Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-261

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically in MSACCESS.EXE version 16.0.18227.20162, and is triggered when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could, although it is unlikely, gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. Even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, the issue could result in a persistent DoS, where the application continues to crash even after the target reboots.

Attack vector: Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE
Version: 16.0.18227.20162
Architecture: x64
MD5: 9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name: 2024-261.accdb
MD5: 60d4d9f144af16eeb5522a944259a89b

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000d7`d5761cc0 00007fff`bce71b66 : 000002d1`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
000000d7`d5761d20 00007ff8`726f1ee9 : 00000000`00000016 000002d1`fac83ff8 000002d1`98c20000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000d7`d5761d90 00007ff8`726d5011 : 00000000`ffffe401 000002d1`00000000 00000000`00000000 000000d7`d5761e40 : ucrtbase!raise+0x1d9
000000d7`d5761e10 00007ff7`0c56e0ba : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 000002d1`fac89ff0 : ucrtbase!abort+0x31
000000d7`d5761e40 00007ff8`726f1f37 : 00000000`ffffe402 000002d1`fac83ff8 00000000`00000001 00000000`ffffe402 : msaccess!SetEnumIntlView+0x202a
000000d7`d5761e70 00007ff7`0c3778a9 : 00000000`ffffe402 00007fff`bd22c560 000002d1`fac83ff8 000002d1`e1504f90 : ucrtbase!terminate+0x17
000000d7`d5761ea0 00007ff7`0c4102b4 : 000000d7`d5761f58 000002d1`fac83ff8 000002d1`fac83ff0 000000d7`d5764520 : msaccess!JETESLoadProjectTypeLib+0x4129
000000d7`d5761ee0 00007ff7`0c89f95c : 000000d7`d5761f58 000002d1`e1504f90 000000d7`d5761f58 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x9cb34
000000d7`d5761f10 00007ff7`0c89f846 : 000000d7`d5762e28 00000000`0000009c 000000d7`d5762e28 00000000`00000001 : msaccess!AccessLoadString+0x25cbc
000000d7`d5762de0 00007ff7`0c8a6d2a : 00000000`0000000c 000002d1`98da3f70 000000d7`d5765e20 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
000000d7`d5763cb0 00007ff7`0c8a61a8 : 00000000`00000000 00000000`00000000 000000d7`d5766a3e 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
000000d7`d5764470 00007ff7`0c89e772 : 00000000`10000102 000002d1`ea8c0860 00000000`00008004 00000000`00000000 : msaccess!AccessLoadString+0x2c508
000000d7`d5765d70 00007ff7`0c652af6 : 000002d1`ea8c0860 000002d1`e8c73fa8 000002d1`e2f16ec0 000002d1`ea8c0860 : msaccess!AccessLoadString+0x24ad2
000000d7`d5766190 00007ff7`0c652989 : 00007fff`b56e423c 00007ff8`74ec5f8b 00007ff7`0cb17b46 00007ff7`0c8f8d91 : msaccess!SizeCallback+0xdc006
000000d7`d5766380 00007ff7`0cb1ebc3 : 00000000`00000000 000000d7`d5766a3e 000000d7`d5766938 00000000`00000014 : msaccess!SizeCallback+0xdbe99
000000d7`d57663e0 00007ff7`0cb1f70c : 000002d1`ea8c0860 00000000`00000000 000002d1`e37dafd0 000002d1`ea8c0860 : msaccess!FUniqueIndexTableFieldEx+0xfcb63
000000d7`d5766870 00007ff7`0cae155c : 000002d1`ea8c0860 000000d7`d5766950 00000000`00000000 000002d1`eeab0fd0 : msaccess!FUniqueIndexTableFieldEx+0xfd6ac
000000d7`d5766900 00007ff7`0cb147a6 : 000002d1`e37dafd0 00000000`00008004 000002d1`c475df40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf4fc
000000d7`d5766980 00007ff7`0c8f847d : 000000d7`d5766a30 00000000`00000000 000002d1`f7989f90 00007fff`0000001b : msaccess!FUniqueIndexTableFieldEx+0xf2746
000000d7`d57669e0 00007fff`b571756a : 00000000`00000000 000002d1`f7989f90 000000d7`d5766a70 000002d1`a412cf90 : msaccess!AccessLoadString+0x7e7dd
000000d7`d5766a10 00007fff`b56ce8b5 : 00000000`00000000 00000000`00000000 000002d1`f7989e78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0xbe
000000d7`d5766a90 00007fff`b587f624 : 00000000`00000000 00000000`00000000 000002d1`f7862498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
