
Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-247

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162, and is triggered when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could, though it is unlikely, gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible that the issue could result in a persistent DoS, where the application continues to crash even after the target reboots.

Attack vector: Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE

Version: 16.0.18227.20162

Architecture: x64

MD5: 9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name: 2024-247.accdb

MD5: 3674188d66250a37bfc91ecea55f5546

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
0000002d`0daf7120 00007fff`bce71b66 : 000001a3`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
0000002d`0daf7180 00007ff8`726f1ee9 : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
0000002d`0daf71f0 00007ff8`726d5011 : 000001a3`49b45f01 00000000`00000000 00000000`00000000 0000002d`0daf72a0 : ucrtbase!raise+0x1d9
0000002d`0daf7270 00007ff7`0c56e0ba : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 000001a3`29940ff0 : ucrtbase!abort+0x31
0000002d`0daf72a0 00007ff8`726f1f37 : 000001a3`49b45fc8 00000000`00000000 00000000`0c000002 00000000`0c000001 : msaccess!SetEnumIntlView+0x202a
0000002d`0daf72d0 00007ff7`0c37771a : 000001a3`49b45fc8 00007fff`bd22c560 00000000`00000000 00000000`12000001 : ucrtbase!terminate+0x17
0000002d`0daf7300 00007ff7`0c378d9a : 00000000`00000000 00000000`00000000 00000000`00000000 0000002d`0daf73d0 : msaccess!JETESLoadProjectTypeLib+0x3f9a
0000002d`0daf7350 00007ff7`0c377d34 : 000001a3`49b45f60 000001a3`1a583f90 00005a01`674e17a1 00007ff8`74ee7776 : msaccess!JETESLoadProjectTypeLib+0x561a
0000002d`0daf73b0 00007ff7`0c3772c1 : 000001a3`49b43fe0 000001a3`49b43fe0 000001a3`3be66df0 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x45b4
0000002d`0daf73e0 00007ff7`0c37a292 : 00000000`00000000 0000002d`0daf7950 0000002d`0daf7d98 000001a3`76980000 : msaccess!JETESLoadProjectTypeLib+0x3b41
0000002d`0daf7410 00007ff7`0c361668 : 00000000`00000000 00000000`00000001 00000000`00000001 00007ff7`0cdd35af : msaccess!JETESLoadProjectTypeLib+0x6b12
0000002d`0daf74c0 00007ff7`0cbc3c1b : 000001a3`26193d60 00007ff7`0cfa61b8 000001a3`3be66df0 00007ff7`0cbdf7dc : msaccess!ReleaseAccessIconResource+0x259e8
0000002d`0daf74f0 00007ff7`0cbdf668 : 0000002d`0daf7d98 00007ff7`0cfa61b8 000001a3`26193d60 00007ff7`0cbc29ee : msaccess!OpenHscrEmbedded+0x53d6b
0000002d`0daf7520 00007ff7`0cbdf985 : 000001a3`3be66df0 00000000`00000000 000001a3`3be66df0 0000002d`0daf7950 : msaccess!OpenHscrEmbedded+0x6f7b8
0000002d`0daf7580 00007ff7`0c36148d : 00000000`00000000 000001a3`3be66df0 000001a3`3be66df0 00007ff8`7286b591 : msaccess!OpenHscrEmbedded+0x6fad5
0000002d`0daf75b0 00007ff7`0c35d949 : 000001a3`3417cf30 000001a3`4c17bfe8 00000000`00000000 00000000`00000411 : msaccess!ReleaseAccessIconResource+0x2580d
0000002d`0daf7800 00007ff7`0cbd01f7 : 000001a3`00000001 00000000`00000000 00000000`00008004 00007ff7`0c41ced8 : msaccess!ReleaseAccessIconResource+0x21cc9
0000002d`0daf7870 00007ff7`0cc0e0c6 : 00000000`00000000 00000000`00008004 0000002d`0daf7ef9 000001a3`48dbb860 : msaccess!OpenHscrEmbedded+0x60347
0000002d`0daf78e0 00007ff7`0c7e5b76 : 0000002d`0daf7d98 00000000`00000000 0000002d`0daf7ef9 000001a3`48dbb860 : msaccess!OpenHscrEmbedded+0x9e216
0000002d`0daf7d40 00007ff7`0c36ea60 : 000001a3`2e4b8ec0 0000002d`0daf7f00 00007ff8`727688c0 0000002d`0daf7f00 : msaccess!MSAU_GetSizeList+0x2726
0000002d`0daf7e90 00007ff7`0c36dea3 : 00000000`00000000 00000000`00000000 000001a3`2e4b8ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32de0
0000002d`0daf7f60 00007ff7`0cbe95a5 : 000001a3`2e4b8f18 00000000`00000000 000001a3`2e4b8ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32223
0000002d`0daf8260 00007ff7`0c3720f1 : 00000000`00000002 0000002d`0daf8790 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x796f5
0000002d`0daf8420 00007ff7`0c36348e : 0000002d`0daf85c0 0000002d`0daf86f8 000001a3`32bc1f70 0000002d`0daf86f8 : msaccess!ReleaseAccessIconResource+0x36471
0000002d`0daf8560 00007ff7`0c508775 : 0000002d`0daf8790 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
0000002d`0daf8680 00007ff7`0c504855 : 0000002d`0dafc360 00000000`00000000 00007ff8`74f9fbcc 0000002d`0dafdca0 : msaccess!MSAU_ErrSortStringArray+0x34605
0000002d`0dafc300 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
0000002d`0dafdbb0 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
0000002d`0daff290 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
0000002d`0daff7b0 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
0000002d`0daff950 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
0000002d`0daffa30 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
0000002d`0daffa70 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
0000002d`0daffaa0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce