#Ventoy Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. https://github.com/ventoy/Ventoy/issues/2795

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of https://www.youtube.com/watch?v=QiSXClZauXA&t=3s

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (https://www.iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

#linux #boot #security #malicious #backdoor

[issue]: Remove BLOBs from the source tree · Issue #2795 · ventoy/Ventoy

What happened? Due to the recent XZ-Utils drama I checked the code and I'm appalled. There are more BLOBS than source code. https://github.com/ventoy/Ventoy/tree/3f65f0ef03e4aebcd14f233ca808a4f8946...


@arraybolt3 @vkc

ah HA! I was trying to remember WTF that device was called! I remember seeing it in passing but couldn't remember what it was called when I went to look for it again.

Since it's just a mass storage device, I'm assuming it supports Linux out-of-the-box right? No silly windows-only binaries needed?

@cdp1337 @vkc The Ubuntu Studio team lead (@eickmeyer) uses or at least used one for installing Ubuntu Studio on devices for testing, so yeah, pretty sure it works with Linux (and works for installing Linux too).

@arraybolt3 @cdp1337 @vkc

It's a product by iODD, and I now have the improved version: https://www.amazon.com/IODD-ST400-Enclosure-Bootable-Encryption/dp/B0B3HQMV5T/

However, lately I've been using Ventoy for just simple multi-booting, but the iODD ST400 is still great for hardware encryption and booting an ISO as a CD/DVD, although it uses NTFS storage unfortunately, which is the biggest drawback.


@eickmeyer @cdp1337 @vkc You may want to read the first post in this thread - Ventoy has suspicious activity surrounding it that has multiple people (some of them notable) concerned as to its safety.

(Part of me is thinking seriously about attempting to crack open some of the binaries in Ventoy and find out what they're hiding, if anything)

@eickmeyer @cdp1337 @vkc Curiosity got the better of me. I've now downloaded the full blob-laden Ventoy source code and all release artifacts from the latest release for safe-keeping and future analysis.

Does anyone have good suggestions for #reverseengineering tools? I know about #ghidra but am interested in other suggestions too. #linux #ubuntu

@arraybolt3 @eickmeyer @vkc

https://hex-rays.com/ida-free/

is the only product I've used for this type of work. I generally don't do much reverse engineering though as I find it annoyingly tedious.

One thought; if you know the original source repo of the binary files, you can compare the hash of the compiled files from the authoritative source to see if they've been modified / recompiled before uploading to Ventoy's repo.

IDA Free

A powerful disassembler and a versatile debugger

@arraybolt3 @eickmeyer @cdp1337 @vkc
Rather than just start disassembling, try to reproduce the blobs that are documented, then see what's different. Then start doing the same with the handful of ones without docs.
@FritzAdalis @eickmeyer @cdp1337 @vkc That's more or less what I had planned. Reverse engineering tools were what I hoped to use for investigating how things changed from the original source code, if they changed.

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc

I don't have time to do this myself, but I'd run all of the binary blobs I might want to compare through ssdeep. That way I would get a quick first feel for which are similar/alike, and which are different, and to what extent.

https://ssdeep-project.github.io/ssdeep/index.html

Doing something like `vimdiff <(xxd binary1) <(xxd binary2)` also helps me for quick checks.

https://cutter.re/ is a free gui for reversing.

ssdeep - Fuzzy hashing program

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc diffoscope is an excellent tool for analysing differences in binaries. It will dive down into any format it knows (including ELF) to extract meaningful diffs.

https://diffoscope.org/

diffoscope: in-depth comparison of files, archives, and directories
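As an added worked example (not code posted by anyone in this thread), here is the first-pass check the replies above describe: hash each checked-in blob and compare it against the blob you rebuilt from the upstream source, then give a quick byte-level "how different is it" figure for the ones that don't match, before reaching for ssdeep or diffoscope. The sample blobs are constructed in-memory byte strings standing in for real files; `hash_directory` is a small helper for loading real ones from disk.

```python
import hashlib
from pathlib import Path
from typing import Dict, Optional

# Constructed sample data: what a rebuild from upstream produced ("UPSTREAM")
# versus what is checked into the tree ("CHECKED_IN"). Real blobs would be
# loaded with hash_directory() below.
UPSTREAM = {
    "busybox":  b"\x7fELF" + b"A" * 200,
    "xzcat":    b"\x7fELF" + b"B" * 200,
    "grub.efi": b"MZ" + b"C" * 300,
}
CHECKED_IN = {
    "busybox":     b"\x7fELF" + b"A" * 200,              # byte-for-byte identical
    "xzcat":       b"\x7fELF" + b"B" * 150 + b"Z" * 50,  # same prefix, tail differs
    "grub.efi":    b"MZ" + b"D" * 300,                   # only the header matches
    "mystery.bin": b"\x00" * 64,                         # nothing upstream to compare to
}


def sha256_hex(data: bytes) -> str:
    """Hex SHA-256 of a blob; what you'd publish next to each binary."""
    return hashlib.sha256(data).hexdigest()


def byte_similarity(a: bytes, b: bytes) -> float:
    """Fraction of byte positions that agree, measured over the longer input.

    This is a crude positional measure (an inserted byte shifts everything after
    it), which is exactly why ssdeep's fuzzy hashing exists; it is only meant to
    separate 'nearly the same' from 'completely different' at a glance.
    """
    n = max(len(a), len(b))
    if n == 0:
        return 1.0
    same = sum(1 for x, y in zip(a, b) if x == y)
    return same / n


def first_difference(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first differing byte, or None if the blobs are identical."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    if len(a) != len(b):
        return min(len(a), len(b))
    return None


def compare_blobs(upstream: Dict[str, bytes], checked_in: Dict[str, bytes]) -> Dict[str, dict]:
    """Classify every checked-in blob as identical, differs, or no-upstream."""
    report: Dict[str, dict] = {}
    for name, blob in checked_in.items():
        ref = upstream.get(name)
        if ref is None:
            # A blob with no reproducible source is the case that needs a closer look.
            report[name] = {"status": "no-upstream", "sha256": sha256_hex(blob)}
        elif sha256_hex(ref) == sha256_hex(blob):
            report[name] = {"status": "identical", "sha256": sha256_hex(blob)}
        else:
            report[name] = {
                "status": "differs",
                "sha256": sha256_hex(blob),
                "expected_sha256": sha256_hex(ref),
                "similarity": byte_similarity(ref, blob),
                "first_diff_offset": first_difference(ref, blob),
            }
    return report


def hash_directory(path: str) -> Dict[str, bytes]:
    """Load every regular file under `path` (hypothetical helper for real blobs)."""
    root = Path(path)
    return {str(p.relative_to(root)): p.read_bytes() for p in root.rglob("*") if p.is_file()}


if __name__ == "__main__":
    for name, entry in compare_blobs(UPSTREAM, CHECKED_IN).items():
        print(f"{name:12} {entry['status']:12}", end="")
        if entry["status"] == "differs":
            print(f" similarity={entry['similarity']:.3f} first_diff@{entry['first_diff_offset']}", end="")
        print()
```

Run it against two directories with `compare_blobs(hash_directory("rebuilt/"), hash_directory("checked-in/"))`. A blob that reports "differs" with high similarity and a late first-difference offset is usually a rebuild with different timestamps or linker layout; one that is "no-upstream" or nearly 0% similar is where a diffoscope or disassembler session is actually worth the time.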

@eickmeyer @arraybolt3 @vkc

Perfect! I'll think about getting an ST300 ordered today.

I saw they have the ST400 but for the purposes of a dummy boot drive from ISO; encryption is way overkill. The ST300 lists that it supports exFAT too, so I don't have to resort to NTFS.

And yeah, I read the original thread; ever since I discovered that application I've been leery of it; (just skeezy vibes from the website and project as a whole, but it was the only utility I was able to find which allowed me to boot ISO images without a pocket full of USB sticks).

@cdp1337 @arraybolt3 @vkc I have a 400, and I seem to recall that I had to resort to Windows to create the NTFS file system on the drive; none of the Linux tools seemed to create it just so that the firmware would like it.
Similar with virtual disk images (for USB stick emulation), while qemu-img can make these the firmware doesn't seem to like them, ones made from Windows work.
Apart from this its a great tool, and I wish I had known about it 10 years ago.

@Lalufu @arraybolt3 @vkc
@eickmeyer

My ST300 just came in today; slapped in a spare 1TB drive and it fired right up in Gnome Disks. Seems to be working just fine, though we'll see how usable it is when something blows up and I have to load up gparted while in a panic. :P

@arraybolt3 pardon my ignorance, but is the paid device you are linking the only alternative to Ventoy's ability to have a USB stick with multiple ISOs on it to boot from?

@enshroudedshrew It's the only "drop-in replacement" I personally know of. With some Linux ISOs you can mimic the functionality somewhat using GRUB, but it's a lot more work than Ventoy and doesn't work universally.

(FWIW I have no connection to IODD, this is just something I remembered the Ubuntu Studio team lead showing me.)

@arraybolt3 @enshroudedshrew there was some years ago at least a way to make an android phone emulate a usb device when plugged and mount any isos. But it required an unlocked device with root which is impossible for most people.
DriveDroid - Softwarebakery

@Zekah @arraybolt3 @enshroudedshrew could be. Not sure. Seems to check all the features I was thinking about. I'm mostly sure it was something I saw in fdroid, but could be wrong.
@vascorsd @arraybolt3 @enshroudedshrew it is in f-droid I think, it is in mine
@arraybolt3 @vkc this IODD is a rebadged Zalman! I have one on my desk, but I have had issues with it on UEFI machines

https://www.iodd.shop/IODD-2531-USB-30-external-HDD-SSD-Enclosure
IODD 2531 USB 3.0 external HDD/SSD Enclosure, 125,66 €

2.5″ HDD Enclosure, USB 3.0 / 2.0 / 1.1, Virtual ODD/HDD Function, 2.5″ S-ATA SSD/HDD, Write blocker (forensic), Windows-To-Go
@arraybolt3 @vkc I followed the instructions by Ventoy's author in this Github issue about some files being detected as viruses, compiled their busybox/xzcat from upstream as instructed, and it does still get detected as a virus. So that's fun.

https://github.com/ventoy/Ventoy/issues/660#issuecomment-748475849
Mirai virus · Issue #660 · ventoy/Ventoy

https://www.virustotal.com/gui/file/da28fcd5f8668f3ecf38ae48161ea9c00c6a7517fd08695f7985b4e6ccdf6d34/detection https://www.virustotal.com/gui/file/0410043931953e7805fdb747f2a25c409ad0b6ed85807e222f...


@arraybolt3 @vkc FWIW, I raised this concern 4 years ago but nobody noticed…

https://github.com/ventoy/Ventoy/issues/199

Simplify linux install scripts · Issue #199 · ventoy/Ventoy

Looking at Ventoy2Disk.sh & friends, I'm quite perplexed as to why it's so convoluted: I see absolutely no reason to bundle a shell binary alongside. Even if you require bash features it's quite easy...

@arraybolt3 The enclosure doesn't have blobs??
@babble_endanger "The enclosure"?
@arraybolt3 the enclosure (suggested iODD device) pretty much runs closed source software on its microcontroller. @babble_endanger
@txt_file @babble_endanger ah that. Fair enough, though to my awareness the manufacturer of the enclosure hasn't used social engineering tactics against viewers of any particular YouTube channel.
@arraybolt3 @txt_file @babble_endanger
Hey, there is no proof that the dev used social engineering in this video's comments. Till now there are only accusations; however, it's interesting that many comments about Ventoy have been removed - not by Veronica.
But maybe people read these ventoy warnings and deleted their endorsements.
@arraybolt3 @txt_file @babble_endanger
I always found Balena Etcher way sketchier, since it should be way more code & obfuscations and way less functionality. And I am wondering why people like it and endorse it also under this video.

@ejim Agreed.

The download is >100mb, which seems totally excessive.

Even if the Linux version is a static binary, the Windows version is a similar size, whereas Rufus (https://rufus.ie/en/), which does a similar job, is between 1.5 and 5mb!

Balena Etcher looks nicer, but I doubt there's 100mb-worth of extra graphics in there.....

Rufus - Create bootable USB drives the easy way

@chewie yeah, last I looked #balenaEtcher it was an #electron app.
@ejim @txt_file @babble_endanger Not sure where you see them removed? They all ended up at the bottom of the comment list but I counted a full twenty of them earlier this morning.
@arraybolt3 @txt_file @babble_endanger
Okay, Veronica said in the top YT Comment that some were removed.

@arraybolt3 @vkc Let me just audit the firmware on the iodd... wait.

(strong agree re: Ventoy security concerns though)

@voltagex Guess the other solution is buying a bulk supply of USB sticks no larger than 16GB and a label printer to identify what you've dd'd onto them.
Bonus points: USB media that cheap also tends to be so slow, you don't even need an optical device simulator to relive the memories of writing the media and booting it as slow as CDROMs.

@arraybolt3

Whilst I appreciate the fact you linked an alternative...the starting price is at ~100 EUR, which isn't exactly an alternative to a free piece of software

Is there any other software alternative you know of? Maybe someone mentioned something in the thread?

@arraybolt3 @vkc
and some of the exes still look suspicious to virustotal

@arraybolt3

> This is... not anything I've seen users of ANY open-source project do

I see you've never interacted with the Matrix community 😅 Some of the most irritating 'evangelists' in the open source world.

@lutoma lol, I actually use Matrix heavily enough that I'm one of the mods of the entire Ubuntu Community there. Yes, we are pushy, but... not to the point of launching what looks like a staged invasion on someone's YouTube channel to push it :P
@arraybolt3 @vkc Ok on the dubious blobs... but then you link to a paid proprietary product.. smells
@delegatevoid @vkc It was the only alternative I knew of at the time, and it was something an Ubuntu dev had showed me.
@arraybolt3 @vincib There is another issue: if you use iVentoy (Ventoy for PXE), it can inject some "thing" into the media; for example it allows net booting Windows by creating a fake second drive for the ISO.

@arraybolt3 @vkc

While the lack of reply is concerning, the binary blobs are not strictly speaking weird in this context.

Grub and BusyBox binaries for different architectures are annoying to build, and including them as binaries is a practical choice.

It would be better if they included some description where they are taken from though.

@arraybolt3 man your profile is sus, is this about trump ?
https://theres.life/@arraybolt3/112783544335740451
Aaron Rainbolt (@[email protected])

NOTICE: If you mock, berate, or otherwise talk trash about a former U.S. president who nearly got killed on 2024-07-14, because of what happened when he nearly got killed, I will probably unfollow, mute, and/or block you.

@kouett lol, yes it is, but only because he's the one who actually nearly got killed. I'd say the exact same thing if it were Biden who had been shot and survived.
@arraybolt3
I had the same feeling (without all the analysis to back up my suspicions). Thank you for the SSD enclosure alternative!
@vkc @Siph
@arraybolt3 @vkc
For some blobs, the sources have been found.

@jak2k @arraybolt3 @vkc

The arch AUR pkgbuild maintainer commented:
https://github.com/ventoy/Ventoy/issues/2795#issuecomment-2272249476

"Anyway, my take on the whole situation is that the Ventoy author is an honourable person. Of course, I cannot be 100% certain, but I firmly believe there are no backdoors or anything dodgy going on here. Everyone needs to chill out a bit.

I'd be willing to help @ventoy try and get a proper build system going. I have proved that we don't need to rely on Centos 7 as a build environment."

This is promising. I really hope a good build system helps address this trust issue.


@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.

I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.

@arraybolt3 @robin @jak2k @vkc
so far nothing?
@ejim @robin @jak2k @vkc Been very busy, also set up a new dev laptop yesterday. Still got this planned and have some of the tools set up for it.

@arraybolt3 @vkc It's possible this is an issue, but having read the thread the overwhelming impression I get is of people trying to shove effort onto the developer, and being unwilling to help. There are comments that build scripts have now been located for most of the blobs, and a comment within the last day that the GRUB related blobs are from other distributions. I'm not seeing anyone e.g. doing a CRC check on the blob vs other sources, or submitting diffs to fetch the files from another project.

The latest comment takes the biscuit: 'I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same.'

haha. hahahahahahahaha. bonk. They tried that before, it didn't work.

Good point on the CDROM emulator though, I use a Zalman VE300 for that purpose.

@syllopsium @vkc I'm downloading the needed stuff to do those checks fwiw.