Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-265

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162, and is triggered when a specially crafted file is opened. An attacker who sends a target the file and convinces them to open it is unlikely to gain Remote Code Execution (RCE) on the target's computer through the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible that the issue results in a persistent DoS, where the application continues to crash even after the target reboots.

Attack vector: Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE

Version: 16.0.18227.20162

Architecture: x64

MD5: 9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name: 2024-265.accdb

MD5: c140ff5623fd3fb935dca30baefd40b1

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000a4`ab3ae3c0 00007fff`bce71b66 : 0000022c`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
000000a4`ab3ae420 00007ff8`726f1ee9 : 00000000`00000016 0000022c`2ca81ca8 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000a4`ab3ae490 00007ff8`726d5011 : 000000a4`ab3ae701 0000022c`00000000 00000000`00000000 000000a4`ab3ae540 : ucrtbase!raise+0x1d9
000000a4`ab3ae510 00007ff7`0c56e0ba : 000000a4`00000003 00000000`00000003 ffffffff`fffffffe 0000022c`2ad88ff0 : ucrtbase!abort+0x31
000000a4`ab3ae540 00007ff8`726f1f37 : 000000a4`ab3ae720 0000022c`2ca81ca8 00000000`0000905a 00000000`00000001 : msaccess!SetEnumIntlView+0x202a
000000a4`ab3ae570 00007ff7`0c68bd82 : 000000a4`ab3ae720 00007fff`bd22c560 0000022c`2ca81ca8 000000a4`ab3aecf0 : ucrtbase!terminate+0x17
000000a4`ab3ae5a0 00007ff7`0c3e25fe : 000000a4`00000000 0000022c`2ca81ca8 000000a4`00000000 000000a4`ab3aee24 : msaccess!WizChooseColor+0x37872
000000a4`ab3ae6d0 00007ff7`0c3e2f05 : 0000022c`2bcbaff0 0000022c`00000002 0000022c`41a03f70 0000022c`00000000 : msaccess!JETESLoadProjectTypeLib+0x6ee7e
000000a4`ab3ae840 00007ff7`0c3e3590 : 0000022c`1302af80 0000022c`00000002 0000022c`2ca81ca8 0000022c`00000001 : msaccess!JETESLoadProjectTypeLib+0x6f785
000000a4`ab3ae8a0 00007ff7`0c66ff22 : 0000022c`00000002 0000022c`199d9fe0 000000a4`00000000 00000000`00000001 : msaccess!JETESLoadProjectTypeLib+0x6fe10
000000a4`ab3ae940 00007ff7`0c669cfd : 00000000`00000018 000000a4`ab3aefe0 00000000`0000005a 00000000`0049414e : msaccess!WizChooseColor+0x1ba12
000000a4`ab3aeb20 00007ff7`0c3e5ffe : 00000000`0054046c 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!WizChooseColor+0x157ed
000000a4`ab3aeee0 00007ff8`734b5801 : 00000000`002e04a8 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x7287e
000000a4`ab3af230 00007ff8`734b509c : 00000000`00000388 00007ff7`0c3e5d60 00000000`002e04a8 00000000`80000000 : USER32!UserCallWinProcCheckWow+0x341
000000a4`ab3af390 00007ff8`734e4eb3 : 00000000`00000000 00000000`00000000 00000000`00000000 0000022c`45080690 : USER32!DispatchClientMessage+0x9c
000000a4`ab3af3f0 00007ff8`75023744 : 00000100`00000000 00000000`002e04a8 0000022c`4507e140 00007ff8`734a8e78 : USER32!_fnDWORD+0x33
000000a4`ab3af450 00007ff8`726018b4 : 00007ff8`734b34b8 000000a4`ab3af7b0 00000000`00000000 00000000`00000001 : ntdll!KiUserCallbackDispatcherContinue
000000a4`ab3af4d8 00007ff8`734b34b8 : 000000a4`ab3af7b0 00000000`00000000 00000000`00000001 00007ff8`734b2f89 : win32u!NtUserDispatchMessage+0x14
000000a4`ab3af4e0 00007ff7`0c7c378d : 000000a4`ab3af5a0 00000000`00000000 00000000`00000000 00000000`00000000 : USER32!DispatchMessageWorker+0x348
000000a4`ab3af560 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5d6ed
000000a4`ab3af700 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000a4`ab3af7e0 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000a4`ab3af820 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000a4`ab3af850 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce