Microsoft Access Use-After-Free Vulnerability

Report ID: 2024-271

unpatched

Summary

A use-after-free issue exists in Microsoft Access (MSACCESS.EXE version 16.0.18227.20162) when opening a specially crafted file. By sending the file to a target and convincing them to open it, an attacker could potentially gain Remote Code Execution (RCE) on the target's computer; the issue remains unpatched.

Attack vector: Remote

Impact: RCE

Status: Reported - Won't Fix

Vulnerable executable information

File name: MSACCESS.EXE

Version: 16.0.18227.20162

Architecture: x64

MD5: 9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name: 2024-271.accdb

MD5: 777bdd6f7fd66f9f8540cdec8edb4291

Exception details

ExceptionAddress: 00007ff84f5c03a7 (VCRUNTIME140!memcpy_avx_ermsb_Intel+0x0000000000000167)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000000
Parameter[1]: 0000020ee5f41a98
Attempt to read from address 0000020ee5f41a98

UaF details

address 0000020ee5f41a98 found in
_DPH_HEAP_ROOT @ 20e903b1000
in free-ed allocation ( DPH_HEAP_BLOCK: VirtAddr VirtSize)
20e9c529dd0: 20ee5f40000 2000
00007ff874f9e4f3 ntdll!RtlDebugFreeHeap+0x0000000000000037
00007ff874eeba6e ntdll!RtlpFreeHeap+0x000000000000174e
00007ff874ef2871 ntdll!RtlFreeHeap+0x0000000000000651
00007ff87263ddab ucrtbase!free_base+0x000000000000001b
00007ff8660729b4 <Unloaded_MPCLIENT.DLL>+0x00000000000129b4
00007ff866123c8a <Unloaded_MPCLIENT.DLL>+0x00000000000c3c8a
00007ff866068c37 <Unloaded_MPCLIENT.DLL>+0x0000000000008c37
00007ff87269f356 ucrtbase!initterm+0x0000000000000036
00007ff86612398a <Unloaded_MPCLIENT.DLL>+0x00000000000c398a
00007ff866123b00 <Unloaded_MPCLIENT.DLL>+0x00000000000c3b00
00007ff874edd860 ntdll!LdrpCallInitRoutine+0x00000000000000b0
00007ff874edcc0c ntdll!LdrpInitializeNode+0x000000000000019c
00007ff874f6b09a ntdll!LdrpInitializeGraphRecurse+0x000000000000006a
00007ff874f6ad83 ntdll!LdrpPrepareModuleForExecution+0x00000000000000ef
00007ff874f0b0c4 ntdll!LdrpLoadDllInternal+0x0000000000000284
00007ff874f0acd0 ntdll!LdrpLoadDll+0x0000000000000100
00007ff874f166a0 ntdll!LdrLoadDll+0x0000000000000170
00007ff872841d46 KERNELBASE!LoadLibraryExW+0x00000000000000e6
00007ff869090711 MpOav!DllRegisterServer+0x000000000000d8c1
00007ff86908877b MpOav!DllRegisterServer+0x000000000000592b
00007ff869088491 MpOav!DllRegisterServer+0x0000000000005641
00007ff869085566 MpOav!DllRegisterServer+0x0000000000002716
00007ff86908341d MpOav!DllRegisterServer+0x00000000000005cd
00007fffada48b83 mso!MsoFDoAntiVirusScanEx+0x00000000000002d3
00007ff70c36e861 msaccess!ReleaseAccessIconResource+0x0000000000032be1
00007ff70cbe91d7 msaccess!OpenHscrEmbedded+0x0000000000079327
00007ff70c3720f1 msaccess!ReleaseAccessIconResource+0x0000000000036471
00007ff70c36348e msaccess!ReleaseAccessIconResource+0x000000000002780e
00007ff70c508775 msaccess!MSAU_ErrSortStringArray+0x0000000000034605
00007ff70c504855 msaccess!MSAU_ErrSortStringArray+0x00000000000306e5
00007ff70c4fe5e7 msaccess!MSAU_ErrSortStringArray+0x000000000002a477
00007ff70c50512a msaccess!MSAU_ErrSortStringArray+0x0000000000030fba

Stack trace

Child-SP RetAddr : Args to Child : Call Site
000000ad`94af7448 00007ff7`0c43d06c : 00000000`00000001 000000ad`94af7530 00000000`fffff958 00007ff8`74ee7776 : VCRUNTIME140!memcpy_avx_ermsb_Intel+0x167 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\Intel\memcpy_avx_ermsb_aligned.asm @ 231]
000000ad`94af7450 00007ff8`72ed939c : 0000020e`9b99adb0 0000020e`9b99adb0 0000020e`daf5bdc0 0000020e`b2fbefd0 : msaccess!JETESLoadProjectTypeLib+0xc98ec
000000ad`94af7640 00007ff8`72ed89f4 : 0000020e`cea9fcb8 000000ad`00000003 000000ad`94af77e0 00000000`fffffffe : coml2!CPagedVector::GetTableWithSect+0x99c
000000ad`94af76d0 00007ff8`72ee9795 : 00000000`00000000 00000000`00000001 000088c9`2af3858d 00000000`00000000 : coml2!CPagedVector::GetTable+0x14
000000ad`94af7710 00007ff8`72ee8c47 : 00000000`00000000 0000020e`cea9fcb8 00000000`00000000 00000000`00000000 : coml2!CFat::FindLast+0x55
000000ad`94af7770 00007ff8`72f0a418 : 0000020e`cea9fa50 00000000`00000000 0000020e`cea9fa50 00000000`00000000 : coml2!CFat::FindMaxSect+0x47
000000ad`94af77a0 00007ff8`72eebc6b : 00000000`00000000 00000000`00000000 00000000`0003a800 00007ff8`74ee7776 : coml2!CMStream::BeginCopyOnWrite+0x1b0
000000ad`94af77e0 00007ff8`72f00ccf : 00000000`00000000 00000000`00000000 0000020e`9cd07f70 00000000`00000000 : coml2!CPubDocFile::Commit+0x1f3
000000ad`94af7900 00007ff7`0c35f35b : 00000000`00000009 0000020e`dfa4de90 00000000`00000000 0000020e`9cd07f70 : coml2!CExposedDocFile::Commit+0xef
000000ad`94af7970 00007ff7`0c361097 : 00000000`00000000 0000020e`00000069 00000000`00000000 0000020e`d0d7ef30 : msaccess!ReleaseAccessIconResource+0x236db
000000ad`94af7ad0 00007ff7`0c362bb3 : 00000000`00000000 0000020e`00000003 0000020e`00000001 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x25417
000000ad`94af7b50 00007ff7`0c362373 : 0000020e`d0d7ef30 0000020e`d0d7ef30 00000000`00000003 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x26f33
000000ad`94af7be0 00007ff7`0c3633a2 : 00000000`00000000 00000000`00000000 00000000`00000000 00007ff7`0cc0f97b : msaccess!ReleaseAccessIconResource+0x266f3
000000ad`94af8150 00007ff7`0cbe94e3 : 0000020e`9b5fcf18 000000ad`94af8320 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x27722
000000ad`94af8220 00007ff7`0c3720f1 : 00000000`00000002 000000ad`94af8750 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x79633
000000ad`94af83e0 00007ff7`0c36348e : 000000ad`94af8580 000000ad`94af86b8 0000020e`99ff1f70 000000ad`94af86b8 : msaccess!ReleaseAccessIconResource+0x36471
000000ad`94af8520 00007ff7`0c508775 : 000000ad`94af8750 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
000000ad`94af8640 00007ff7`0c504855 : 000000ad`94afc320 00000000`00000000 00007ff8`74f9fbcc 000000ad`94afdc60 : msaccess!MSAU_ErrSortStringArray+0x34605
000000ad`94afc2c0 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
000000ad`94afdb70 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
000000ad`94aff250 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
000000ad`94aff770 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
000000ad`94aff910 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000ad`94aff9f0 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000ad`94affa30 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000ad`94affa60 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce