Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-240

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20140, and is triggered when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could, although it is unlikely, gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, the issue could result in a persistent DoS, where the application continues to crash even after the target reboots.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE
Version: 16.0.18025.20140
Architecture: x64
MD5: b01e7ffb56cef062e8e3585e054c7d35

Proof-of-Concept file information

File name: 2024-240.accdb
MD5: 7927b0f2297ee569d2a477e086261d8e

Exception details

ExceptionAddress: 00007ff70ec0dfe6 (msaccess!WizChooseColor+0x000000000001b8f6)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000050
Attempt to read from address 0000000000000050
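
The exception record above can be triaged mechanically. The following sketch is an added example, not part of the original report: it parses the record and classifies the fault as a read inside the unmapped low 64 KB of the address space, the usual pattern of a null-pointer dereference. The function names and the `NULL_PAGE_LIMIT` constant are assumptions of this example.

```python
import re

# Exception record copied from this report's "Exception details" section.
EXCEPTION_RECORD = """\
ExceptionAddress: 00007ff70ec0dfe6 (msaccess!WizChooseColor+0x000000000001b8f6)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000000000000050
"""

ACCESS_VIOLATION = 0xC0000005
# For an access violation, Parameter[0] is the access type and
# Parameter[1] is the address that could not be accessed.
ACCESS_TYPES = {0: "read", 1: "write", 8: "execute (DEP)"}
# Windows keeps the lowest 64 KB of user address space unmapped, so a fault
# there normally means a null base pointer plus a small field offset.
NULL_PAGE_LIMIT = 0x10000  # assumption of this example: triage threshold


def parse_exception_record(text):
    """Parse 'Key: hexvalue ...' lines into a dict of integers."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"\s*([\w\[\]]+):\s*([0-9a-fA-F`]+)", line)
        if m:
            # WinDbg may split 64-bit values with a backtick; drop it.
            fields[m.group(1)] = int(m.group(2).replace("`", ""), 16)
    return fields


def triage(text):
    """Return (access_type, fault_address, near_null), or None if not an AV."""
    rec = parse_exception_record(text)
    if rec.get("ExceptionCode") != ACCESS_VIOLATION:
        return None
    if rec.get("NumberParameters", 0) < 2:
        return None
    access = ACCESS_TYPES.get(rec["Parameter[0]"], "unknown")
    address = rec["Parameter[1]"]
    return access, address, address < NULL_PAGE_LIMIT


if __name__ == "__main__":
    access, address, near_null = triage(EXCEPTION_RECORD)
    print(f"{access} at {address:#x}, near-null: {near_null}")
```

A write or execute fault, or a fault at an address outside the low 64 KB, would warrant closer analysis than the read at `0x50` recorded here.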

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000cd`4fef4010 00007ff7`0ec0f158 : 000000cd`00000000 00000000`00000000 00000000`00000000 00000205`00000000 : msaccess!WizChooseColor+0x1b8f6
000000cd`4fef4200 00007ff7`0ec07c45 : 00000000`0000005a 000000cd`4fef47e0 00000000`00000018 00000205`0049414e : msaccess!WizChooseColor+0x1ca68
000000cd`4fef4330 00007ff7`0e9853fe : 00000000`01200ae4 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!WizChooseColor+0x15555
000000cd`4fef46e0 00007ffb`27b05801 : 00000000`009d02ae 00000000`00000000 00000000`0000003d 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x732fe
000000cd`4fef4a30 00007ffb`27b0509c : 00000000`00000388 00007ff7`0e985160 00000000`009d02ae 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x341
000000cd`4fef4b90 00007ffb`27b362c3 : 00000000`00000000 00000000`00000000 00000000`00000000 0000002f`00000058 : USER32!DispatchClientMessage+0x9c
000000cd`4fef4bf0 00007ffb`27e63654 : 00007ffb`27e5f4c0 00000000`009d02ae 00000000`0000000f 00000000`00000000 : USER32!_fnDWORD+0x33
000000cd`4fef4c50 00007ffb`251018b4 : 00007ffb`27b034b8 00000000`00000001 00000205`60744b40 00000000`017b0832 : ntdll!KiUserCallbackDispatcherContinue
000000cd`4fef4cd8 00007ffb`27b034b8 : 00000000`00000001 00000205`60744b40 00000000`017b0832 00007ffb`27af9630 : win32u!NtUserDispatchMessage+0x14
000000cd`4fef4ce0 00007ffb`27af893e : 000000cd`4fef4db0 00000000`014d0b4c 00000205`60744b40 00000000`00000000 : USER32!DispatchMessageWorker+0x348
000000cd`4fef4d60 00007ffb`27b0fd37 : 00000000`00000000 00000000`00000001 00000000`00000001 00000000`00000008 : USER32!DialogBox2+0x2ba
000000cd`4fef4e10 00007ffb`27b56b5c : 00000205`0077eda0 00000000`014d0b4c 00007ffa`6192d180 00007ffa`61180000 : USER32!InternalDialogBox+0x8f
000000cd`4fef4e70 00007ffb`27b56ad8 : 00007ffa`6192d180 000000cd`4fef5040 00000205`0077eda0 00000000`00000000 : USER32!DialogBoxIndirectParamAorW+0x6c
000000cd`4fef4eb0 00007ffa`61f4e77d : 00007ffa`6192d180 00000205`0077eda0 00000000`00010007 00007ffa`6121367a : USER32!DialogBoxIndirectParamW+0x18
000000cd`4fef4ef0 00007ffa`61937bf6 : 00000000`014d0b4c 00000000`00010007 000000cd`4fef51a0 00000000`0000001c : mso!IsolationAwareDialogBoxIndirectParamW+0x89
000000cd`4fef4f40 00007ffa`61954395 : 00000000`00000000 00000000`00000000 00000000`00000000 000000cd`4fef5710 : mso!std::_Func_impl_no_alloc<`Mso::TellMe::GetResultGroupTypeString'::`2'::<lambda_1>,bool,_GUID const & __ptr64,_GUID const & __ptr64>::_Do_call+0xb46
000000cd`4fef50e0 00007ffa`6195404c : 00000000`00000000 000000cd`4fef5520 00000000`6b379c6d 00000000`00000000 : mso!CSmartTagTokenProperties::CSmartTagTokenProperties+0xcfd
000000cd`4fef5410 00007ffa`61f4dd31 : 00007ffb`00000004 00000000`00000000 000000cd`4fef56c0 000000cd`4fef5bc0 : mso!CSmartTagTokenProperties::CSmartTagTokenProperties+0x9b4
000000cd`4fef5670 00007ffa`6a24f9d1 : 00000205`69d59fe0 00007ffa`6ad185fc 00000000`00000d40 00007ffa`6afa1a7c : mso!Mso::Alerts::MsoAlertApi::LDoAlertTFCWAHrEx+0x101
000000cd`4fef5730 00007ff7`0eca74af : 00000205`490f3880 00000000`00000000 00000000`00000000 00007ffb`00000c8b : mso30win32client!LDoAlertTFCWAHrEx+0xe1
000000cd`4fef57e0 00007ff7`0eca70a0 : 00000000`014d0b4c 00000000`00000001 00000000`00000001 00000000`00000000 : msaccess!FGetDlgHelp+0x80f
000000cd`4fef5b30 00007ff7`0eca8d51 : ffffffff`ffffffff 00007ff7`0f76ab00 00000205`41a1cef0 00000000`00000000 : msaccess!FGetDlgHelp+0x400
000000cd`4fef7e50 00007ff7`0eb0b8df : 00000000`014d0b4c 00000000`00000001 00000000`00000001 00000000`00010007 : msaccess!FGetDlgHelp+0x20b1
000000cd`4fef8020 00007ff7`0e8eaa97 : 00000205`41a1cef0 00007ff7`0f76ab00 00000000`00000030 00000000`00000000 : msaccess!SetEnumIntlView+0xdaf
000000cd`4fef8130 00007ff7`0e8e9e25 : 00000205`267c0d30 00000000`01200ae4 00000205`267c0d30 00007ffa`614006e6 : msaccess!ReleaseAccessIconResource+0x10597
000000cd`4fef8300 00007ff7`0eb0cd53 : 00000205`267c0d30 00000205`00000000 00000000`01200ae4 00007ffa`61400e67 : msaccess!ReleaseAccessIconResource+0xf925
000000cd`4fef8330 00007ff7`0f18c59a : 00000205`7084f860 000000cd`4fef8440 00000000`00000001 00007ffa`61400fc5 : msaccess!SetEnumIntlView+0x2223
000000cd`4fef8360 00007ff7`0eaa7df8 : 00000000`00000075 000000cd`4fef8460 000000cd`4fef8440 ffffffff`ffffffff : msaccess!OpenHscrEmbedded+0x8052a
000000cd`4fef83b0 00007ff7`0eaa2e71 : 000000cd`4fefc250 00000000`00000000 00007ffb`27d00000 000000cd`4fefdb90 : msaccess!MSAU_ErrSortStringArray+0x35698
000000cd`4fefc1f0 00007ff7`0ea9cbab : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000cd`4fefdaa0 00007ff7`0eaa374a : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000cd`4feff180 00007ff7`0ed6030b : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000cd`4feff6a0 00007ff7`0ed6140e : 00000000`00000000 00000000`00000000 00007ff7`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000cd`4feff840 00007ff7`0e8d2612 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000cd`4feff910 00007ffb`27a0dbe7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000cd`4feff950 00007ffb`27d85a4c : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000cd`4feff980 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce