Unpatched.ai can make mistakes. Public reports may be added, updated, or removed at any time.

Microsoft Access Improper Input Validation Vulnerability

Report ID: 2024-250

unpatched

Summary

An improper input validation issue exists in Microsoft Access, specifically MSACCESS.EXE version 16.0.18227.20162 when opening a specially crafted file. By sending a target the file and convincing them to open it, an attacker could unlikely gain Remote Code Execution (RCE) on the target's computer due to the unpatched issue. However, even if RCE isn't achieved, the crash could result in Denial of Service (DoS) for the target application. In addition, likely due to how Microsoft Access handles recent files, file recovery, and file repair, it is possible the issue could result in a persistent DoS attack, where the application will continue to crash, even after reboot by the target.

Attack vector

Remote

DoS

Reported - Won't Fix

Contact us

Vulnerable executable information

File name

MSACCESS.EXE

Version

16.0.18227.20162

Architecture

x64

MD5

9d92f762057999f2b18e8f0dc15a1de8

Proof-of-Concept file information

File name

2024-250.accdb

MD5

d357b24d85bd0482e2ce7d7038429234

Exception details

ExceptionAddress: 00007fffbcc4fd6d (mso20win32client!CrashWithRecovery+0x000000000000004d)
ExceptionCode: c0000005 (Access violation)
ExceptionFlags: 00000000
NumberParameters: 2
Parameter[0]: 0000000000000001
Parameter[1]: 0000000000000000
Attempt to write to address 0000000000000000

Stack trace

Child-SP RetAddr : Args to Child : Call Site
00000007`c8711c10 00007fff`bce71b66 : 000001fa`01483052 00000000`00000000 00000000`00000000 00000000`00000000 : mso20win32client!CrashWithRecovery+0x4d
00000007`c8711c70 00007ff8`726f1ee9 : 00000000`00000016 000001fa`1d35f888 00000000`00000001 00000000`00000016 : mso20win32client!EnableAbortRedirectLiblet::Uninit+0x93
00000007`c8711ce0 00007ff8`726d5011 : 000001fa`1d361801 000001fa`00000000 00000000`00000000 00000007`c8711d90 : ucrtbase!raise+0x1d9
00000007`c8711d60 00007ff7`0c56e0ba : 00007fff`00000003 00000000`00000003 ffffffff`fffffffe 000001fa`07842ff0 : ucrtbase!abort+0x31
00000007`c8711d90 00007ff8`726f1f37 : 000001fa`1d361888 000001fa`1d35f888 00000000`00000000 000001fa`178d2f00 : msaccess!SetEnumIntlView+0x202a
00000007`c8711dc0 00007ff7`0c5c7ed1 : 000001fa`1d361888 00007fff`bd22c560 000001fa`1d35f888 00000000`00000084 : ucrtbase!terminate+0x17
00000007`c8711df0 00007ff7`0c5ca322 : 000001fa`1d361888 00000000`00000000 00000000`00000084 000001fa`1d35f888 : msaccess!SizeCallback+0x513e1
00000007`c8711e20 00007ff7`0c89f79e : 00000007`c8711ec8 000001fa`04a72860 00000000`00000084 00000000`0000000a : msaccess!SizeCallback+0x53832
00000007`c8711e80 00007ff7`0c89f846 : 000001fa`079e2ff0 00000007`c8712d98 00000007`c8712d98 00000000`00000000 : msaccess!AccessLoadString+0x25afe
00000007`c8712d50 00007ff7`0c8a6d2a : 00000000`0000000c 000001fa`32683f70 00000007`c8715d90 00000000`00000001 : msaccess!AccessLoadString+0x25ba6
00000007`c8713c20 00007ff7`0c8a61a8 : 00000000`00000000 00000000`00000000 00000007`c87174c0 00000000`00000001 : msaccess!AccessLoadString+0x2d08a
00000007`c87143e0 00007ff7`0c89e772 : 00000000`00000102 000001fa`04a72860 00000000`00008000 00000000`00000000 : msaccess!AccessLoadString+0x2c508
00000007`c8715ce0 00007ff7`0c652af6 : 00000000`00000000 00007ff7`0cbcbd57 00000206`00000008 00007ff8`7507084c : msaccess!AccessLoadString+0x24ad2
00000007`c8716100 00007ff7`0c652989 : 00000007`c87174c0 00007ff7`0c685d6e 00000000`00000080 00000000`00000001 : msaccess!SizeCallback+0xdc006
00000007`c87162f0 00007ff7`0c64b6d8 : 00000000`00000080 000001fa`04a72860 00000000`00000202 00000000`00000000 : msaccess!SizeCallback+0xdbe99
00000007`c8716350 00007ff7`0c64d0d9 : 000046a7`155414ea 00000000`00000080 00000007`c87182f0 00000000`00000202 : msaccess!SizeCallback+0xd4be8
00000007`c8717620 00007ff7`0c8227c2 : 00000000`00000000 00000007`c8718520 00000000`000007d1 00000000`00008000 : msaccess!SizeCallback+0xd65e9
00000007`c87176d0 00007ff7`0c4f1aa6 : 00000000`f229a6a0 00000007`c8718520 00000000`00000001 00000007`c8718520 : msaccess!MSAU_GetSizeList+0x3f372
00000007`c87182a0 00007ff7`0c4e936f : 00000000`00000001 00000000`00000016 00000000`00000001 00000007`c8718520 : msaccess!MSAU_ErrSortStringArray+0x1d936
00000007`c8718420 00007ff7`0c5091d6 : 000001fa`178a8fe0 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x151ff
00000007`c87187c0 00007ff7`0c504855 : 00000007`c871c4a0 00000000`00000000 00007ff8`74f9fbcc 00000007`c871dde0 : msaccess!MSAU_ErrSortStringArray+0x35066
00000007`c871c440 00007ff7`0c4fe5e7 : 00000000`00000105 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x306e5
00000007`c871dcf0 00007ff7`0c50512a : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000001 : msaccess!MSAU_ErrSortStringArray+0x2a477
00000007`c871f3d0 00007ff7`0c7c2e8f : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!MSAU_ErrSortStringArray+0x30fba
00000007`c871f8f0 00007ff7`0c7c3fa5 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5cdef
00000007`c871fa90 00007ff7`0c333c72 : 00000000`0000000a 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!GetAccessIntellisenseManager+0x5df05
00000007`c871fb70 00007ff8`72f7e8d7 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : msaccess!Ordinal59+0x13c72
00000007`c871fbb0 00007ff8`74f9fbcc : 00000000`00000000 00000000`00000000 000004f0`fffffb30 000004d0`fffffb30 : KERNEL32!BaseThreadInitThunk+0x17
00000007`c871fbe0 00000000`00000000 : 00000000`00000000 00000000`00000000 00000000`00000000 00000000`00000000 : ntdll!RtlUserThreadStart+0x2c

Steps to reproduce

Download PoC