Microsoft Access Improper Input Validation Vulnerability

Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-279

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-279.accdb

MD5

9a702f5e69a421a7dacdb557f9c7e9fd

Exception details

ExceptionAddress: 00007fffb55efd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
   ExceptionCode: c0000005 (Access violation)
  ExceptionFlags: 00000000
NumberParameters: 2
   Parameter[0]: 0000000000000001
   Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP          RetAddr               : Args to Child                                                           : Call Site
000000ea`318f58b0 00007fff`b5811b66     : 0000023b`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
000000ea`318f5910 00007ff8`726f1ee9     : 00000000`00000016 00000000`00000000 00000000`00000000 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
000000ea`318f5980 00007ff8`726d5011     : 00000000`71000001 00000000`00000000 00000000`00000000 000000ea`318f5a30 : ucrtbase!raise+0x1d9
000000ea`318f5a00 00007ff7`0c56e0ba     : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 0000023b`23cd9ff0 : ucrtbase!abort+0x31
000000ea`318f5a30 00007ff8`726f1f37     : 00000000`71000002 00000000`00000000 00000000`00000002 00000000`71000002 : msaccess!SetEnumIntlView+0x202a
000000ea`318f5a60 00007ff7`0c3778a9     : 00000000`71000002 00007fff`b5bcc560 00000000`00000000 0000023b`3826bfc8 : ucrtbase!terminate+0x17
000000ea`318f5a90 00007ff7`0c378d5a     : 00000000`00000000 00000000`00000000 00000000`00000000 00007ff7`0cb1c2a4 : msaccess!JETESLoadProjectTypeLib+0x4129
000000ea`318f5ad0 00007ff7`0c377d34     : 0000023b`3826bf60 0000023b`24566f90 0000b8a7`33181b2f 000000cd`318f5c60 : msaccess!JETESLoadProjectTypeLib+0x55da
000000ea`318f5b30 00007ff7`0c3772c1     : 0000023b`438e8fe0 0000023b`438e8fe0 000000ea`318f5c00 00000000`00000000 : msaccess!JETESLoadProjectTypeLib+0x45b4
000000ea`318f5b60 00007ff7`0c3773fd     : 0000023b`3f35c860 000000ea`318f63f8 0000023b`1d19aec0 0000023b`3f35c860 : msaccess!JETESLoadProjectTypeLib+0x3b41
000000ea`318f5b90 00007ff7`0c363183     : 0000023b`40265fd0 000000ea`318f64fe 000000ea`318f64fe 000000ea`318f611e : msaccess!JETESLoadProjectTypeLib+0x3c7d
000000ea`318f5bd0 00007ff7`0cb1dd24     : 00000000`00000000 00000000`00008004 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x27503
000000ea`318f5d40 00007ff7`0cb1f6af     : 0000023b`3f35c860 00000000`00000000 0000023b`186a8fd0 0000023b`3f35c860 : msaccess!FUniqueIndexTableFieldEx+0xfbcc4
000000ea`318f6330 00007ff7`0cae155c     : 0000023b`3f35c860 000000ea`318f6410 00000000`00000000 0000023b`4629ffc8 : msaccess!FUniqueIndexTableFieldEx+0xfd64f
000000ea`318f63c0 00007ff7`0cb147a6     : 0000023b`186a8fd0 00000000`00008004 0000023b`36780f40 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xbf4fc
000000ea`318f6440 00007ff7`0c8f847d     : 000000ea`318f64f0 00000000`00000000 0000023b`4a723f90 00007fff`00000017 : msaccess!FUniqueIndexTableFieldEx+0xf2746
000000ea`318f64a0 00007fff`ac61756a     : 00000000`00000000 0000023b`4a723f90 000000ea`318f6520 0000023b`75364f90 : msaccess!AccessLoadString+0x7e7dd
000000ea`318f64d0 00007fff`ac5ce8b5     : 00000000`00000000 00000000`00000000 0000023b`4a723e78 00000000`00000000 : VBE7!CProjitemDocument::LoadDocItem+0xbe
000000ea`318f6540 00007fff`ac77f624     : 00000000`00000000 00000000`00000000 0000023b`4a624498 00000000`00000001 : VBE7!HostGetBaseClassTypeInfo3+0xf5
000000ea`318f65a0 00007fff`ac77b071     : 0000023b`2c9619d0 000000ea`318f6828 000000ea`318f6b20 0000023b`6ced0000 : VBE7!IMPMGR::HookUpBaseTypeInfo+0xb8
000000ea`318f6610 00007fff`ac77ad91     : 0000023b`2c9619d0 00007ff8`00000010 0000023b`6ced0000 00000000`00000000 : VBE7!IMPMGR::LoadTypeInfo+0xe5
000000ea`318f6650 00007fff`ac77bbc4     : 0000023b`2c9619d0 00000000`00000010 0000023b`00000000 000000ea`318f6728 : VBE7!IMPMGR::GetTypeInfo+0xcd
000000ea`318f66c0 00007fff`ac77c1e1     : 0000023b`2c9619d0 00007ff8`00000000 000000ea`318f6728 000000ea`318f6828 : VBE7!IMPMGR::GetCoClassTypeInfoOfBase+0x78
000000ea`318f6700 00007fff`ac77f3ed     : 0000023b`2c9619d0 000000ea`318f6878 000000ea`318f6890 00000001`00000001 : VBE7!IMPMGR::GetBaseTypeInfoAttribute+0x65
000000ea`318f6850 00007fff`ac71b8a3     : 0000023b`2c9619d0 0000023b`5010cbe0 000000ea`318f6950 0000023b`74a96fd0 : VBE7!IMPMGR::Write+0x1f5
000000ea`318f68a0 00007fff`ac7238a5     : 0000023b`32958c40 0000023b`5010cbe0 0000023b`00000000 0000023b`50108f60 : VBE7!BASIC_TYPEROOT::WriteParts+0x583
000000ea`318f6960 00007fff`ac723430     : 0000023b`32958c40 0000023b`5010cbe0 0000023b`00000000 000000ea`318f69c8 : VBE7!BASIC_TYPEROOT::WriteToStream+0xe5
000000ea`318f69a0 00007fff`ac6f5292     : 0000023b`32958c40 0000023b`2bd9df00 000000ea`318f6d00 000000ea`318f7058 : VBE7!BASIC_TYPEROOT::Write+0x1b0
000000ea`318f6ae0 00007fff`ac6f4c3a     : 0000023b`45a01f80 0000023b`2bd9df00 000000ea`318f0006 0000023b`00000001 : VBE7!ExecProj::SaveModule+0x32a
000000ea`318f7130 00007fff`ac5e423c     : 0000023b`45a01f80 00000000`00000000 000000ea`00000001 0000023b`3f35c860 : VBE7!ExecProj::Save+0x1da
000000ea`318f7760 00007ff7`0c8fa8b8     : 0000023b`4a61ef38 00007fff`ac60e621 0000023b`459c18b0 0000023b`4a61ef38 : VBE7!Project::StgSave+0x134
000000ea`318f7840 00007ff7`0cb17b46     : 00000000`00000000 00000000`00000000 0000023b`4a61ef38 0000023b`4a61ef38 : msaccess!AccessLoadString+0x80c18
000000ea`318f78b0 00007ff7`0c8f8d91     : 0000023b`36780f40 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf5ae6
000000ea`318f7980 00007ff7`0cb15658     : 0000023b`36780f70 00000000`80004005 0000023b`36780f40 00000000`00000000 : msaccess!AccessLoadString+0x7f0f1
000000ea`318f7d70 00007ff7`0cb15fac     : 0000023b`36780f40 000000ea`318f7ec0 00000000`00000000 0000023b`00000000 : msaccess!FUniqueIndexTableFieldEx+0xf35f8
000000ea`318f7e20 00007ff7`0cadb86c     : 00000000`00000000 00000000`00000001 0000023b`1d19aec0 00000000`00000001 : msaccess!FUniqueIndexTableFieldEx+0xf3f4c
000000ea`318f7ec0 00007ff7`0c36edd0     : 0000023b`1d19aec0 0000023b`1d19aec0 0000023b`1d19aec0 00000000`00000000 : msaccess!FUniqueIndexTableFieldEx+0xb980c
000000ea`318f7ff0 00007ff7`0cbe95da     : 00000000`00000000 0000023b`1d19aec0 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x33150
000000ea`318f8030 00007ff7`0c3720f1     : 00000000`00000002 000000ea`318f8560 00000000`00000002 00000000`00000000 : msaccess!OpenHscrEmbedded+0x7972a
000000ea`318f81f0 00007ff7`0c36348e     : 000000ea`318f8390 000000ea`318f84c8 0000023b`2b368f70 000000ea`318f84c8 : msaccess!ReleaseAccessIconResource+0x36471
000000ea`318f8330 00007ff7`0c508775     : 000000ea`318f8560 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!ReleaseAccessIconResource+0x2780e
000000ea`318f8450 00007ff7`0c504855     : 000000ea`318fc130 00000000`00000000 00007ff8`74f9fbcc 000000ea`318fda70 : msaccess!MSAU_ErrSortStringArray+0x34605
000000ea`318fc0d0 00007ff7`0c4fe5e7     : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
000000ea`318fd980 00007ff7`0c50512a     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
000000ea`318ff060 00007ff7`0c7c2e8f     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
000000ea`318ff580 00007ff7`0c7c3fa5     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
000000ea`318ff720 00007ff7`0c333c72     : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
000000ea`318ff800 00007ff8`72f7e8d7     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
000000ea`318ff840 00007ff8`74f9fbcc     : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
000000ea`318ff870 00000000`00000000     : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Analysis

Download PoC