Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-243

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18025.20214 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18025.20214

Architecture

x64

MD5

07150beff8254eca82fbe186937f361e

Proof-of-Concept file information

File name

2024-243.accdb

MD5

8ce956c95e59431aedd72aaf6f5f206f

Exception details

ExceptionAddress: 00007ff74c5f9df7 (msaccess!AccessLoadString+0x0000000000043047)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000ce`1c97fea0 00007ff7`4c5e4256     : 00007ff7`4c50581e 00007ff7`4c505a96 00007ff7`4cbf7950 00000000`00000200 : msaccess!AccessLoadString+0x43047
000000ce`1c981aa0 00007ff7`4c5dc456     : 000000ce`1c981c48 00000000`00000020 000000ce`1c981c48 00000000`0100100a : msaccess!AccessLoadString+0x2d4a6
000000ce`1c981c00 00007ff7`4c5dcb40     : 000000ce`1c982b08 000001ed`5e810860 000000ce`1c982b08 00000000`0000ffa5 : msaccess!AccessLoadString+0x256a6
000000ce`1c982ac0 00007ff7`4c5e3f86     : 000001ed`23461f70 00000000`0000000c 000000ce`1c985af0 00000000`00000001 : msaccess!AccessLoadString+0x25d90
000000ce`1c983980 00007ff7`4c5e340d     : 00000000`00000000 00000000`00000000 000000ce`1c98670e 00000000`00000001 : msaccess!AccessLoadString+0x2d1d6
000000ce`1c984140 00007ff7`4c5dba62     : 00000000`10000102 000001ed`5e810860 00000000`00008004 00000000`00000000 : msaccess!AccessLoadString+0x2c65d
000000ce`1c985a40 00007ff7`4c390d0e     : 000001ed`5e810860 000001ed`7c23efa8 000001ed`5e810860 000001ed`5e810860 : msaccess!AccessLoadString+0x24cb2
000000ce`1c985e60 00007ff7`4c390ba1     : 00007ffb`0443423c 00007ffb`d3b45f8b 00007ff7`4c853cfc 00007ff7`4c635c7c : msaccess!SizeCallback+0xdb8ee
000000ce`1c986050 00007ff7`4c85ad77     : 00000000`00000000 000000ce`1c98670e 000000ce`1c986608 00000000`0000000f : msaccess!SizeCallback+0xdb781
000000ce`1c9860b0 00007ff7`4c85b8a0     : 000001ed`5e810860 00000000`00000000 000001ed`05dfbfd0 000001ed`5e810860 : msaccess!FUniqueIndexTableFieldEx+0xfc247
000000ce`1c986540 00007ff7`4c81dc50     : 000001ed`5e810860 000000ce`1c986620 00000000`00000000 00007ff7`4c94f383 : msaccess!FUniqueIndexTableFieldEx+0xfcd70
000000ce`1c9865d0 00007ff7`4c850956     : 000001ed`05dfbfd0 00000000`00008004 000001ed`71702f40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf120
000000ce`1c986650 00007ff7`4c63536d     : 000000ce`1c986700 00000000`00000000 000001ed`76d75f90 00007ffb`00000027 : msaccess!FUniqueIndexTableFieldEx+0xf1e26
000000ce`1c9866b0 00007ffb`0446756a     : 00000000`00000000 000001ed`76d75f90 000000ce`1c986750 000001ed`70e12f90 : msaccess!AccessLoadString+0x7e5bd
000000ce`1c9866e0 00007ffb`0441e8b5     : 00000000`00000000 00000000`00000000 000001ed`76d75e78 00007ff7`4c8509f6 : VBE7!CProjitemDocument::LoadDocItem+0xbe
000000ce`1c986770 00007ffb`045cf624     : 00000000`00000000 00000000`00000000 000001ed`76c68498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
000000ce`1c9867d0 00007ffb`045cb071     : 000001ed`7295f9d0 00000000`00000001 00000000`000003eb 00000000`5a3420fb : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
000000ce`1c986840 00007ffb`045cad91     : 000001ed`7295f9d0 00000000`00000010 000001ed`76c68498 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
000000ce`1c986880 00007ffb`045cbbc4     : 000001ed`7295f9d0 000001ed`00000010 000000ce`00000000 000000ce`1c986958 : VBE7!IMPMGR::GetTypeInfo+0xcd
000000ce`1c9868f0 00007ffb`045cc1e1     : 000001ed`7295f9d0 000000ce`00000000 000000ce`1c986958 00007ffb`107f0e5d : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
000000ce`1c986930 00007ffb`045de934     : 000001ed`7295f9d0 000000ce`1c986b08 000000ce`000000d7 000000ce`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
000000ce`1c986a80 00007ffb`045da1a3     : 000001ed`7295b980 000001ed`ffffffff 00007ffb`045e2980 000001ed`5b4ddfd0 : VBE7!BASIC_TYPESRC::ListAttributesOfHdefn+0x254
000000ce`1c986c70 00007ffb`0458adc7     : 000001ed`7295b980 000001ed`5b4ddfd0 00000000`00000000 000001ed`6411af70 : VBE7!BASIC_TYPESRC::SaveAsText+0x73
000000ce`1c986cd0 00007ffb`04573703     : 000001ed`6a765f40 000001ed`5b4ddfd0 00000000`00000000 000001ed`5b4ddfd0 : VBE7!BASIC_TYPEINFO::SaveAsText+0x9f
000000ce`1c986d10 00007ffb`04545292     : 000001ed`6a769c40 000001ed`713a8f00 000000ce`1c987060 000000ce`1c9873c8 : VBE7!BASIC_TYPEROOT::Write+0x483
000000ce`1c986e50 00007ffb`04544c3a     : 000001ed`7259df80 000001ed`713a8f00 000000ce`1c980009 000001ed`00000001 : VBE7!ExecProj::SaveModule+0x32a
000000ce`1c9874a0 00007ffb`0443423c     : 000001ed`7259df80 00000000`00000000 000000ce`00000001 000001ed`5e810860 : VBE7!ExecProj::Save+0x1da
000000ce`1c987ad0 00007ff7`4c6377a8     : 000001ed`76c62f38 00007ffb`0445e621 000001ed`725a08b0 000001ed`76c62f38 : VBE7!Project::StgSave+0x134
000000ce`1c987bb0 00007ff7`4c853cfc     : 00000000`00000000 00000000`00000000 000001ed`76c62f38 000001ed`76c62f38 : msaccess!AccessLoadString+0x809f8
000000ce`1c987c20 00007ff7`4c635c7c     : 000001ed`71702f40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf51cc
000000ce`1c987cf0 00007ff7`4c851808     : 000001ed`71702f70 00000000`80004005 000001ed`71702f40 00000000`00000000 : msaccess!AccessLoadString+0x7eecc
000000ce`1c9880e0 00007ff7`4c852164     : 000001ed`71702f40 000000ce`1c988230 00000000`00000000 000001ed`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf2cd8
000000ce`1c988190 00007ff7`4c817f3b     : 00000000`00000000 000001ed`5a516fa0 00000000`00000001 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3634
000000ce`1c988230 00007ff7`4c0ad6f0     : 000001ed`367fbec0 000001ed`367fbec0 000001ed`367fbec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb940b
000000ce`1c988370 00007ff7`4c925b8f     : 00000000`00000000 000001ed`367fbec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x331f0
000000ce`1c9883b0 00007ff7`4c0b0a7e     : 000001ed`2eee0d70 000000ce`1c988ab0 000001ed`2eee0d70 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79b1f
000000ce`1c988570 00007ff7`4c0a1de6     : 000000ce`1c988720 000000ce`1c988858 000001ed`3342ef70 000000ce`1c988858 : msaccess!ReleaseAccessIconResource+0x3657e
000000ce`1c9886c0 00007ff7`4c246d2e     : 000000ce`1c988ab0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x278e6
000000ce`1c9887e0 00007ff7`4c242e71     : 000000ce`1c98c680 00000000`00000000 00007ffb`d3b40000 000000ce`1c98dfc0 : msaccess!MSAU_ErrSortStringArray+0x345ce
000000ce`1c98c620 00007ff7`4c23cbab     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30711
000000ce`1c98ded0 00007ff7`4c24374a     : 00000000`00000000 00000000`00000000 00000000`00000001 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x2a44b
000000ce`1c98f5b0 00007ff7`4c50030b     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fea
000000ce`1c98fad0 00007ff7`4c50140e     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5c8cb
000000ce`1c98fc70 00007ff7`4c072612     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d9ce
000000ce`1c98fd50 00007ffb`d27bdbe7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x12612
000000ce`1c98fd90 00007ffb`d3c1fbec     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000ce`1c98fdc0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC