Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-234

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-234.accdb

MD5

f6cc9488585661667f51b2655af8c0e5

Exception details

ExceptionAddress: 00007ffb0d66a7dd (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000b9`7dd017d0 00007ffb`0d8a8ad6     : 00000248`01483052 00000000`00000000 00007ffb`0dc4af90 000000b9`7dd01968 : mso20win32client!CrashWithRecovery+0x4d
000000b9`7dd01830 00007ffb`d1921ee9     : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000b9`7dd018a0 00007ffb`d1905011     : 00000000`ffffe801 00000000`00000000 00000000`00000000 000000b9`7dd01950 : ucrtbase!raise+0x1d9
000000b9`7dd01920 00007ff7`4c2acb5a     : 00000000`00000003 00000000`00000003 ffffffff`fffffffe 00000248`2490cff0 : ucrtbase!abort+0x31
000000b9`7dd01950 00007ffb`d1921f37     : 00000000`ffffe801 00000000`00000000 00000248`248f8f90 00000000`00000000 : msaccess!SetEnumIntlView+0x202a
000000b9`7dd01980 00007ff7`4c0b61d4     : 00000000`ffffe801 00000000`ffffffff 00007ffb`0dc4af90 00000000`00000000 : ucrtbase!terminate+0x17
000000b9`7dd019b0 00007ff7`4c14f928     : 000000b9`7dd01a68 00000000`00000000 00000000`00000000 000000b9`7dd04010 : msaccess!JETESLoadProjectTypeLib+0x40d4
000000b9`7dd019f0 00007ff7`4c5dcc4a     : 000000b9`7dd01a68 00000248`248f8f90 000000b9`7dd01a68 00000000`00000006 : msaccess!JETESLoadProjectTypeLib+0x9d828
000000b9`7dd01a20 00007ff7`4c5dcb40     : 00000248`248fafe0 000000b9`7dd02928 000000b9`7dd02928 00000000`00000004 : msaccess!AccessLoadString+0x25e9a
000000b9`7dd028e0 00007ff7`4c5e3f86     : 00000248`4ce21f70 00000000`0000000c 000000b9`7dd05910 00000000`00000001 : msaccess!AccessLoadString+0x25d90
000000b9`7dd037a0 00007ff7`4c5e340d     : 00000000`00000000 00000000`00000000 00000248`7d1bffd6 00000000`00000001 : msaccess!AccessLoadString+0x2d1d6
000000b9`7dd03f60 00007ff7`4c5dba62     : 00000000`10000102 00000248`08492860 00000000`00008004 00000000`00000000 : msaccess!AccessLoadString+0x2c65d
000000b9`7dd05860 00007ff7`4c390d0e     : 00000248`08492860 00000248`08492860 00000248`1ae38e40 00000248`1ae38e40 : msaccess!AccessLoadString+0x24cb2
000000b9`7dd05c80 00007ff7`4c390ba1     : 00007ffb`0478423c 00007ffb`d3b45f8b 00007ff7`4c853cfc 00007ff7`4c635c7c : msaccess!SizeCallback+0xdb8ee
000000b9`7dd05e70 00007ff7`4c85ad77     : 00000000`00000000 00000248`7d1bffd6 000000b9`7dd06428 00000000`00000009 : msaccess!SizeCallback+0xdb781
000000b9`7dd05ed0 00007ff7`4c85b8a0     : 00000248`08492860 00000000`00000000 00000248`17d41fd0 00000248`08492860 : msaccess!FUniqueIndexTableFieldEx+0xfc247
000000b9`7dd06360 00007ff7`4c81dc50     : 00000248`08492860 000000b9`7dd06440 00000000`00000000 00000248`5d39ef00 : msaccess!FUniqueIndexTableFieldEx+0xfcd70
000000b9`7dd063f0 00007ff7`4c850956     : 00000248`17d41fd0 00000000`00008004 00000248`16a4af40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf120
000000b9`7dd06470 00007ff7`4c63536d     : 00000248`7d1bffc8 00000000`00000000 00000248`207abf90 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf1e26
000000b9`7dd064d0 00007ffb`047b7504     : 00000000`00000000 00000248`207abf90 000000b9`7dd06520 00000248`179b1f90 : msaccess!AccessLoadString+0x7e5bd
000000b9`7dd06500 00007ffb`0476e8b5     : 00000000`00000000 00000000`00000000 00000248`207abe78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
000000b9`7dd06540 00007ffb`0491f624     : 00000000`00000000 00000000`00000000 00000248`20636498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
000000b9`7dd065a0 00007ffb`0491b071     : 00000248`1797f9d0 000000b9`7dd06828 000000b9`7dd06b20 00000248`4cca0000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
000000b9`7dd06610 00007ffb`0491ad91     : 00000248`1797f9d0 00007ffb`00000010 00000248`4cca0000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
000000b9`7dd06650 00007ffb`0491bbc4     : 00000248`1797f9d0 00000000`00000010 00000248`00000000 000000b9`7dd06728 : VBE7!IMPMGR::GetTypeInfo+0xcd
000000b9`7dd066c0 00007ffb`0491c1e1     : 00000248`1797f9d0 00007ffb`00000000 000000b9`7dd06728 000000b9`7dd06828 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
000000b9`7dd06700 00007ffb`0491f3ed     : 00000248`1797f9d0 000000b9`7dd06878 000000b9`7dd06890 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
000000b9`7dd06850 00007ffb`048bb8a3     : 00000248`1797f9d0 00000248`1bbc8be0 000000b9`7dd06950 00000248`5eef4fd0 : VBE7!IMPMGR::Write+0x1f5
000000b9`7dd068a0 00007ffb`048c38a5     : 00000248`15a11c40 00000248`1bbc8be0 00000248`00000000 00000248`1bbc4f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
000000b9`7dd06960 00007ffb`048c3430     : 00000248`15a11c40 00000248`1bbc8be0 00000248`00000000 000000b9`7dd069c8 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
000000b9`7dd069a0 00007ffb`04895292     : 00000248`15a11c40 00000248`16e7cf00 000000b9`7dd06d00 000000b9`7dd07058 : VBE7!BASIC_TYPEROOT::Write+0x1b0
000000b9`7dd06ae0 00007ffb`04894c3a     : 00000248`1af94f80 00000248`16e7cf00 000000b9`7dd0000b 00000248`00000001 : VBE7!ExecProj::SaveModule+0x32a
000000b9`7dd07130 00007ffb`0478423c     : 00000248`1af94f80 00000000`00000000 000000b9`00000001 00000248`08492860 : VBE7!ExecProj::Save+0x1da
000000b9`7dd07760 00007ff7`4c6377a8     : 00000248`20630f38 00007ffb`047ae621 00000248`1af998b0 00000248`20630f38 : VBE7!Project::StgSave+0x134
000000b9`7dd07840 00007ff7`4c853cfc     : 00000000`00000000 00000000`00000000 00000248`20630f38 00000248`20630f38 : msaccess!AccessLoadString+0x809f8
000000b9`7dd078b0 00007ff7`4c635c7c     : 00000248`16a4af40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf51cc
000000b9`7dd07980 00007ff7`4c851808     : 00000248`16a4af70 00000000`80004005 00000248`16a4af40 00000000`00000000 : msaccess!AccessLoadString+0x7eecc
000000b9`7dd07d70 00007ff7`4c852164     : 00000248`16a4af40 000000b9`7dd07ec0 00000000`00000000 00000248`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf2cd8
000000b9`7dd07e20 00007ff7`4c817f3b     : 00000000`00000000 00000248`5e0ccfa0 00000000`00000001 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3634
000000b9`7dd07ec0 00007ff7`4c0ad6f0     : 00000248`0e1c4ec0 00000248`0e1c4ec0 00000248`0e1c4ec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb940b
000000b9`7dd08000 00007ff7`4c925b8f     : 00000000`00000000 00000248`0e1c4ec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x331f0
000000b9`7dd08040 00007ff7`4c0b0a7e     : 00000248`587e2d70 000000b9`7dd08740 00000248`587e2d70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79b1f
000000b9`7dd08200 00007ff7`4c0a1de6     : 000000b9`7dd083b0 000000b9`7dd084e8 00000248`71486f70 000000b9`7dd084e8 : msaccess!ReleaseAccessIconResource+0x3657e
000000b9`7dd08350 00007ff7`4c246d2e     : 000000b9`7dd08740 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000b9`7dd08470 00007ff7`4c242e71     : 000000b9`7dd0c310 00000000`00000000 00007ffb`d3b40000 000000b9`7dd0dc50 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000b9`7dd0c2b0 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000b9`7dd0db60 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000b9`7dd0f240 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000b9`7dd0f760 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000b9`7dd0f900 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000b9`7dd0f9e0 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000b9`7dd0fa20 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000b9`7dd0fa50 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC