Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-224

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-224.accdb

MD5

5c1a0dce4832d4ee9fe7cf0c86d68b17

Exception details

ExceptionAddress: 00007ffb0d11a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
00000062`fb715b60 00007ffb`0d358ad6     : 000001c5`01483052 00000000`00000000 00007ffb`0d6faf90 00000062`fb715cf8 : mso20win32client!CrashWithRecovery+0x4d
00000062`fb715bc0 00007ffb`d1921ee9     : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
00000062`fb715c30 00007ffb`d1905011     : 000001c5`e0b78f01 00000000`00000000 00000000`00000000 00000062`fb715ce0 : ucrtbase!raise+0x1d9
00000062`fb715cb0 00007ff7`4c2acb5a     : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 000001c5`d5456ff0 : ucrtbase!abort+0x31
00000062`fb715ce0 00007ffb`d1921f37     : 000001c5`e0b78fc8 00000000`00000000 00000000`15000001 00000000`00000000 : msaccess!SetEnumIntlView+0x202a
00000062`fb715d10 00007ff7`4c0b6039     : 000001c5`e0b78fc8 00000000`00000000 00007ffb`0d6faf90 00000000`ffffffff : ucrtbase!terminate+0x17
00000062`fb715d40 00007ff7`4c0b76c7     : 00000000`00000000 00000000`00000000 00000000`00000000 00007ff7`4c85845c : msaccess!JETESLoadProjectTypeLib+0x3f39
00000062`fb715d90 00007ff7`4c0b6660     : 000001c5`e0b78f60 000001c5`fe0dcf90 0000fbad`038faa0c 00000025`fb715f20 : msaccess!JETESLoadProjectTypeLib+0x55c7
00000062`fb715df0 00007ff7`4c0b5bd1     : 000001c5`e0b76fe0 000001c5`e0b76fe0 00000062`fb715ec0 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x4560
00000062`fb715e20 00007ff7`4c0b5d0d     : 000001c5`d9d6fec0 00000062`fb7166b8 000001c5`a0ed5860 000001c5`a0ed5860 : msaccess!JETESLoadProjectTypeLib+0x3ad1
00000062`fb715e50 00007ff7`4c0a1ad7     : 000001c5`e08a2fd0 000001c5`ef76cfe2 000001c5`ef76cfe2 00000062`fb7163da : msaccess!JETESLoadProjectTypeLib+0x3c0d
00000062`fb715e90 00007ff7`4c859ee4     : 00000000`00000000 00000000`00008000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x275d7
00000062`fb716000 00007ff7`4c85b843     : 000001c5`a0ed5860 00000000`00000000 000001c5`ec37afd0 000001c5`a0ed5860 : msaccess!FUniqueIndexTableFieldEx+0xfb3b4
00000062`fb7165f0 00007ff7`4c81dc50     : 000001c5`a0ed5860 00000062`fb7166d0 00000000`00000000 000001c5`cd3c9f00 : msaccess!FUniqueIndexTableFieldEx+0xfcd13
00000062`fb716680 00007ff7`4c850956     : 000001c5`ec37afd0 00000000`00008000 000001c5`ef925f40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf120
00000062`fb716700 00007ff7`4c63536d     : 000001c5`ef76cfd8 00000000`00000000 000001c5`f4683f90 00000000`ffffffef : msaccess!FUniqueIndexTableFieldEx+0xf1e26
00000062`fb716760 00007ffb`04467504     : 00000000`00000000 000001c5`f4683f90 00000062`fb7167b0 000001c5`c5f82f90 : msaccess!AccessLoadString+0x7e5bd
00000062`fb716790 00007ffb`0441e8b5     : 00000000`00000000 00000000`00000000 000001c5`f4683e78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
00000062`fb7167d0 00007ffb`045cf624     : 00000000`00000000 00000000`00000000 000001c5`f4574498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
00000062`fb716830 00007ffb`045cb071     : 000001c5`ef2959d0 00000062`fb716ab8 00000062`fb716da0 000001c5`a0a20000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
00000062`fb7168a0 00007ffb`045cad91     : 000001c5`ef2959d0 00007ffb`00000010 000001c5`a0a20000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
00000062`fb7168e0 00007ffb`045cbbc4     : 000001c5`ef2959d0 00000000`00000010 000001c5`00000000 00000062`fb7169b8 : VBE7!IMPMGR::GetTypeInfo+0xcd
00000062`fb716950 00007ffb`045cc1e1     : 000001c5`ef2959d0 00007ffb`00000000 00000062`fb7169b8 00000062`fb716ab8 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
00000062`fb716990 00007ffb`045cf3ed     : 000001c5`ef2959d0 00000062`fb716b08 00000062`fb716b20 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
00000062`fb716ae0 00007ffb`0456b8a3     : 000001c5`ef2959d0 000001c5`b31eabe0 00000062`fb716be0 000001c5`b3870fd0 : VBE7!IMPMGR::Write+0x1f5
00000062`fb716b30 00007ffb`045738a5     : 000001c5`e7d66c40 000001c5`b31eabe0 000001c5`00000000 000001c5`80cc7f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
00000062`fb716bf0 00007ffb`04573430     : 000001c5`e7d66c40 000001c5`b31eabe0 000001c5`00000000 00000062`fb716c58 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
00000062`fb716c30 00007ffb`04545292     : 000001c5`e7d66c40 000001c5`eb0eef00 00000062`fb716f80 00000062`fb7172e8 : VBE7!BASIC_TYPEROOT::Write+0x1b0
00000062`fb716d70 00007ffb`04544c3a     : 000001c5`ef02ff80 000001c5`eb0eef00 00000062`fb710001 000001c5`00000001 : VBE7!ExecProj::SaveModule+0x32a
00000062`fb7173c0 00007ffb`0443423c     : 000001c5`ef02ff80 00000000`00000000 00000062`00000001 000001c5`a0ed5860 : VBE7!ExecProj::Save+0x1da
00000062`fb7179f0 00007ff7`4c6377a8     : 000001c5`f456ef38 00007ffb`0445e621 000001c5`efd1c8b0 000001c5`f456ef38 : VBE7!Project::StgSave+0x134
00000062`fb717ad0 00007ff7`4c853cfc     : 00000000`00000000 00000000`00000000 000001c5`f456ef38 000001c5`f456ef38 : msaccess!AccessLoadString+0x809f8
00000062`fb717b40 00007ff7`4c635c7c     : 000001c5`ef925f40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf51cc
00000062`fb717c10 00007ff7`4c851808     : 000001c5`ef925f70 00000000`80004005 000001c5`ef925f40 00000000`00000000 : msaccess!AccessLoadString+0x7eecc
00000062`fb718000 00007ff7`4c852164     : 000001c5`ef925f40 00000062`fb718150 00000000`00000000 000001c5`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf2cd8
00000062`fb7180b0 00007ff7`4c817f3b     : 00000000`00000000 000001c5`d51a2fa0 00000000`00000001 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3634
00000062`fb718150 00007ff7`4c0ad6f0     : 000001c5`d9d6fec0 000001c5`d9d6fec0 000001c5`d9d6fec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb940b
00000062`fb718290 00007ff7`4c925b8f     : 00000000`00000000 000001c5`d9d6fec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x331f0
00000062`fb7182d0 00007ff7`4c0b0a7e     : 000001c5`ac74ad70 00000062`fb7189d0 000001c5`ac74ad70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79b1f
00000062`fb718490 00007ff7`4c0a1de6     : 00000062`fb718640 00000062`fb718778 000001c5`d8a04f70 00000062`fb718778 : msaccess!ReleaseAccessIconResource+0x3657e
00000062`fb7185e0 00007ff7`4c246d2e     : 00000062`fb7189d0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
00000062`fb718700 00007ff7`4c242e71     : 00000062`fb71c5a0 00000000`00000000 00007ffb`d3b40000 00000062`fb71dee0 : msaccess!MSAU_ErrSortStringArray+0x345ce
00000062`fb71c540 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
00000062`fb71ddf0 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
00000062`fb71f4d0 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
00000062`fb71f9f0 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
00000062`fb71fb90 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
00000062`fb71fc70 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
00000062`fb71fcb0 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
00000062`fb71fce0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC