Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-232

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-232.accdb

MD5

11f2877514be9c37a633ef2ff94e531b

Exception details

ExceptionAddress: 00007ffb0d26a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000a8`ef5272f0 00007ffb`0d4a8ad6     : 00000207`01483052 00000000`00000000 00007ffb`0d84af90 000000a8`ef527488 : mso20win32client!CrashWithRecovery+0x4d
000000a8`ef527350 00007ffb`d1921ee9     : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000a8`ef5273c0 00007ffb`d1905011     : 00000207`37d3cf01 00000000`00000000 00000000`00000000 000000a8`ef527470 : ucrtbase!raise+0x1d9
000000a8`ef527440 00007ff7`4c2acb5a     : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 00000207`59f9cff0 : ucrtbase!abort+0x31
000000a8`ef527470 00007ffb`d1921f37     : 00000207`37d3cfc8 00000000`00000000 00000000`10800004 00000000`00000000 : msaccess!SetEnumIntlView+0x202a
000000a8`ef5274a0 00007ff7`4c0b6039     : 00000207`37d3cfc8 00000000`00000000 00007ffb`0d84af90 00000000`ffffffff : ucrtbase!terminate+0x17
000000a8`ef5274d0 00007ff7`4c0b76c7     : 00000000`00000000 00000000`00000000 00000000`00000000 000000a8`ef5275a0 : msaccess!JETESLoadProjectTypeLib+0x3f39
000000a8`ef527520 00007ff7`4c0b6660     : 00000207`37d3cf60 00000207`3c43ef90 00001ba3`5aff4798 00007ffb`d3b67776 : msaccess!JETESLoadProjectTypeLib+0x55c7
000000a8`ef527580 00007ff7`4c0b5bd1     : 00000207`37d3afe0 00000207`37d3afe0 00000207`416f6df0 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x4560
000000a8`ef5275b0 00007ff7`4c0b8b92     : 00000000`00000000 000000a8`ef527b20 00000000`00000000 00000207`7ea90000 : msaccess!JETESLoadProjectTypeLib+0x3ad1
000000a8`ef5275e0 00007ff7`4c09ffa8     : 00000000`00000000 00000000`00000000 00000000`00000001 00007ff7`4cb1053f : msaccess!JETESLoadProjectTypeLib+0x6a92
000000a8`ef527690 00007ff7`4c8ffe6b     : 00000207`37d32d60 00007ff7`4cce0258 00000207`416f6df0 00007ff7`4c91bd90 : msaccess!ReleaseAccessIconResource+0x25aa8
000000a8`ef5276c0 00007ff7`4c91bc28     : 00000000`00000000 00007ff7`4cce0258 00000207`37d32d60 00007ff7`4c8fec3e : msaccess!OpenHscrEmbedded+0x53dfb
000000a8`ef5276f0 00007ff7`4c91bf35     : 00000207`416f6df0 00000000`00000000 00000207`416f6df0 000000a8`ef527b20 : msaccess!OpenHscrEmbedded+0x6fbb8
000000a8`ef527750 00007ff7`4c09fdcd     : 00000000`00000000 00000207`416f6df0 00000207`416f6df0 00007ffb`d10cb4a1 : msaccess!OpenHscrEmbedded+0x6fec5
000000a8`ef527780 00007ff7`4c09c289     : 00000207`368e6f30 00000207`48baefe8 00000000`00000000 00000000`00000411 : msaccess!ReleaseAccessIconResource+0x258cd
000000a8`ef5279d0 00007ff7`4c90c43f     : 00000207`00000001 00000000`00000000 00000000`00008000 00007ff7`4c15c508 : msaccess!ReleaseAccessIconResource+0x21d89
000000a8`ef527a40 00007ff7`4c94a634     : 00000000`00000000 00000000`00008000 000000a8`ef5280c9 00000207`3988b860 : msaccess!OpenHscrEmbedded+0x603cf
000000a8`ef527ab0 00007ff7`4c5220b5     : 000000a8`ef527f68 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!OpenHscrEmbedded+0x9e5c4
000000a8`ef527f10 00007ff7`4c0ad380     : 00000207`4156aec0 000000a8`ef5280d0 00007ffb`d19988c0 000000a8`ef5280d0 : msaccess!MSAU_GetSizeList+0x2715
000000a8`ef528060 00007ff7`4c0ac7c0     : 00000000`00000000 00000000`00000000 00000207`4156aec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32e80
000000a8`ef528130 00007ff7`4c925b5a     : 00000207`4156af18 00000000`00000000 00000207`4156aec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x322c0
000000a8`ef528430 00007ff7`4c0b0a7e     : 00000207`0bddcd70 000000a8`ef528b30 00000207`0bddcd70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79aea
000000a8`ef5285f0 00007ff7`4c0a1de6     : 000000a8`ef5287a0 000000a8`ef5288d8 00000207`2ca0cf70 000000a8`ef5288d8 : msaccess!ReleaseAccessIconResource+0x3657e
000000a8`ef528740 00007ff7`4c246d2e     : 000000a8`ef528b30 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000a8`ef528860 00007ff7`4c242e71     : 000000a8`ef52c700 00000000`00000000 00007ffb`d3b40000 000000a8`ef52e040 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000a8`ef52c6a0 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000a8`ef52df50 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000a8`ef52f630 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000a8`ef52fb50 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000a8`ef52fcf0 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000a8`ef52fdd0 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000a8`ef52fe10 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000a8`ef52fe40 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC