Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-233

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically in MSACCESS.EXE version 16.0.18025.20214, and is triggered when the application opens a specially crafted file. By sending a target the file and convincing them to open it, an attacker could gain Remote Code Execution (RCE) on the target's computer through the unpatched issue, although this is unlikely. Even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely because of how Microsoft Access handles recent files, file recovery, and file repair, it is possible that the issue results in a persistent DoS attack, where the application continues to crash even after the target reboots.

Attack vector: Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE
Version: 16.0.18025.20214
Architecture: x64
MD5: 07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name: 2024-233.accdb
MD5: 23b589cf90e30c5ace4a7e66d9d96592

Exception details

ExceptionAddress: 00007ffb0d66a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000df`9c0f7130 00007ffb`0d8a8ad6 : 00000211`01483052 00000000`00000000 00007ffb`0dc4af90 000000df`9c0f72c8 : mso20win32client!CrashWithRecovery+0x4d
000000df`9c0f7190 00007ffb`d1921ee9 : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000df`9c0f7200 00007ffb`d1905011 : 00000000`65722001 00000000`00000000 00000000`00000000 000000df`9c0f72b0 : ucrtbase!raise+0x1d9
000000df`9c0f7280 00007ff7`4c2acb5a : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 00000211`e75d5ff0 : ucrtbase!abort+0x31
000000df`9c0f72b0 00007ffb`d1921f37 : 00000000`65722065 00000000`00000000 00000211`89d0ffc8 00000000`00000000 : msaccess!SetEnumIntlView+0x202a
000000df`9c0f72e0 00007ff7`4c0b61d4 : 00000000`65722065 00000000`00000000 00007ffb`0dc4af90 00000000`00000000 : ucrtbase!terminate+0x17
000000df`9c0f7310 00007ff7`4c0b7687 : 00000000`00000000 00000000`00000000 00000000`00000000 000000df`9c0f73d0 : msaccess!JETESLoadProjectTypeLib+0x40d4
000000df`9c0f7350 00007ff7`4c0b6660 : 00000211`89d0ff60 00000211`85f34f90 000076ef`9710bd2a 00007ffb`d3b67776 : msaccess!JETESLoadProjectTypeLib+0x5587
000000df`9c0f73b0 00007ff7`4c0b5bd1 : 00000211`89d0dfe0 00000211`89d0dfe0 00000211`85199df0 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x4560
000000df`9c0f73e0 00007ff7`4c0b8b92 : 00000000`00000000 000000df`9c0f7950 00000000`00000000 00000211`c2150000 : msaccess!JETESLoadProjectTypeLib+0x3ad1
000000df`9c0f7410 00007ff7`4c09ffa8 : 00000000`00000000 00000000`00000001 00000000`00000001 00007ff7`4cb1053f : msaccess!JETESLoadProjectTypeLib+0x6a92
000000df`9c0f74c0 00007ff7`4c8ffe6b : 00000211`edeeed60 00007ff7`4cce01f0 00000211`85199df0 00007ff7`4c91bd90 : msaccess!ReleaseAccessIconResource+0x25aa8
000000df`9c0f74f0 00007ff7`4c91bc28 : 00000000`00000000 00007ff7`4cce01f0 00000211`edeeed60 00007ff7`4c8fec3e : msaccess!OpenHscrEmbedded+0x53dfb
000000df`9c0f7520 00007ff7`4c91bf35 : 00000211`85199df0 00000000`00000000 00000211`85199df0 000000df`9c0f7950 : msaccess!OpenHscrEmbedded+0x6fbb8
000000df`9c0f7580 00007ff7`4c09fdcd : 00000000`00000000 00000211`85199df0 00000211`85199df0 00007ffb`d10cb4a1 : msaccess!OpenHscrEmbedded+0x6fec5
000000df`9c0f75b0 00007ff7`4c09c289 : 00000211`ca342f30 00000211`f2a75fe8 00000000`00000000 00000000`00000411 : msaccess!ReleaseAccessIconResource+0x258cd
000000df`9c0f7800 00007ff7`4c90c43f : 00000211`00000001 00000000`00000000 00000000`00008004 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x21d89
000000df`9c0f7870 00007ff7`4c94a634 : 00000000`00000000 00000000`00008004 000000df`9c0f7ef9 00000211`fb87b860 : msaccess!OpenHscrEmbedded+0x603cf
000000df`9c0f78e0 00007ff7`4c5220e6 : 000000df`9c0f7d98 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!OpenHscrEmbedded+0x9e5c4
000000df`9c0f7d40 00007ff7`4c0ad380 : 00000211`83ae4ec0 000000df`9c0f7f00 00007ffb`d19988c0 000000df`9c0f7f00 : msaccess!MSAU_GetSizeList+0x2746
000000df`9c0f7e90 00007ff7`4c0ac7c0 : 00000000`00000000 00000000`00000000 00000211`83ae4ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32e80
000000df`9c0f7f60 00007ff7`4c925b5a : 00000211`83ae4f18 00000000`00000000 00000211`83ae4ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x322c0
000000df`9c0f8260 00007ff7`4c0b0a7e : 00000211`cdd56d70 000000df`9c0f8960 00000211`cdd56d70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79aea
000000df`9c0f8420 00007ff7`4c0a1de6 : 000000df`9c0f85d0 000000df`9c0f8708 00000211`840d2f70 000000df`9c0f8708 : msaccess!ReleaseAccessIconResource+0x3657e
000000df`9c0f8570 00007ff7`4c246d2e : 000000df`9c0f8960 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000df`9c0f8690 00007ff7`4c242e71 : 000000df`9c0fc530 00000000`00000000 00007ffb`d3b40000 000000df`9c0fde70 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000df`9c0fc4d0 00007ff7`4c23cbab : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000df`9c0fdd80 00007ff7`4c24374a : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000df`9c0ff460 00007ff7`4c50030b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000df`9c0ff980 00007ff7`4c50140e : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000df`9c0ffb20 00007ff7`4c072612 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000df`9c0ffc00 00007ffb`d27bdbe7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000df`9c0ffc40 00007ffb`d3c1fbec : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000df`9c0ffc70 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce