf6978 000000f9`aacf6a78 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
000000f9`aacf6950 00007ffb`045cf3ed     : 000002b5`427959d0 000000f9`aacf6ac8 000000f9`aacf6ae0 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
000000f9`aacf6aa0 00007ffb`0456b8a3     : 000002b5`427959d0 000002b5`3eb66be0 000000f9`aacf6ba0 000002b5`2d481fd0 : VBE7!IMPMGR::Write+0x1f5
000000f9`aacf6af0 00007ffb`045738a5     : 000002b5`33e32c40 000002b5`3eb66be0 000002b5`00000000 000002b5`3e582f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
000000f9`aacf6bb0 00007ffb`04573430     : 000002b5`33e32c40 000002b5`3eb66be0 000002b5`00000000 000000f9`aacf6c18 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
000000f9`aacf6bf0 00007ffb`04545292     : 000002b5`33e32c40 000002b5`30ac2f00 000000f9`aacf6f40 000000f9`aacf72a8 : VBE7!BASIC_TYPEROOT::Write+0x1b0
000000f9`aacf6d30 00007ffb`04544c3a     : 000002b5`4257ef80 000002b5`30ac2f00 000000f9`aacf0008 000002b5`00000001 : VBE7!ExecProj::SaveModule+0x32a
000000f9`aacf7380 00007ffb`0443423c     : 000002b5`4257ef80 00000000`00000000 000000f9`00000001 000002b5`000a6860 : VBE7!ExecProj::Save+0x1da
000000f9`aacf79b0 00007ff7`4c6377a8     : 000002b5`4803ef38 00007ffb`0445e621 000002b5`3c0a68b0 000002b5`4803ef38 : VBE7!Project::StgSave+0x134
000000f9`aacf7a90 00007ff7`4c853cfc     : 00000000`00000000 00000000`00000000 000002b5`4803ef38 000002b5`4803ef38 : msaccess!AccessLoadString+0x809f8
000000f9`aacf7b00 00007ff7`4c635c7c     : 000002b5`7dfbff40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf51cc
000000f9`aacf7bd0 00007ff7`4c851808     : 000002b5`7dfbff70 00000000`80004005 000002b5`7dfbff40 00000000`00000000 : msaccess!AccessLoadString+0x7eecc
000000f9`aacf7fc0 00007ff7`4c852164     : 000002b5`7dfbff40 000000f9`aacf8110 00000000`00000000 000002b5`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf2cd8
000000f9`aacf8070 00007ff7`4c817f3b     : 00000000`00000000 000002b5`33eecfa0 00000000`00000001 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3634
000000f9`aacf8110 00007ff7`4c0ad6f0     : 000002b5`07a8cec0 000002b5`07a8cec0 000002b5`07a8cec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb940b
000000f9`aacf8250 00007ff7`4c925b8f     : 00000000`00000000 000002b5`07a8cec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x331f0
000000f9`aacf8290 00007ff7`4c0b0a7e     : 000002b5`00c78d70 000000f9`aacf8990 000002b5`00c78d70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79b1f
000000f9`aacf8450 00007ff7`4c0a1de6     : 000000f9`aacf8600 000000f9`aacf8738 000002b5`0826ef70 000000f9`aacf8738 : msaccess!ReleaseAccessIconResource+0x3657e
000000f9`aacf85a0 00007ff7`4c246d2e     : 000000f9`aacf8990 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000f9`aacf86c0 00007ff7`4c242e71     : 000000f9`aacfc560 00000000`00000000 00007ffb`d3b40000 000000f9`aacfdea0 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000f9`aacfc500 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000f9`aacfddb0 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000f9`aacff490 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000f9`aacff9b0 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000f9`aacffb50 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000f9`aacffc30 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000f9`aacffc70 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000f9`aacffca0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC