Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-264

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-264.accdb

MD5

35c9b13beb6913c7c97868f4549b3bc0

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
00000058`36550ff0 00007fff`bce71b66     : 00000184`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
00000058`36551050 00007ff8`726f1ee9     : 00000000`00000016 00000184`88ac6ff8 00000184`a5780000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
00000058`365510c0 00007ff8`726d5011     : 00000000`ffffce01 00000184`00000000 00000000`00000000 00000058`36551170 : ucrtbase!raise+0x1d9
00000058`36551140 00007ff7`0c56e0ba     : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 00000184`e58c6ff0 : ucrtbase!abort+0x31
00000058`36551170 00007ff8`726f1f37     : 00000000`ffffce02 00000184`88ac6ff8 00000000`00000001 00000000`ffffce02 : msaccess!SetEnumIntlView+0x202a
00000058`365511a0 00007ff7`0c3778a9     : 00000000`ffffce02 00007fff`bd22c560 00000184`88ac6ff8 00000184`88abaf90 : ucrtbase!terminate+0x17
00000058`365511d0 00007ff7`0c4102b4     : 00000058`36551288 00000184`88ac6ff8 00000184`88ac6ff0 00000058`36554720 : msaccess!JETESLoadProjectTypeLib+0x4129
00000058`36551210 00007ff7`0c89f95c     : 00000058`36551288 00000184`88abaf90 00000058`36551288 00000000`00000003 : msaccess!JETESLoadProjectTypeLib+0x9cb34
00000058`36551240 00007ff7`0c89f846     : 00000184`88abcfe0 00000058`36552158 00000058`36552158 00000000`00000002 : msaccess!AccessLoadString+0x25cbc
00000058`36552110 00007ff7`0c89f846     : 00000184`88a0cff0 00000058`36553028 00000058`36553028 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
00000058`36552fe0 00007ff7`0c8a6d2a     : 00000000`0000000c 00000184`a5903f70 00000058`36556020 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
00000058`36553eb0 00007ff7`0c8a61a8     : 00000000`00000000 00000000`00000000 00000184`ef186fe2 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
00000058`36554670 00007ff7`0c89e772     : 00000000`10000102 00000184`f775e860 00000000`00008000 00000000`00000000 : msaccess!AccessLoadString+0x2c508
00000058`36555f70 00007ff7`0c652af6     : 00000184`f775e860 00000184`8896dfa8 00000184`efa28ec0 00000184`f775e860 : msaccess!AccessLoadString+0x24ad2
00000058`36556390 00007ff7`0c652989     : 00007fff`b56e423c 00007ff8`74ec5f8b 00007ff7`0cb17b46 00007ff7`0c8f8d91 : msaccess!SizeCallback+0xdc006
00000058`36556580 00007ff7`0cb1ebc3     : 00000000`00000000 00000184`ef186fe2 00000058`36556b38 00000000`0000000e : msaccess!SizeCallback+0xdbe99
00000058`365565e0 00007ff7`0cb1f70c     : 00000184`f775e860 00000000`00000000 00000184`f6482fd0 00000184`f775e860 : msaccess!FUniqueIndexTableFieldEx+0xfcb63
00000058`36556a70 00007ff7`0cae155c     : 00000184`f775e860 00000058`36556b50 00000000`00000000 00000184`d45d2f00 : msaccess!FUniqueIndexTableFieldEx+0xfd6ac
00000058`36556b00 00007ff7`0cb147a6     : 00000184`f6482fd0 00000000`00008000 00000184`e44e8f40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf4fc
00000058`36556b80 00007ff7`0c8f847d     : 00000184`ef186fd8 00000000`00000000 00000184`fe72bf90 00000000`ffffffef : msaccess!FUniqueIndexTableFieldEx+0xf2746
00000058`36556be0 00007fff`b5717504     : 00000000`00000000 00000184`fe72bf90 00000058`36556c30 00000184`f5695f90 : msaccess!AccessLoadString+0x7e7dd
00000058`36556c10 00007fff`b56ce8b5     : 00000000`00000000 00000000`00000000 00000184`fe72be78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
00000058`36556c50 00007fff`b587f624     : 00000000`00000000 00000000`00000000 00000184`fe646498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
00000058`36556cb0 00007fff`b587b071     : 00000184`878d49d0 00000058`36556f38 00000058`36557220 00000184`a5780000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
00000058`36556d20 00007fff`b587ad91     : 00000184`878d49d0 00007ff8`00000010 00000184`a5780000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
00000058`36556d60 00007fff`b587bbc4     : 00000184`878d49d0 00000000`00000010 00000184`00000000 00000058`36556e38 : VBE7!IMPMGR::GetTypeInfo+0xcd
00000058`36556dd0 00007fff`b587c1e1     : 00000184`878d49d0 00007ff8`00000000 00000058`36556e38 00000058`36556f38 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
00000058`36556e10 00007fff`b587f3ed     : 00000184`878d49d0 00000058`36556f88 00000058`36556fa0 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
00000058`36556f60 00007fff`b581b8a3     : 00000184`878d49d0 00000184`fafb4be0 00000058`36557060 00000184`ee8a0fd0 : VBE7!IMPMGR::Write+0x1f5
00000058`36556fb0 00007fff`b58238a5     : 00000184`d7956c40 00000184`fafb4be0 00000184`00000000 00000184`fc2def60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
00000058`36557070 00007fff`b5823430     : 00000184`d7956c40 00000184`fafb4be0 00000184`00000000 00000058`365570d8 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
00000058`365570b0 00007fff`b57f5292     : 00000184`d7956c40 00000184`d3666f00 00000058`36557400 00000058`36557768 : VBE7!BASIC_TYPEROOT::Write+0x1b0
00000058`365571f0 00007fff`b57f4c3a     : 00000184`fbf86f80 00000184`d3666f00 00000058`36550002 00000184`00000001 : VBE7!ExecProj::SaveModule+0x32a
00000058`36557840 00007fff`b56e423c     : 00000184`fbf86f80 00000000`00000000 00000058`00000001 00000184`f775e860 : VBE7!ExecProj::Save+0x1da
00000058`36557e70 00007ff7`0c8fa8b8     : 00000184`fe640f38 00007fff`b570e621 00000184`fbf898b0 00000184`fe640f38 : VBE7!Project::StgSave+0x134
00000058`36557f50 00007ff7`0cb17b46     : 00000000`00000000 00000000`00000000 00000184`fe640f38 00000184`fe640f38 : msaccess!AccessLoadString+0x80c18
00000058`36557fc0 00007ff7`0c8f8d91     : 00000184`e44e8f40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf5ae6
00000058`36558090 00007ff7`0cb15658     : 00000184`e44e8f70 00000000`80004005 00000184`e44e8f40 00000000`00000000 : msaccess!AccessLoadString+0x7f0f1
00000058`36558480 00007ff7`0cb15fac     : 00000184`e44e8f40 00000058`365585d0 00000000`00000000 00000184`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf35f8
00000058`36558530 00007ff7`0cadb86c     : 00000000`00000000 00000000`00000001 00000184`efa28ec0 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3f4c
00000058`365585d0 00007ff7`0c36edd0     : 00000184`efa28ec0 00000184`efa28ec0 00000184`efa28ec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb980c
00000058`36558700 00007ff7`0cbe95da     : 00000000`00000000 00000184`efa28ec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x33150
00000058`36558740 00007ff7`0c3720f1     : 00000000`00000002 00000058`36558c70 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x7972a
00000058`36558900 00007ff7`0c36348e     : 00000058`36558aa0 00000058`36558bd8 00000184`ad7dcf70 00000058`36558bd8 : msaccess!ReleaseAccessIconResource+0x36471
00000058`36558a40 00007ff7`0c508775     : 00000058`36558c70 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
00000058`36558b60 00007ff7`0c504855     : 00000058`3655c840 00000000`00000000 00007ff8`74f9fbcc 00000058`3655e180 : msaccess!MSAU_ErrSortStringArray+0x34605
00000058`3655c7e0 00007ff7`0c4fe5e7     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
00000058`3655e090 00007ff7`0c50512a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
00000058`3655f770 00007ff7`0c7c2e8f     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
00000058`3655fc90 00007ff7`0c7c3fa5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
00000058`3655fe30 00007ff7`0c333c72     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
00000058`3655ff10 00007ff8`72f7e8d7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
00000058`3655ff50 00007ff8`74f9fbcc     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
00000058`3655ff80 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC