Microsoft Access Out-Of-Bounds Read Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Out-Of-Bounds Read Vulnerability

Report ID: 2024-272

unpatched

Summary

A memory safety issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could potentially gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue.

Attack vector

Remote

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-272.accdb

MD5

91f0e8e097cf5cc452a7ff10db673ac5

Exception details

ExceptionAddress: 00007ff84f5c03a7 (VCRUNTIME140!memcpy_avx_ermsb_Intel+0x0000000000000167)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 00000222ae927920
Attempt to read from address 00000222ae927920

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000a2`43dc3828 00007ff7`0c43d06c     : 00000000`00000001 000000a2`43dc3910 00000000`fffff7e0 00000000`000000db : VCRUNTIME140!memcpy_avx_ermsb_Intel+0x167 [D:\a\_work\1\s\src\vctools\crt\vcruntime\src\string\amd64\Intel\memcpy_avx_ermsb_aligned.asm @ 231] 
000000a2`43dc3830 00007ff8`72ed939c     : 00000000`00000ffd 00007fff`b2bf6c30 00000222`ae92a098 00000000`11000000 : msaccess!JETESLoadProjectTypeLib+0xc98ec
000000a2`43dc3a20 00007ff8`72ed89f4     : 00000222`a948ecb8 00000000`00000001 00000000`00000025 00007ff7`fffffffe : coml2!CPagedVector::GetTableWithSect+0x99c
000000a2`43dc3ab0 00007ff8`72ed835c     : 00000000`00000000 000000a2`43dc3d18 00000000`00000000 00007ff7`0c370ead : coml2!CPagedVector::GetTable+0x14
000000a2`43dc3af0 00007ff8`72ed7d7a     : 00000000`00000000 000000a2`43dc3c70 002e0034`00000000 00000000`00000000 : coml2!CFat::Contig+0x11c
000000a2`43dc3b80 00007ff8`72ed7aa8     : 00007ff7`0cbe95a5 00007ff7`0c3720f1 00001b12`b54db4f1 00000000`0000008e : coml2!CStreamCache::GetSect+0x18a
000000a2`43dc3e50 00007ff8`72ed77c0     : 00000222`fffffffe 00000000`00000000 00000000`00000083 00007fff`b9755065 : coml2!CStreamCache::Contig+0xb8
000000a2`43dc3eb0 00007ff8`72eeb558     : 00000222`d8759538 00007fff`b4c79548 00007ff7`0d1a27a0 00000000`00000000 : coml2!CDirectStream::ReadAt+0x130
000000a2`43dc4110 00007ff8`72edc47f     : 000000a2`43dc4420 00000000`00000009 00000222`d172f170 00007fff`b2c01424 : coml2!CTransactedStream::ReadAt+0x88
000000a2`43dc41c0 00007ff7`0c37af42     : 00000000`00012a44 00000222`a4e30e40 00000000`00000000 00000000`00000000 : coml2!CExposedStream::Read+0x1ef
000000a2`43dc4270 00007ff7`0c379c37     : 00000222`00000000 000000a2`43dc76b0 00000000`00000bc0 00000000`01000003 : msaccess!JETESLoadProjectTypeLib+0x77c2
000000a2`43dc42d0 00007ff7`0c8a022a     : 00000222`a73d0088 00007ff8`728f5e8c 00000222`d172e5b0 00007ff7`0cac8b31 : msaccess!JETESLoadProjectTypeLib+0x64b7
000000a2`43dc4450 00007ff7`0c8ba51e     : 000000a2`00000042 000000a2`43dc76b0 00000000`00000000 00000000`00000001 : msaccess!AccessLoadString+0x2658a
000000a2`43dc44a0 00007ff7`0c8a703f     : 00007ff7`00000001 00007ff7`0ceb4950 00000000`00000000 00000000`00000200 : msaccess!AccessLoadString+0x4087e
000000a2`43dc4510 00007ff7`0c89ef7c     : 000000a2`43dc46b8 00000000`00000004 000000a2`43dc46b8 00000000`00000000 : msaccess!AccessLoadString+0x2d39f
000000a2`43dc4670 00007ff7`0c8a6d2a     : 00000000`0000000c 00000222`f1523f70 000000a2`43dc76b0 00000000`00000001 : msaccess!AccessLoadString+0x252dc
000000a2`43dc5540 00007ff7`0c8a61a8     : 00000000`00000000 00000000`00000000 000000a2`43dc7ec0 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
000000a2`43dc5d00 00007ff7`0c89e772     : 00000000`00020102 00000222`c3920860 00000000`00008000 00000000`00000000 : msaccess!AccessLoadString+0x2c508
000000a2`43dc7600 00007ff7`0c652af6     : 00000222`bc449f40 000000a2`43dc7a40 00001b12`b54df0c1 00000000`00000102 : msaccess!AccessLoadString+0x24ad2
000000a2`43dc7a20 00007ff7`0c691e81     : 006f0073`006f0072 004a002e`00740066 004e002e`00740065 00760069`00740061 : msaccess!SizeCallback+0xdc006
000000a2`43dc7c10 00007ff7`0c41ced8     : 00000222`c3920860 00007ff7`0cbc3b97 00000000`00000003 000000a2`00000000 : msaccess!WizChooseColor+0x3d971
000000a2`43dc7c80 00007ff7`0cc0e369     : 00000000`00000000 00000000`00008000 000000a2`43dc82e9 00000222`c3920860 : msaccess!JETESLoadProjectTypeLib+0xa9758
000000a2`43dc7cd0 00007ff7`0c7e5b45     : 000000a2`43dc8188 00000000`00000000 000000a2`43dc82e9 00000222`c3920860 : msaccess!OpenHscrEmbedded+0x9e4b9
000000a2`43dc8130 00007ff7`0c36ea60     : 00000222`a34beec0 000000a2`43dc82f0 00007ff8`727688c0 000000a2`43dc82f0 : msaccess!MSAU_GetSizeList+0x26f5
000000a2`43dc8280 00007ff7`0c36dea3     : 00000000`00000000 00000000`00000000 00000222`a34beec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32de0
000000a2`43dc8350 00007ff7`0cbe95a5     : 00000222`a34bef18 00000000`00000000 00000222`a34beec0 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x32223
000000a2`43dc8650 00007ff7`0c3720f1     : 00000000`00000002 000000a2`43dc8b80 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x796f5
000000a2`43dc8810 00007ff7`0c36348e     : 000000a2`43dc89b0 000000a2`43dc8ae8 00000222`a8a48f70 000000a2`43dc8ae8 : msaccess!ReleaseAccessIconResource+0x36471
000000a2`43dc8950 00007ff7`0c508775     : 000000a2`43dc8b80 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
000000a2`43dc8a70 00007ff7`0c504855     : 000000a2`43dcc750 00000000`00000000 00007ff8`74f9fbcc 000000a2`43dce090 : msaccess!MSAU_ErrSortStringArray+0x34605
000000a2`43dcc6f0 00007ff7`0c4fe5e7     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
000000a2`43dcdfa0 00007ff7`0c50512a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
000000a2`43dcf680 00007ff7`0c7c2e8f     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
000000a2`43dcfba0 00007ff7`0c7c3fa5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
000000a2`43dcfd40 00007ff7`0c333c72     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000a2`43dcfe20 00007ff8`72f7e8d7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000a2`43dcfe60 00007ff8`74f9fbcc     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000a2`43dcfe90 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC