Aaron Rainbolt

#Ventoy Security Concerns (please boost for visibility)

Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.

Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. github.com/ventoy/Ventoy/issue

Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of youtube.com/watch?v=QiSXClZauX

If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.

#linux #boot #security #malicious #backdoor

61 comments
Charlie

@arraybolt3 @vkc

ah HA! I was trying to remember WTF that device was called! I remember seeing it in passing but couldn't remember what it was called when I went to look for it again.

Since it's just a mass storage device, I'm assuming it supports Linux out-of-the-box right? No silly windows-only binaries needed?

Aaron Rainbolt

@cdp1337 @vkc The Ubuntu Studio team lead (@eickmeyer) uses or at least used one for installing Ubuntu Studio on devices for testing, so yeah, pretty sure it works with Linux (and works for installing Linux too).

Erich Eickmeyer

@arraybolt3 @cdp1337 @vkc

It's a product by iODD, and I now have the improved version: amazon.com/IODD-ST400-Enclosur

However, lately I've been using Ventoy for just simple multi-booting, but the iODD ST400 is still great for hardware encryption and booting an ISO as a CD/DVD, although it uses NTFS storage unfortunately, which is the biggest drawback.

Aaron Rainbolt

@eickmeyer @cdp1337 @vkc You may want to read the first post in this thread - Ventoy has suspicious activity surrounding it that has multiple people (some of them notable) concerned as to its safety.

(Part of me is thinking seriously about attempting to crack open some of the binaries in Ventoy and find out what they're hiding, if anything)

Aaron Rainbolt

@eickmeyer @cdp1337 @vkc Curiosity got the better of me. I've now downloaded the full blob-laden Ventoy source code and all release artifacts from the latest release for safe-keeping and future analysis.

Does anyone have good suggestions for #reverseengineering tools? I know about #ghidra but am interested in other suggestions too. #linux #ubuntu

Charlie

@arraybolt3 @eickmeyer @vkc

hex-rays.com/ida-free/

is the only product I've used for this type of work. I generally don't do much reverse engineering though as I find it annoyingly tedious.

One thought; if you know the original source repo of the binary files, you can compare the hash of the compiled files from the authoritative source to see if they've been modified / recompiled before uploading to Ventoy's repo.

Fritz Adalis

@arraybolt3 @eickmeyer @cdp1337 @vkc
Rather than just start disassembling, try to reproduce the blobs that are documented, then see what's different. Then start doing the same with the handful of ones without docs.

Aaron Rainbolt

@FritzAdalis @eickmeyer @cdp1337 @vkc That's more or less what I had planned. Reverse engineering tools were what I hoped to use for investigating how things changed from the original source code, if they changed.

Codrus :archlinux: 🇺🇲

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc

Look for strings contained in the blob first—sometimes you can learn a lot that way.

⠠⠵ avuko

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc

I don't have time to do this myself, but I'd run all of the binary blobs I might want to compare through ssdeep. That way I would get a quick first feel for which are similar/alike, and which are different, and to what extent.

ssdeep-project.github.io/ssdee

Doing something like `vimdiff <(xxd binary1) <(xxd binary2)` also helps me for quick checks.

cutter.re/ is a free gui for reversing.

coucouf ⏚

@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc diffoscope is an excellent tool for analysing differences in binaries. It will dive down into any format it knows (including ELF) to extract meaningful diffs.

diffoscope.org/
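
The replies above sketch one procedure: rebuild each blob from the upstream source it is documented to come from, compare hashes, and only then fall back to fuzzy signals (ssdeep, strings, byte-level diffs, diffoscope). The script below is an added example written for this thread, not Ventoy code and not a tool any poster linked. It does the exact-hash check first, and when the hashes differ it reports a similarity score and the printable strings that exist only in the vendored copy. The similarity score is a deliberately simple fixed-chunk Jaccard measure standing in for ssdeep, and all sample bytes are constructed (a fake ELF-ish header, a banner, and deterministic pseudo-random "code"); nothing here is a real Ventoy artifact.

```python
"""Reproduce-then-compare check for a vendored binary blob.

Added example for this thread; it is not Ventoy code and not a tool any
poster linked. Assumes the blob has already been rebuilt from its upstream
source into a second file. All sample bytes below are constructed.
"""
import hashlib
import re
from dataclasses import dataclass, field

MIN_STRING_LEN = 4   # same default as GNU strings(1)
CHUNK = 64           # fixed chunk size for the crude similarity score


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def extract_strings(data: bytes, min_len: int = MIN_STRING_LEN) -> list[str]:
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]


def chunk_similarity(a: bytes, b: bytes, chunk: int = CHUNK) -> float:
    """Jaccard similarity of hashed fixed-size chunks, in [0, 1].

    Assumption: this is a simple stand-in for ssdeep-style fuzzy hashing.
    Chunks sit at fixed offsets, so an insertion that shifts later bytes
    lowers the score far more than ssdeep's context-triggered pieces would.
    Use the real ssdeep for anything beyond first-pass triage.
    """
    def chunk_set(d: bytes) -> set[bytes]:
        return {hashlib.blake2b(d[i:i + chunk], digest_size=8).digest()
                for i in range(0, len(d), chunk)}
    ca, cb = chunk_set(a), chunk_set(b)
    if not ca and not cb:
        return 1.0
    return len(ca & cb) / len(ca | cb)


@dataclass
class Report:
    identical: bool
    blob_sha256: str
    rebuilt_sha256: str
    similarity: float
    only_in_blob: list[str] = field(default_factory=list)
    only_in_rebuilt: list[str] = field(default_factory=list)


def compare_blob(blob: bytes, rebuilt: bytes) -> Report:
    """Exact hash first; only when hashes differ, fall back to fuzzy signals.

    A hash mismatch alone is not evidence of tampering: a non-reproducible
    build (timestamps, compiler version, build-id) also changes the hash.
    The strings that exist only in the vendored blob are what to read next.
    """
    h_blob, h_rebuilt = sha256_hex(blob), sha256_hex(rebuilt)
    if h_blob == h_rebuilt:
        return Report(True, h_blob, h_rebuilt, 1.0)
    s_blob, s_rebuilt = set(extract_strings(blob)), set(extract_strings(rebuilt))
    return Report(False, h_blob, h_rebuilt, chunk_similarity(blob, rebuilt),
                  sorted(s_blob - s_rebuilt), sorted(s_rebuilt - s_blob))


# Constructed samples (not real Ventoy artifacts): a fake ELF-ish header,
# a version banner, and 1 KiB of deterministic pseudo-random "code".
_CODE = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(32))
REBUILT = b"\x7fELF" + b"\x00" * 60 + b"busybox v1.36.1 (constructed sample)\x00" + _CODE
# Vendored copy that matches the rebuild byte for byte.
BLOB_CLEAN = bytes(REBUILT)
# Vendored copy with a same-length 32-byte patch dropped into the zero padding.
_PATCH = b"http://example.invalid/beacon".ljust(32, b"\x00")
BLOB_PATCHED = REBUILT[:20] + _PATCH + REBUILT[52:]


if __name__ == "__main__":
    for name, blob in (("clean", BLOB_CLEAN), ("patched", BLOB_PATCHED)):
        r = compare_blob(blob, REBUILT)
        print(f"{name}: identical={r.identical} similarity={r.similarity:.2f}")
        for s in r.only_in_blob:
            print(f"  only in vendored blob: {s!r}")
```

On real files, call `compare_blob(Path(vendored).read_bytes(), Path(rebuilt).read_bytes())` for each blob and read the `only_in_blob` list before reaching for a disassembler. Two caveats carry over from the thread: an identical hash only proves the vendored file is the one the documented source produces, not that that source is clean, and a differing hash with a high similarity score is the normal outcome of a non-reproducible build, which is where diffoscope's structured ELF diff earns its keep.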

Charlie

@eickmeyer @arraybolt3 @vkc

Perfect! I'll think about getting an ST300 ordered today.

I saw they have the ST400 but for the purposes of a dummy boot drive from ISO; encryption is way overkill. The ST300 lists that it supports exFAT too, so I don't have to resort to NTFS.

And yeah, I read the original thread; ever since I discovered that application I've been leery of it; (just skeezy vibes from the website and project as a whole, but it was the only utility I was able to find which allowed me to boot ISO images without a pocket full of USB sticks).

Lalufu

@cdp1337 @arraybolt3 @vkc I have a 400, and I seem to recall that I had to resort to Windows to create the NTFS file system on the drive; none of the Linux tools seemed to create it just so that the firmware would like it.

Similar with virtual disk images (for USB stick emulation): while qemu-img can make these, the firmware doesn't seem to like them, but ones made from Windows work.

Apart from this it's a great tool, and I wish I had known about it 10 years ago.

enshroudedshrew

@arraybolt3 pardon my ignorance, but is the paid device you are linking the only alternative to Ventoy's ability to have a USB stick with multiple ISOs on it to boot from?

Aaron Rainbolt

@enshroudedshrew It's the only "drop-in replacement" I personally know of. With some Linux ISOs you can mimic the functionality somewhat using GRUB, but it's a lot more work than Ventoy and doesn't work universally.

(FWIW I have no connection to IODD, this is just something I remembered the Ubuntu Studio team lead showing me.)

vascorsd

@arraybolt3 @enshroudedshrew there was some years ago at least a way to make an android phone emulate a usb device when plugged and mount any isos. But it required an unlocked device with root which is impossible for most people.

feld
@arraybolt3 @vkc this IODD is a rebadged Zalman! I have one on my desk, but I have had issues with it on UEFI machines.

https://www.iodd.shop/IODD-2531-USB-30-external-HDD-SSD-Enclosure

feld
@arraybolt3 @vkc I followed the instructions by Ventoy's author in this Github issue about some files being detected as viruses, compiled their busybox/xzcat from upstream as instructed, and it does still get detected as a virus. So that's fun.

https://github.com/ventoy/Ventoy/issues/660#issuecomment-748475849

mmu_man

@arraybolt3 @vkc FWIW, I raised this concern 4 years ago but nobody noticed…

github.com/ventoy/Ventoy/issue

txt.file

@arraybolt3 the enclosure (suggested iODD device) pretty much runs closed source software on its microcontroller. @babble_endanger

Aaron Rainbolt

@txt_file @babble_endanger ah that. Fair enough, though to my awareness the manufacturer of the enclosure hasn't used social engineering tactics against viewers of any particular YouTube channel.

Adam ♿

@arraybolt3 @vkc Let me just audit the firmware on the iodd... wait.

(strong agree re: Ventoy security concerns though)

Christopher Snowhill

@voltagex Guess the other solution is buying a bulk supply of USB sticks no larger than 16GB and a label printer to identify what you've dd'd onto them.

Christopher Snowhill

Bonus points: USB media that cheap also tends to be so slow, you don't even need an optical device simulator to relive the memories of writing the media and booting it as slow as CDROMs.

Simon Müller :ablobcatcoffee:

@arraybolt3

Whilst I appreciate the fact you linked an alternative...the starting price is at ~100 EUR, which isn't exactly an alternative to a free piece of software

Is there any other software alternative you know of? Maybe someone mentioned something in the thread?

Aaron Rainbolt

@cyrus The functionality in Ventoy is pretty close to one-of-a-kind. You can kind of mimic it with GRUB though. There's also a tool called Glim (github.com/thias/glim) that apparently makes setting up GRUB in this fashion easy. I haven't audited the code and can't vouch for its safety, but it might be worth looking at.

Simon Müller :ablobcatcoffee:

@arraybolt3 I mean...Ventoy is based on GRUB2 soo... :blobcatthinkingglare:

Aaron Rainbolt

@cyrus Is it though? I believe it has GRUB binary blobs in the source code tree, but from my research it appears to have a lot of additional functionality (such as the ability to boot Windows ISOs, which generally don't take to the GRUB approach so well).

Simon Müller :ablobcatcoffee:

@arraybolt3 it is GRUB2, they have a bunch of custom scripts to extract and boot the required files from Windows ISOs manually

Robin B.

@cyrus @arraybolt3

Ventoy uses github.com/ValdikSS/Super-UEFI to boot unsigned ISOs on Secure Boot devices.
I haven't researched how to make it work with my own key - so I'm careful to delete the key afterwards or to not use the feature at all.

Using a grub2-solution like glim is sufficient for 99% of my use-cases, so I'm switching away from ventoy.
Making wimboot work with glim seems to be possible but experimental.. fortunately I don't need it.

Lien Rag

@cyrus

I've used many other pieces of software before discovering Ventoy (I only remember the name of Multisystem), but #Ventoy is way better than all of them. I'm really sad to learn about this problem, as I use it a lot.

@arraybolt3 @enshroudedshrew

moonlight_seashell

@arraybolt3 @vkc
and some of the exes still look suspicious to virustotal

lutoma :ohai:

@arraybolt3

> This is... not anything I've seen users of ANY open-source project do

I see you've never interacted with the Matrix community 😅 Some of the most irritating 'evangelists' in the open source world.

Aaron Rainbolt

@lutoma lol, I actually use Matrix heavily enough that I'm one of the mods of the entire Ubuntu Community there. Yes, we are pushy, but... not to the point of launching what looks like a staged invasion on someone's YouTube channel to push it :P

DelegateVoid

@arraybolt3 @vkc Ok on the dubious blobs... but then you link to a paid proprietary product.. smells

Aaron Rainbolt

@delegatevoid @vkc It was the only alternative I knew of at the time, and it was something an Ubuntu dev had showed me.

iXô

@arraybolt3@theres.life @vincib@mamot.fr There is another issue: if you use iVentoy (Ventoy for PXE), it can inject some "thing" into the media; for example, it allows net booting Windows by creating a fake second drive for the ISO.

Morten Linderud

@arraybolt3 @vkc

While the lack of reply is concerning, the binary blobs are not strictly speaking weird in this context.

Grub and BusyBox binaries for different architectures are annoying to build, and including them as binaries is a practical choice.

It would be better if they included some description where they are taken from though.

Hobson Lane

@arraybolt3
I had the same feeling (without all the analysis to back up my suspicions). Thank you for the SSD enclosure alternative!
@vkc @Siph

Jak2k

@arraybolt3 @vkc
For some blobs, the sources have been found.

Robin B.

@jak2k @arraybolt3 @vkc

The arch AUR pkgbuild maintainer commented:
github.com/ventoy/Ventoy/issue

"Anyway, my take on the whole situation is that the Ventoy author is an honourable person. Of course, I cannot be 100% certain, but I firmly believe there are no backdoors or anything dodgy going on here. Everyone needs to chill out a bit.

I'd be willing to help @ventoy try and get a proper build system going. I have proved that we don't need to rely on Centos 7 as a build environment."

This is promising. I really hope a good build system helps address this trust issue.

Aaron Rainbolt

@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.

I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.

Pete / Syllopsium

@arraybolt3 @vkc It's possible this is an issue, but having read the thread the overwhelming impression I get is of people trying to shove effort onto the developer, and being unwilling to help. There are comments that build scripts have now been located for most of the blobs, and a comment within the last day that the GRUB related blobs are from other distributions. I'm not seeing anyone e.g. doing a CRC check on the blob vs other sources, or submitting diffs to fetch the files from another project.

The latest comment takes the biscuit: 'I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same.'

haha. hahahahahahahaha. bonk. They tried that before, it didn't work.

Good point on the CDROM emulator though, I use a Zalman VE300 for that purpose.

Aaron Rainbolt

@syllopsium @vkc I'm downloading the needed stuff to do those checks fwiw.

Tired Bunny :bunhdcomfysleep:

@arraybolt3 @vkc I should add that this wave is seemingly completely absent from the Peertube upload of the same video, though I don't know if it contributes to proving the point or not...

🏳️‍🌈🎃🇧🇷Luana🇧🇷🎃🏳️‍🌈 :verified:

@vkc @arraybolt3 Meh, I wouldn’t really say they’re ignoring it. Ventoy’s last commit itself was 2 months ago, and the issue isn’t much older than that. The binary blobs need to go, sure, but it’s not like anyone complaining is opening a pull request for that.

This is a foss project, the dev isn’t being paid for it or anything so maybe let’s just not reproduce the foss negativity we all complain about? They’re in no way obliged to respond as quickly as anyone wants, you know?

Instead of accusing without proof and recommending a closed source expensive hardware alternative (and btw the same proofless accusation could be made here, saying people are attacking #ventoy just to recommend a backdoored closed source alternative…) maybe someone could actually build those binaries and make sure they are the same? And while they’re at it document the building processes so someone can make a PR removing those blobs from Ventoy’s source.

The suspiciously enthusiast fanboys are weird tho…

Aaron Rainbolt

@luana @vkc The last commit was made two months after the thread was started. 60 days seems like plenty of time to at least drop a note indicating that they saw it and will take it into consideration.

No one is obliged to do anything. But you can learn from their behavior.

I intend on building those binaries and seeing if they are the same. I discussed techniques for doing this elsewhere in the thread.

burne

@luana @vkc @arraybolt3 "it's foss" is not a good reason for maintaining a potential malware vector.

Mikle_Bond

@arraybolt3 @untsuki @vkc

> This is... not anything I've seen users of ANY open-source project do, [...]

Try telling neovim people that you've tried it, but liked vim more. I've witnessed this statement ignite at least twice.

On a less sarcastic note: I don't see anything suspicious in the comments section on YouTube. Did the offensive comments sink too far into the timeline, or were they deleted by now? As of now, most of them are praises and mentions of Rufus/Etcher.

sadmac356

@Mikle_Bond likely deleted due to the sheer numbers of them she received

Aaron Rainbolt

@Mikle_Bond @untsuki @vkc Most of them sunk to the bottom. Given the author's recent rename of the video though, it looks like they may still be being made.

「羽飛やこう:最不調和の化身」

@arraybolt3@theres.life @vkc@linuxmom.net The comments may look like a replay of the Jia Tan incident, but it isn't like forcing someone to hand out their maintenance role to another like last time. I can see where those people are coming from, because just like them, I'm somewhat of a Ventoy fan, booting several ISOs for system installations and repairs. If I watched her video, I'd be likely to leave a comment on why Ventoy was left out too, and I also see avid fans of certain products bombarding recommendations when they see a list that doesn't contain what they love.

The solution you recommended, which requires purchasing a separate piece of hardware, is sadly not feasible in a broader context. Where thumb drives can be obtained relatively cheaply, the hardware you recommended costs around 50 euros for a single unit. On the cost front alone, the temporary solution offered isn't likely to attract a crowd of any significance.

I must admit however that the binary blobs are indeed quite questionable, as I also went through the nightmare of manually downgrading the packages on a fleet of servers myself during that xz incident, writing a call-out post after that. I can't say I'll be stopping using Ventoy at all in the foreseeable future until another all-software solution makes the scene, but I'll keep this disturbing fact in mind.

Edit: Sifting through the comment section, I found @attilax@framapiaf.org mentioning MultiSystem (use machine translation if you cannot read French), which was sadly discontinued over two years ago.

:babyrapereenactment: bill [figger]
@arraybolt3 @vkc shitty win10 install now infected with Chinese spyware i guess