000000d7`d5766af0 00007fff`b587b071 : 000002d1`e31b19d0 000000d7`d5766d78 000000d7`d5767060 000002d1`98c20000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
000000d7`d5766b60 00007fff`b587ad91 : 000002d1`e31b19d0 00007ff8`00000010 000002d1`98c20000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
000000d7`d5766ba0 00007fff`b587bbc4 : 000002d1`e31b19d0 00000000`00000010 000002d1`00000000 000000d7`d5766c78 : VBE7!IMPMGR::GetTypeInfo+0xcd
000000d7`d5766c10 00007fff`b587c1e1 : 000002d1`e31b19d0 00007ff8`00000000 000000d7`d5766c78 000000d7`d5766d78 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
000000d7`d5766c50 00007fff`b587f3ed : 000002d1`e31b19d0 000000d7`d5766dc8 000000d7`d5766de0 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
000000d7`d5766da0 00007fff`b581b8a3 : 000002d1`e31b19d0 000002d1`fe4bcbe0 000000d7`d5766ea0 000002d1`d41e6fd0 : VBE7!IMPMGR::Write+0x1f5
000000d7`d5766df0 00007fff`b58238a5 : 000002d1`eb276c40 000002d1`fe4bcbe0 000002d1`00000000 000002d1`fe4b8f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
000000d7`d5766eb0 00007fff`b5823430 : 000002d1`eb276c40 000002d1`fe4bcbe0 000002d1`00000000 000000d7`d5766f18 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
000000d7`d5766ef0 00007fff`b57f5292 : 000002d1`eb276c40 000002d1`d2098f00 000000d7`d5767240 000000d7`d57675a8 : VBE7!BASIC_TYPEROOT::Write+0x1b0
000000d7`d5767030 00007fff`b57f4c3a : 000002d1`ef562f80 000002d1`d2098f00 000000d7`d5760007 000002d1`00000001 : VBE7!ExecProj::SaveModule+0x32a
000000d7`d5767680 00007fff`b56e423c : 000002d1`ef562f80 00000000`00000000 000000d7`00000001 000002d1`ea8c0860 : VBE7!ExecProj::Save+0x1da
000000d7`d5767cb0 00007ff7`0c8fa8b8 : 000002d1`f785cf38 00007fff`b570e621 000002d1`ef5678b0 000002d1`f785cf38 : VBE7!Project::StgSave+0x134
000000d7`d5767d90 00007ff7`0cb17b46 : 00000000`00000000 00000000`00000000 000002d1`f785cf38 000002d1`f785cf38 : msaccess!AccessLoadString+0x80c18
000000d7`d5767e00 00007ff7`0c8f8d91 : 000002d1`c475df40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf5ae6
000000d7`d5767ed0 00007ff7`0cb15658 : 000002d1`c475df70 00000000`80004005 000002d1`c475df40 00000000`00000000 : msaccess!AccessLoadString+0x7f0f1
000000d7`d57682c0 00007ff7`0cb15fac : 000002d1`c475df40 000000d7`d5768410 00000000`00000000 000002d1`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf35f8
000000d7`d5768370 00007ff7`0cadb86c : 00000000`00000000 00000000`00000001 000002d1`e2f16ec0 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3f4c
000000d7`d5768410 00007ff7`0c36edd0 : 000002d1`e2f16ec0 000002d1`e2f16ec0 000002d1`e2f16ec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb980c
000000d7`d5768540 00007ff7`0cbe95da : 00000000`00000000 000002d1`e2f16ec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x33150
000000d7`d5768580 00007ff7`0c3720f1 : 00000000`00000002 000000d7`d5768ab0 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x7972a
000000d7`d5768740 00007ff7`0c36348e : 000000d7`d57688e0 000000d7`d5768a18 000002d1`e2994f70 000000d7`d5768a18 : msaccess!ReleaseAccessIconResource+0x36471
000000d7`d5768880 00007ff7`0c508775 : 000000d7`d5768ab0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
000000d7`d57689a0 00007ff7`0c504855 : 000000d7`d576c680 00000000`00000000 00007ff8`74f9fbcc 000000d7`d576dfc0 : msaccess!MSAU_ErrSortStringArray+0x34605
000000d7`d576c620 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
000000d7`d576ded0 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
000000d7`d576f5b0 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
000000d7`d576fad0 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
000000d7`d576fc70 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000d7`d576fd50 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000d7`d576fd90 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000d7`d576fdc0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce