Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-253

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Contact us

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-253.accdb

MD5

b8d300d87d61c3ee0ebdefb5704ab2eb

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000eb`d02ff530 00007fff`bce71b66 : 00000292`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
000000eb`d02ff590 00007ff8`726f1ee9 : 00000000`00000016 00000292`52f03b78 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000eb`d02ff600 00007ff8`726d5011 : 00000292`52fa1b01 00000292`00000000 00000000`00000000 000000eb`d02ff6b0 : ucrtbase!raise+0x1d9
000000eb`d02ff680 00007ff7`0c56e0ba : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 00000292`4fef9ff0 : ucrtbase!abort+0x31
000000eb`d02ff6b0 00007ff8`726f1f37 : 00000292`52fa1b78 00000292`52f03b78 00000000`00000000 00000292`52f97778 : msaccess!SetEnumIntlView+0x202a
000000eb`d02ff6e0 00007ff7`0c5c7ed1 : 00000292`52fa1b78 00007fff`bd22c560 00000292`52f03b78 00000000`00000083 : ucrtbase!terminate+0x17
000000eb`d02ff710 00007ff7`0c5ca322 : 00000292`52fa1b78 00000000`00000000 00000000`00000083 00000292`00000000 : msaccess!SizeCallback+0x513e1
000000eb`d02ff740 00007ff7`0c89f79e : 000000eb`d02ff7e8 00000292`3de27860 00000000`00000083 00000000`0000fa46 : msaccess!SizeCallback+0x53832
000000eb`d02ff7a0 00007ff7`0c89f846 : 00000292`52f97778 000000eb`d03006b8 000000eb`d03006b8 00000000`0000324f : msaccess!AccessLoadString+0x25afe
000000eb`d0300670 00007ff7`0c89f846 : 00000292`52f81888 000000eb`d0301588 000000eb`d0301588 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
000000eb`d0301540 00007ff7`0c89f846 : 00000292`440b2fe0 000000eb`d0302458 000000eb`d0302458 00000000`0000ffe2 : msaccess!AccessLoadString+0x25ba6
000000eb`d0302410 00007ff7`0c89f846 : 00000292`52ebbbb8 000000eb`d0303328 000000eb`d0303328 00000000`0000000a : msaccess!AccessLoadString+0x25ba6
000000eb`d03032e0 00007ff7`0c89f846 : 00000292`43d32ff0 000000eb`d03041f8 000000eb`d03041f8 00000000`00000000 : msaccess!AccessLoadString+0x25ba6
000000eb`d03041b0 00007ff7`0c8a6d2a : 00000000`0000000c 00000292`6b913f70 000000eb`d03071f0 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
000000eb`d0305080 00007ff7`0c8a61a8 : 00000000`00000000 00000000`00000000 000000eb`d0307a00 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
000000eb`d0305840 00007ff7`0c89e772 : 00000000`00020102 00000292`3de27860 00000000`00008000 00000000`00000000 : msaccess!AccessLoadString+0x2c508
000000eb`d0307140 00007ff7`0c652af6 : 00000000`00000000 01c10369`cf3f3500 01c10369`9c468040 00000000`00000000 : msaccess!AccessLoadString+0x24ad2
000000eb`d0307560 00007ff7`0c691e81 : 006f0073`006f0072 004a002e`00740066 004e002e`00740065 00760069`00740061 : msaccess!SizeCallback+0xdc006
000000eb`d0307750 00007ff7`0c41ced8 : 00000292`3de27860 00007ff7`0cbc3b97 00000000`00000003 000000eb`00000000 : msaccess!WizChooseColor+0x3d971
000000eb`d03077c0 00007ff7`0cc0e369 : 00000000`00000000 00000000`00008000 000000eb`d0307e29 00000292`3de27860 : msaccess!JETESLoadProjectTypeLib+0xa9758
000000eb`d0307810 00007ff7`0c7e5b45 : 000000eb`d0307cc8 00000000`00000000 000000eb`d0307e29 00000292`3de27860 : msaccess!OpenHscrEmbedded+0x9e4b9
000000eb`d0307c70 00007ff7`0c36ea60 : 00000292`22913ec0 000000eb`d0307e30 00007ff8`727688c0 000000eb`d0307e30 : msaccess!MSAU_GetSizeList+0x26f5
000000eb`d0307dc0 00007ff7`0c36dea3 : 00000000`00000000 00000000`00000000 00000292`22913ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32de0
000000eb`d0307e90 00007ff7`0cbe95a5 : 00000292`22913f18 00000000`00000000 00000292`22913ec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32223
000000eb`d0308190 00007ff7`0c3720f1 : 00000000`00000002 000000eb`d03086c0 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x796f5
000000eb`d0308350 00007ff7`0c36348e : 000000eb`d03084f0 000000eb`d0308628 00000292`27caff70 000000eb`d0308628 : msaccess!ReleaseAccessIconResource+0x36471
000000eb`d0308490 00007ff7`0c508775 : 000000eb`d03086c0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
000000eb`d03085b0 00007ff7`0c504855 : 000000eb`d030c290 00000000`00000000 00007ff8`74f9fbcc 000000eb`d030dbd0 : msaccess!MSAU_ErrSortStringArray+0x34605
000000eb`d030c230 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
000000eb`d030dae0 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
000000eb`d030f1c0 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
000000eb`d030f6e0 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
000000eb`d030f880 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000eb`d030f960 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000eb`d030f9a0 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000eb`d030f9d0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Download PoC