Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-276

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Contact us

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-276.accdb

MD5

f95324f6b4fb6e77d3b764cd3dce71e1

Exception details

ExceptionAddress: 00007fffb5edfd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
0000001a`1c2f5a60 00007fff`b6101b66 : 00000179`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
0000001a`1c2f5ac0 00007ff8`726f1ee9 : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
0000001a`1c2f5b30 00007ff8`726d5011 : 00000000`17000001 00000000`00000000 00000000`00000000 0000001a`1c2f5be0 : ucrtbase!raise+0x1d9
0000001a`1c2f5bb0 00007ff7`0c56e0ba : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 00000179`852deff0 : ucrtbase!abort+0x31
0000001a`1c2f5be0 00007ff8`726f1f37 : 00000000`17000000 00000000`00000000 00000000`00000000 00000000`17000000 : msaccess!SetEnumIntlView+0x202a
0000001a`1c2f5c10 00007ff7`0c3778a9 : 00000000`17000000 00007fff`b64bc560 00000000`00000000 00000179`d7bd5fc8 : ucrtbase!terminate+0x17
0000001a`1c2f5c40 00007ff7`0c378d5a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x4129
0000001a`1c2f5c80 00007ff7`0c377d34 : 00000179`d7bd5f60 00000179`852d6f90 000002dc`e391c496 0000001a`1c2f5de0 : msaccess!JETESLoadProjectTypeLib+0x55da
0000001a`1c2f5ce0 00007ff7`0c3772c1 : 00000179`d7bd3fe0 00000179`d7bd3fe0 0000001a`1c2f5df0 0000001a`1c2f5e38 : msaccess!JETESLoadProjectTypeLib+0x45b4
0000001a`1c2f5d10 00007ff7`0c3773fd : 00000000`00008007 0000001a`1c2f6750 00000179`f408e860 00007ff7`0cfa6178 : msaccess!JETESLoadProjectTypeLib+0x3b41
0000001a`1c2f5d40 00007ff7`0c361a93 : 0000001a`1c2f5df0 00000179`cf3b9f30 00000000`00000002 0000001a`1c2f62b0 : msaccess!JETESLoadProjectTypeLib+0x3c7d
0000001a`1c2f5d80 00007ff7`0c361caf : 00000179`f73c4fd0 00000179`cf3b9f38 0000001a`1c2f62b0 0000001a`1c2f5e68 : msaccess!ReleaseAccessIconResource+0x25e13
0000001a`1c2f5db0 00007ff7`0c3614af : 00000000`08000001 00000000`00000000 00000000`00000007 00007ff8`7286b591 : msaccess!ReleaseAccessIconResource+0x2602f
0000001a`1c2f5f40 00007ff7`0c35d949 : 00000179`cf3b9f30 00000179`f2ff6fe8 00000000`00000000 00000000`00000411 : msaccess!ReleaseAccessIconResource+0x2582f
0000001a`1c2f6190 00007ff7`0cbd01f7 : 00000179`00000001 00000000`00000000 00000000`00008007 00007ff7`0c370ead : msaccess!ReleaseAccessIconResource+0x21cc9
0000001a`1c2f6200 00007ff7`0cc0ef2a : 00007ff7`00000000 00000000`00000000 0000001a`1c2f6750 00000000`00000000 : msaccess!OpenHscrEmbedded+0x60347
0000001a`1c2f6270 00007ff7`0cb1ed7b : 00000000`00000000 00000179`ce187fd2 0000001a`1c2f69a8 00000179`a2443f70 : msaccess!OpenHscrEmbedded+0x9f07a
0000001a`1c2f6450 00007ff7`0cb1f70c : 00000179`f408e860 00000000`00000000 00000179`df3d4fd0 00000179`f408e860 : msaccess!FUniqueIndexTableFieldEx+0xfcd1b
0000001a`1c2f68e0 00007ff7`0cae155c : 00000179`f408e860 0000001a`1c2f69c0 00000000`00000000 00000179`8520bf00 : msaccess!FUniqueIndexTableFieldEx+0xfd6ac
0000001a`1c2f6970 00007ff7`0cb147a6 : 00000179`df3d4fd0 00000000`00008000 00000179`b260ef40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf4fc
0000001a`1c2f69f0 00007ff7`0c8f847d : 00000179`ce187fc8 00000000`00000000 00000179`80253f90 00000000`ffffffef : msaccess!FUniqueIndexTableFieldEx+0xf2746
0000001a`1c2f6a50 00007fff`accf7504 : 00000000`00000000 00000179`80253f90 0000001a`1c2f6aa0 00000179`fa4c1f90 : msaccess!AccessLoadString+0x7e7dd
0000001a`1c2f6a80 00007fff`accae8b5 : 00000000`00000000 00000000`00000000 00000179`80253e78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0x58
0000001a`1c2f6ac0 00007fff`ace5f624 : 00000000`00000000 00000000`00000000 00000179`80116498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
0000001a`1c2f6b20 00007fff`ace5b071 : 00000179`faf019d0 0000001a`1c2f6da8 0000001a`1c2f70a0 00000179`a22c0000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
0000001a`1c2f6b90 00007fff`ace5ad91 : 00000179`faf019d0 00007ff8`00000010 00000179`a22c0000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
0000001a`1c2f6bd0 00007fff`ace5bbc4 : 00000179`faf019d0 00000000`00000010 00000179`00000000 0000001a`1c2f6ca8 : VBE7!IMPMGR::GetTypeInfo+0xcd
0000001a`1c2f6c40 00007fff`ace5c1e1 : 00000179`faf019d0 00007ff8`00000000 0000001a`1c2f6ca8 0000001a`1c2f6da8 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
0000001a`1c2f6c80 00007fff`ace5f3ed : 00000179`faf019d0 0000001a`1c2f6df8 0000001a`1c2f6e10 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
0000001a`1c2f6dd0 00007fff`acdfb8a3 : 00000179`faf019d0 00000179`85205be0 0000001a`1c2f6ed0 00000179`ab214fd0 : VBE7!IMPMGR::Write+0x1f5
0000001a`1c2f6e20 00007fff`ace038a5 : 00000179`eb97ec40 00000179`85205be0 00000179`00000000 00000179`85201f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
0000001a`1c2f6ee0 00007fff`ace03430 : 00000179`eb97ec40 00000179`85205be0 00000179`00000000 0000001a`1c2f6f48 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
0000001a`1c2f6f20 00007fff`acdd5292 : 00000179`eb97ec40 00000179`f8d81f00 0000001a`1c2f7280 0000001a`1c2f75d8 : VBE7!BASIC_TYPEROOT::Write+0x1b0
0000001a`1c2f7060 00007fff`acdd4c3a : 00000179`fa51ff80 00000179`f8d81f00 0000001a`1c2f0007 00000179`00000001 : VBE7!ExecProj::SaveModule+0x32a
0000001a`1c2f76b0 00007fff`accc423c : 00000179`fa51ff80 00000000`00000000 0000001a`00000001 00000179`f408e860 : VBE7!ExecProj::Save+0x1da
0000001a`1c2f7ce0 00007ff7`0c8fa8b8 : 00000179`80110f38 00007fff`accee621 00000179`fa5248b0 00000179`80110f38 : VBE7!Project::StgSave+0x134
0000001a`1c2f7dc0 00007ff7`0cb17b46 : 00000000`00000000 00000000`00000000 00000179`80110f38 00000179`80110f38 : msaccess!AccessLoadString+0x80c18
0000001a`1c2f7e30 00007ff7`0c8f8d91 : 00000179`b260ef40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf5ae6
0000001a`1c2f7f00 00007ff7`0cb15658 : 00000179`b260ef70 00000000`80004005 00000179`b260ef40 00000000`00000000 : msaccess!AccessLoadString+0x7f0f1
0000001a`1c2f82f0 00007ff7`0cb15fac : 00000179`b260ef40 0000001a`1c2f8440 00000000`00000000 00000179`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf35f8
0000001a`1c2f83a0 00007ff7`0cadb86c : 00000000`00000000 00000000`00000001 00000179`dc3a4ec0 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3f4c
0000001a`1c2f8440 00007ff7`0c36edd0 : 00000179`dc3a4ec0 00000179`dc3a4ec0 00000179`dc3a4ec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb980c
0000001a`1c2f8570 00007ff7`0cbe95da : 00000000`00000000 00000179`dc3a4ec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x33150
0000001a`1c2f85b0 00007ff7`0c3720f1 : 00000000`00000002 0000001a`1c2f8ae0 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x7972a
0000001a`1c2f8770 00007ff7`0c36348e : 0000001a`1c2f8910 0000001a`1c2f8a48 00000179`d1b45f70 0000001a`1c2f8a48 : msaccess!ReleaseAccessIconResource+0x36471
0000001a`1c2f88b0 00007ff7`0c508775 : 0000001a`1c2f8ae0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
0000001a`1c2f89d0 00007ff7`0c504855 : 0000001a`1c2fc6b0 00000000`00000000 00007ff8`74f9fbcc 0000001a`1c2fdff0 : msaccess!MSAU_ErrSortStringArray+0x34605
0000001a`1c2fc650 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
0000001a`1c2fdf00 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
0000001a`1c2ff5e0 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
0000001a`1c2ffb00 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
0000001a`1c2ffca0 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
0000001a`1c2ffd80 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
0000001a`1c2ffdc0 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
0000001a`1c2ffdf0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Download PoC