Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-231

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-231.accdb

MD5

05be0a9018c2e1f7991901037ba11f07

Exception details

ExceptionAddress: 00007ffb0d26a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000e2`d4dd15e0 00007ffb`0d4a8ad6     : 00000206`01483052 00000000`00000000 00007ffb`0d84af90 000000e2`d4dd1778 : mso20win32client!CrashWithRecovery+0x4d
000000e2`d4dd1640 00007ffb`d1921ee9     : 00000000`00000016 00000206`729fdb78 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000e2`d4dd16b0 00007ffb`d1905011     : 00000206`72a89b01 00000206`00000000 00000000`00000000 000000e2`d4dd1760 : ucrtbase!raise+0x1d9
000000e2`d4dd1730 00007ff7`4c2acb5a     : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 00000206`62222ff0 : ucrtbase!abort+0x31
000000e2`d4dd1760 00007ffb`d1921f37     : 00000206`72a89b78 00000206`729fdb78 00000000`00000083 00000206`729fdb78 : msaccess!SetEnumIntlView+0x202a
000000e2`d4dd1790 00007ff7`4c306371     : 00000206`72a89b78 00000000`fffffffd 00007ffb`0d84af90 01010101`01010101 : ucrtbase!terminate+0x17
000000e2`d4dd17c0 00007ff7`4c3087b2     : 00000206`72a89b78 00000000`00000000 00000000`00000083 00000206`00000000 : msaccess!SizeCallback+0x50f51
000000e2`d4dd17f0 00007ff7`4c5dca90     : 000000e2`d4dd1898 00000206`2ef7a860 00000000`00000083 00000000`0000fa47 : msaccess!SizeCallback+0x53392
000000e2`d4dd1850 00007ff7`4c5dcb40     : 00000206`72a7f778 000000e2`d4dd2758 000000e2`d4dd2758 00000000`0000324f : msaccess!AccessLoadString+0x25ce0
000000e2`d4dd2710 00007ff7`4c5dcb40     : 00000206`72a69888 000000e2`d4dd3618 000000e2`d4dd3618 00000000`00000001 : msaccess!AccessLoadString+0x25d90
000000e2`d4dd35d0 00007ff7`4c5dcb40     : 00000206`5fa2cff0 000000e2`d4dd44d8 000000e2`d4dd44d8 00000000`0000ffe2 : msaccess!AccessLoadString+0x25d90
000000e2`d4dd4490 00007ff7`4c5e3f86     : 00000206`1d2c1f70 00000000`0000000c 000000e2`d4dd74c0 00000000`00000001 : msaccess!AccessLoadString+0x25d90
000000e2`d4dd5350 00007ff7`4c5e340d     : 00000000`00000000 00000000`00000000 000000e2`d4dd7cd0 00000000`00000001 : msaccess!AccessLoadString+0x2d1d6
000000e2`d4dd5b10 00007ff7`4c5dba62     : 00000000`00020102 00000206`2ef7a860 00000000`00008000 00000000`00000000 : msaccess!AccessLoadString+0x2c65d
000000e2`d4dd7410 00007ff7`4c390d0e     : 00000206`68107f40 000000e2`d4dd7850 000036bf`37b069ec 00000000`00000102 : msaccess!AccessLoadString+0x24cb2
000000e2`d4dd7830 00007ff7`4c3cfce5     : 006f0073`006f0072 004a002e`00740066 004e002e`00740065 00760069`00740061 : msaccess!SizeCallback+0xdb8ee
000000e2`d4dd7a20 00007ff7`4c15c508     : 00000206`2ef7a860 00007ff7`4c8ffde7 00000000`00000003 000000e2`00000000 : msaccess!WizChooseColor+0x3d5f5
000000e2`d4dd7a90 00007ff7`4c94a899     : 00000000`00000000 00000000`00008000 000000e2`d4dd80f9 00000206`2ef7a860 : msaccess!JETESLoadProjectTypeLib+0xaa408
000000e2`d4dd7ae0 00007ff7`4c5220b5     : 000000e2`d4dd7f98 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!OpenHscrEmbedded+0x9e829
000000e2`d4dd7f40 00007ff7`4c0ad380     : 00000206`5c018ec0 000000e2`d4dd8100 00007ffb`d19988c0 000000e2`d4dd8100 : msaccess!MSAU_GetSizeList+0x2715
000000e2`d4dd8090 00007ff7`4c0ac7c0     : 00000000`00000000 00000000`00000000 00000206`5c018ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32e80
000000e2`d4dd8160 00007ff7`4c925b5a     : 00000206`5c018f18 00000000`00000000 00000206`5c018ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x322c0
000000e2`d4dd8460 00007ff7`4c0b0a7e     : 00000206`28bfad70 000000e2`d4dd8b60 00000206`28bfad70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79aea
000000e2`d4dd8620 00007ff7`4c0a1de6     : 000000e2`d4dd87d0 000000e2`d4dd8908 00000206`2f57cf70 000000e2`d4dd8908 : msaccess!ReleaseAccessIconResource+0x3657e
000000e2`d4dd8770 00007ff7`4c246d2e     : 000000e2`d4dd8b60 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000e2`d4dd8890 00007ff7`4c242e71     : 000000e2`d4ddc730 00000000`00000000 00007ffb`d3b40000 000000e2`d4dde070 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000e2`d4ddc6d0 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000e2`d4dddf80 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000e2`d4ddf660 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000e2`d4ddfb80 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000e2`d4ddfd20 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000e2`d4ddfe00 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000e2`d4ddfe40 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000e2`d4ddfe70 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC