Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-274

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-274.accdb

MD5

491cea8d1fbd25f8059273a76fe08f31

Exception details

ExceptionAddress: 00007ff70c8bcc40 (msaccess!AccessLoadString+0x0000000000042fa0)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000000
   Parameter[1]: 0000000000000008
Attempt to read from address 0000000000000008

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
00000019`26bbfef0 00007ff7`0c8a703f     : 00000000`00000001 00007ff7`0cec3b30 00007ff7`0cebbb50 00000000`00000200 : msaccess!AccessLoadString+0x42fa0
00000019`26bc1ae0 00007ff7`0c89f16c     : 00000019`26bc1c88 00000000`00000114 00000019`26bc1c88 00000000`0100100a : msaccess!AccessLoadString+0x2d39f
00000019`26bc1c40 00007ff7`0c89f846     : 00000019`26bc2b58 0000013d`e3111860 00000019`26bc2b58 00000000`00000009 : msaccess!AccessLoadString+0x254cc
00000019`26bc2b10 00007ff7`0c8a6d2a     : 00000000`0000000c 0000013d`91873f70 00000019`26bc5b50 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
00000019`26bc39e0 00007ff7`0c8a61a8     : 00000000`00000000 00000000`00000000 0000013d`b53b0fd6 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
00000019`26bc41a0 00007ff7`0c89e772     : 00000000`10000102 0000013d`e3111860 00000000`00008004 00000000`00000000 : msaccess!AccessLoadString+0x2c508
00000019`26bc5aa0 00007ff7`0c652af6     : 0000013d`e3111860 0000013d`f4654fa8 0000013d`c95c6ec0 0000013d`e3111860 : msaccess!AccessLoadString+0x24ad2
00000019`26bc5ec0 00007ff7`0c652989     : 00007fff`accc423c 00007ff8`74ec5f8b 00007ff7`0cb17b46 00007ff7`0c8f8d91 : msaccess!SizeCallback+0xdc006
00000019`26bc60b0 00007ff7`0cb1ebc3     : 00000000`00000000 0000013d`b53b0fd6 00000019`26bc6668 00000000`0000000f : msaccess!SizeCallback+0xdbe99
00000019`26bc6110 00007ff7`0cb1f70c     : 0000013d`e3111860 00000000`00000000 0000013d`b4ab7fd0 0000013d`e3111860 : msaccess!FUniqueIndexTableFieldEx+0xfcb63
00000019`26bc65a0 00007ff7`0cae155c     : 0000013d`e3111860 00000019`26bc6680 00000000`00000000 0000013d`9e11df00 : msaccess!FUniqueIndexTableFieldEx+0xfd6ac
00000019`26bc6630 00007ff7`0cb147a6     : 0000013d`b4ab7fd0 00000000`00008004 0000013d`dccf4f40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf4fc
00000019`26bc66b0 00007ff7`0c8f847d     : 0000013d`b53b0fc8 00000000`00000000 0000013d`ee6bdf90 00000000`ffffffef : msaccess!FUniqueIndexTableFieldEx+0xf2746
00000019`26bc6710 00007fff`accf7504     : 00000000`00000000 0000013d`ee6bdf90 00000019`26bc6760 0000013d`e7e3ef90 : msaccess!AccessLoadString+0x7e7dd
00000019`26bc6740 00007fff`accae8b5     : 00000000`00000000 00000000`00000000 0000013d`ee6bde78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
00000019`26bc6780 00007fff`ace5f624     : 00000000`00000000 00000000`00000000 0000013d`ee5d4498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
00000019`26bc67e0 00007fff`ace5b071     : 0000013d`f32dc9d0 00000019`26bc6a68 00000019`26bc6d60 0000013d`916f0000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
00000019`26bc6850 00007fff`ace5ad91     : 0000013d`f32dc9d0 00007ff8`00000010 0000013d`916f0000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
00000019`26bc6890 00007fff`ace5bbc4     : 0000013d`f32dc9d0 00000000`00000010 0000013d`00000000 00000019`26bc6968 : VBE7!IMPMGR::GetTypeInfo+0xcd
00000019`26bc6900 00007fff`ace5c1e1     : 0000013d`f32dc9d0 00007ff8`00000000 00000019`26bc6968 00000019`26bc6a68 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
00000019`26bc6940 00007fff`ace5f3ed     : 0000013d`f32dc9d0 00000019`26bc6ab8 00000019`26bc6ad0 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
00000019`26bc6a90 00007fff`acdfb8a3     : 0000013d`f32dc9d0 0000013d`f464abe0 00000019`26bc6b90 0000013d`c01eafd0 : VBE7!IMPMGR::Write+0x1f5
00000019`26bc6ae0 00007fff`ace038a5     : 0000013d`e747bc40 0000013d`f464abe0 0000013d`00000000 0000013d`f4646f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
00000019`26bc6ba0 00007fff`ace03430     : 0000013d`e747bc40 0000013d`f464abe0 0000013d`00000000 00000019`26bc6c08 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
00000019`26bc6be0 00007fff`acdd5292     : 0000013d`e747bc40 0000013d`e12c1f00 00000019`26bc6f40 00000019`26bc7298 : VBE7!BASIC_TYPEROOT::Write+0x1b0
00000019`26bc6d20 00007fff`acdd4c3a     : 0000013d`e828af80 0000013d`e12c1f00 00000019`26bc0007 0000013d`00000001 : VBE7!ExecProj::SaveModule+0x32a
00000019`26bc7370 00007fff`accc423c     : 0000013d`e828af80 00000000`00000000 00000019`00000001 0000013d`e3111860 : VBE7!ExecProj::Save+0x1da
00000019`26bc79a0 00007ff7`0c8fa8b8     : 0000013d`ee5cef38 00007fff`accee621 0000013d`e82168b0 0000013d`ee5cef38 : VBE7!Project::StgSave+0x134
00000019`26bc7a80 00007ff7`0cb17b46     : 00000000`00000000 00000000`00000000 0000013d`ee5cef38 0000013d`ee5cef38 : msaccess!AccessLoadString+0x80c18
00000019`26bc7af0 00007ff7`0c8f8d91     : 0000013d`dccf4f40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf5ae6
00000019`26bc7bc0 00007ff7`0cb15658     : 0000013d`dccf4f70 00000000`80004005 0000013d`dccf4f40 00000000`00000000 : msaccess!AccessLoadString+0x7f0f1
00000019`26bc7fb0 00007ff7`0cb15fac     : 0000013d`dccf4f40 00000019`26bc8100 00000000`00000000 0000013d`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf35f8
00000019`26bc8060 00007ff7`0cadb86c     : 00000000`00000000 00000000`00000001 0000013d`c95c6ec0 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3f4c
00000019`26bc8100 00007ff7`0c36edd0     : 0000013d`c95c6ec0 0000013d`c95c6ec0 0000013d`c95c6ec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb980c
00000019`26bc8230 00007ff7`0cbe95da     : 00000000`00000000 0000013d`c95c6ec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x33150
00000019`26bc8270 00007ff7`0c3720f1     : 00000000`00000002 00000019`26bc87a0 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x7972a
00000019`26bc8430 00007ff7`0c36348e     : 00000019`26bc85d0 00000019`26bc8708 0000013d`cfd34f70 00000019`26bc8708 : msaccess!ReleaseAccessIconResource+0x36471
00000019`26bc8570 00007ff7`0c508775     : 00000019`26bc87a0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
00000019`26bc8690 00007ff7`0c504855     : 00000019`26bcc370 00000000`00000000 00007ff8`74f9fbcc 00000019`26bcdcb0 : msaccess!MSAU_ErrSortStringArray+0x34605
00000019`26bcc310 00007ff7`0c4fe5e7     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
00000019`26bcdbc0 00007ff7`0c50512a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
00000019`26bcf2a0 00007ff7`0c7c2e8f     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
00000019`26bcf7c0 00007ff7`0c7c3fa5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
00000019`26bcf960 00007ff7`0c333c72     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
00000019`26bcfa40 00007ff8`72f7e8d7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
00000019`26bcfa80 00007ff8`74f9fbcc     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
00000019`26bcfab0 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC