#Ventoy Security Concerns (please boost for visibility)
Ventoy is a popular utility for making USB drives containing multiple operating systems in the form of bootable image files. While very useful in theory, the source tree contains numerous binary blobs without source code. This issue has been brought up to the authors multiple times, has not been corrected, and has even gotten worse (more blobs have been added to the code over time). This is a potential malware vector, similar to the "test files" in the xz-utils backdoor catastrophe.
Recently the author has ignored a very lengthy thread raising security concerns because of these binary blobs. Given the amount of attention the thread has gotten, this seems strange, especially given that the authors have been active since then. https://github.com/ventoy/Ventoy/issues/2795
Stranger yet still, a video by Veronica Explains (@vkc) on how to create bootable USB flash drives got flooded by comments heavily suggesting the use of Ventoy and even being somewhat accusing because Veronica didn't advertise Ventoy. This is... not anything I've seen users of ANY open-source project do, and it feels similar to the social engineering done against Lasse Collin that convinced him to add Jia Tan as a maintainer, thus compromising xz-utils. See the comments of https://www.youtube.com/watch?v=QiSXClZauXA&t=3s
If you're using Ventoy, you may want to consider ceasing its use for the time being out of an abundance of caution. If you truly need its functionality, you might look into something like the IODD SSD Enclosure (https://www.iodd.shop/HDD/SSD-Enclosure) which can emulate an optical drive and allows you to select an ISO saved to the drive to boot from.
ah HA! I was trying to remember WTF that device was called! I remember seeing it in passing but couldn't remember what it was called when I went to look for it again.
Since it's just a mass storage device, I'm assuming it supports Linux out of the box, right? No silly Windows-only binaries needed?
@cdp1337 @vkc The Ubuntu Studio team lead (@eickmeyer) uses or at least used one for installing Ubuntu Studio on devices for testing, so yeah, pretty sure it works with Linux (and works for installing Linux too).
It's a product by iODD, and I now have the improved version: https://www.amazon.com/IODD-ST400-Enclosure-Bootable-Encryption/dp/B0B3HQMV5T/
However, lately I've been using Ventoy for just simple multi-booting, but the iODD ST400 is still great for hardware encryption and booting an ISO as a CD/DVD, although it uses NTFS storage unfortunately, which is the biggest drawback.
@eickmeyer @cdp1337 @vkc You may want to read the first post in this thread - Ventoy has suspicious activity surrounding it that has multiple people (some of them notable) concerned as to its safety.
(Part of me is thinking seriously about attempting to crack open some of the binaries in Ventoy and find out what they're hiding, if anything)
@eickmeyer @cdp1337 @vkc Curiosity got the better of me. I've now downloaded the full blob-laden Ventoy source code and all release artifacts from the latest release for safe-keeping and future analysis.
Does anyone have good suggestions for #reverseengineering tools? I know about #ghidra but am interested in other suggestions too. #linux #ubuntu
https://hex-rays.com/ida-free/ is the only product I've used for this type of work. I generally don't do much reverse engineering though as I find it annoyingly tedious.
One thought; if you know the original source repo of the binary files, you can compare the hash of the compiled files from the authoritative source to see if they've been modified / recompiled before uploading to Ventoy's repo.
@arraybolt3 @eickmeyer @cdp1337 @vkc
Rather than just start disassembling, try to reproduce the blobs that are documented, then see what's different. Then start doing the same with the handful of ones without docs.
@FritzAdalis @arraybolt3 @cdp1337 @vkc
That's actually an excellent idea.
@FritzAdalis @eickmeyer @cdp1337 @vkc That's more or less what I had planned. Reverse engineering tools were what I hoped to use for investigating how things changed from the original source code, if they changed.
@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc
Look for strings contained in the blob first—sometimes you can learn a lot that way.
@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc
I don't have time to do this myself, but I'd run all of the binary blobs I might want to compare through ssdeep. That way I would get a quick first feel for which are similar/alike, and which are different, and to what extent.
https://ssdeep-project.github.io/ssdeep/index.html
Doing something like `vimdiff <(xxd binary1) <(xxd binary2)` also helps me for quick checks.
https://cutter.re/ is a free gui for reversing.
@arraybolt3 @FritzAdalis @eickmeyer @cdp1337 @vkc diffoscope is an excellent tool for analysing differences in binaries. It will dive down into any format it knows (including ELF) to extract meaningful diffs.
@arraybolt3 @eickmeyer @cdp1337 @vkc /bin/strings (no really)
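A first-pass triage script in the spirit of the suggestions above: hash each vendored blob against the authoritative source's checksums, pull printable strings out of it (`strings`), and report byte-for-byte where a vendored blob differs from a rebuilt one (the `xxd`/diffoscope idea). This is an added example, not code from the thread, from Ventoy or from any of the tools named; the blob bytes, blob names and the manifest are constructed stand-ins, and in real use the expected hashes would come from the upstream project's published release checksums.

```python
"""Triage helpers for vendored binary blobs (added example, not project code).

Three checks from the thread: compare each blob's SHA-256 with the
authoritative source, extract printable strings, and list the offsets at
which two builds differ. Every blob below is a constructed stand-in.
"""
import hashlib
import re
from typing import Dict, List, Tuple

# Constructed blobs: fake ELF header, version banner, unprintable padding,
# licence string. Not real Ventoy, GRUB or BusyBox binaries.
HEADER = b"\x7fELF" + b"\x00" * 12
PADDING = bytes(range(32))                      # 0x00..0x1f, never printable
UPSTREAM_BLOB = HEADER + b"busybox v1.36 (upstream)\x00" + PADDING + b"\x00GPLv2\x00"
VENDORED_BLOB = bytes(UPSTREAM_BLOB)            # byte-identical copy
MODIFIED_BLOB = HEADER + b"busybox v1.36 (patched!)\x00" + PADDING + b"\x00GPLv2\x00"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Assumed manifest: in practice this is the upstream release's checksum
# file; here it is derived from the constructed "upstream" blob.
MANIFEST: Dict[str, str] = {
    "busybox-x86": sha256_hex(UPSTREAM_BLOB),
    "busybox-aa64": sha256_hex(UPSTREAM_BLOB),
}


def check_manifest(blobs: Dict[str, bytes], manifest: Dict[str, str]) -> Dict[str, str]:
    """Classify each vendored blob as 'match', 'MISMATCH' or 'unlisted'.

    'unlisted' marks blobs with no documented origin at all, the handful the
    thread suggests looking at after the documented ones reproduce cleanly.
    """
    report: Dict[str, str] = {}
    for name, data in blobs.items():
        expected = manifest.get(name)
        if expected is None:
            report[name] = "unlisted"
        elif sha256_hex(data) == expected:
            report[name] = "match"
        else:
            report[name] = "MISMATCH"
    return report


def extract_strings(data: bytes, min_len: int = 4) -> List[str]:
    """Equivalent of `strings -n min_len`: runs of printable ASCII."""
    pattern = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [m.group().decode("ascii") for m in pattern.finditer(data)]


def compare_blobs(a: bytes, b: bytes, limit: int = 64) -> dict:
    """Byte-level comparison of two blobs.

    'diffs' holds up to `limit` (offset, byte_a, byte_b) tuples over the
    common prefix; 'length_delta' catches a padded or truncated blob that a
    prefix-only comparison would otherwise miss.
    """
    diffs: List[Tuple[int, int, int]] = []
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            diffs.append((off, x, y))
            if len(diffs) >= limit:
                break
    return {"identical": a == b, "length_delta": len(b) - len(a), "diffs": diffs}


def format_diff(a: bytes, b: bytes, limit: int = 16) -> List[str]:
    """xxd-style lines for the first differing offsets, for quick eyeballing."""
    def printable(c: int) -> str:
        return chr(c) if 0x20 <= c < 0x7f else "."
    return [f"{off:08x}: {x:02x} -> {y:02x}  {printable(x)} -> {printable(y)}"
            for off, x, y in compare_blobs(a, b, limit)["diffs"]]


if __name__ == "__main__":
    vendored = {"busybox-x86": VENDORED_BLOB, "busybox-aa64": MODIFIED_BLOB,
                "mystery.bin": b"\x00\x01\x02"}
    for name, status in check_manifest(vendored, MANIFEST).items():
        print(f"{status:9} {name}")
    print("strings:", extract_strings(MODIFIED_BLOB))
    print("\n".join(format_diff(VENDORED_BLOB, MODIFIED_BLOB)))
```

The manifest check is the cheap, high-value step: a blob that reproduces bit-for-bit from the documented source needs no further reversing, and the work concentrates on mismatches and unlisted blobs. For the mismatches, the string dump and the offset list tell you whether the delta is a rebuild with a different toolchain (scattered differences, same strings) or something added (new strings, a contiguous new region), before reaching for ssdeep, diffoscope or a disassembler.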
Perfect! I'll think about getting an ST300 ordered today.
I saw they have the ST400 but for the purposes of a dummy boot drive from ISO; encryption is way overkill. The ST300 lists that it supports exFAT too, so I don't have to resort to NTFS.
And yeah, I read the original thread; ever since I discovered that application I've been leery of it; (just skeezy vibes from the website and project as a whole, but it was the only utility I was able to find which allowed me to boot ISO images without a pocket full of USB sticks).
@cdp1337 @arraybolt3 @vkc I have a 400, and I seem to recall that I had to resort to Windows to create the NTFS file system on the drive; none of the Linux tools seemed to create it just so that the firmware would like it.
Similar with virtual disk images (for USB stick emulation), while qemu-img can make these the firmware doesn't seem to like them, ones made from Windows work.
Apart from this it's a great tool, and I wish I had known about it 10 years ago.
@Lalufu @arraybolt3 @vkc
@eickmeyer
My ST300 just came in today; slapped in a spare 1TB drive and it fired right up in Gnome Disks. Seems to be working just fine, though we'll see how usable it is when something blows up and I have to load up gparted while in a panic. :P
@arraybolt3 pardon my ignorance, but is the paid device you are linking the only alternative to Ventoy's ability to have a USB stick with multiple ISOs on it to boot from?
@enshroudedshrew It's the only "drop-in replacement" I personally know of. With some Linux ISOs you can mimic the functionality somewhat using GRUB, but it's a lot more work than Ventoy and doesn't work universally.
(FWIW I have no connection to IODD, this is just something I remembered the Ubuntu Studio team lead showing me.)
@arraybolt3 @enshroudedshrew there was some years ago at least a way to make an Android phone emulate a USB device when plugged in and mount any ISOs. But it required an unlocked device with root, which is impossible for most people.
@Zekah @arraybolt3 @enshroudedshrew could be. Not sure. Seems to check all the features I was thinking about. I'm mostly sure it was something I saw in F-Droid, but could be wrong.
@vascorsd @arraybolt3 @enshroudedshrew it is in F-Droid I think, it is in mine
@arraybolt3 @vkc FWIW, I raised this concern 4 years ago but nobody noticed…
@arraybolt3 The enclosure doesn't have blobs??
@babble_endanger "The enclosure"?
@arraybolt3 the enclosure (suggested iODD device) pretty much runs closed source software on its microcontroller. @babble_endanger
@txt_file @babble_endanger ah that. Fair enough, though to my awareness the manufacturer of the enclosure hasn't used social engineering tactics against viewers of any particular YouTube channel.
@arraybolt3 @txt_file @babble_endanger
Hey, there is no proof that the dev used social engineering in this video's comments. Until now there are only accusations; however, it's interesting that many comments about Ventoy have been removed - not by Veronica.
But maybe people read these ventoy warnings and deleted their endorsements.
@arraybolt3 @txt_file @babble_endanger
I always found Balena Etcher way sketchier, since it should be way more code & obfuscation and way less functionality. And I am wondering why people like it and endorse it also under this video.
@ejim @txt_file @babble_endanger Not sure where you see them removed? They all ended up at the bottom of the comment list but I counted a full twenty of them earlier this morning.
@arraybolt3 @txt_file @babble_endanger
Okay, Veronica said in the top YT Comment that some were removed.
@arraybolt3 @vkc Let me just audit the firmware on the iodd... wait.
(strong agree re: Ventoy security concerns though)
Whilst I appreciate the fact you linked an alternative...the starting price is at ~100 EUR, which isn't exactly an alternative to a free piece of software
Is there any other software alternative you know of? Maybe someone mentioned something in the thread?
@cyrus The functionality in Ventoy is pretty close to one-of-a-kind. You can kind of mimic it with GRUB though. There's also a tool called Glim (https://github.com/thias/glim) that apparently makes setting up GRUB in this fashion easy. I haven't audited the code and can't vouch for its safety, but it might be worth looking at.
@arraybolt3 I mean...Ventoy is based on GRUB2 soo...
@cyrus Is it though? I believe it has GRUB binary blobs in the source code tree, but from my research it appears to have a lot of additional functionality (such as the ability to boot Windows ISOs, which generally don't take to the GRUB approach so well).
@arraybolt3 it is GRUB2, they have a bunch of custom scripts to extract and boot the required files from Windows ISOs manually
Ventoy uses https://github.com/ValdikSS/Super-UEFIinSecureBoot-Disk to boot unsigned ISOs on Secure Boot devices.
I haven't researched how to make it work with my own key - so I'm careful to delete the key afterwards or to not use the feature at all.
Using a grub2-solution like glim is sufficient for 99% of my use-cases, so I'm switching away from ventoy.
Making wimboot work with glim seems to be possible but experimental... fortunately I don't need it.
I've used many other pieces of software before discovering Ventoy (I only remember the name of Multisystem) but #Ventoy is way better than all of them. I'm really sad to learn of this problem as I use it a lot.
@cyrus @arraybolt3
I have used Rufus. It can create multi-boot ISO drives. It only runs on Windows.
@arraybolt3 @vkc
and some of the exes still look suspicious to VirusTotal
> This is... not anything I've seen users of ANY open-source project do
I see you've never interacted with the Matrix community. Some of the most irritating 'evangelists' in the open source world.
@lutoma lol, I actually use Matrix heavily enough that I'm one of the mods of the entire Ubuntu Community there. Yes, we are pushy, but... not to the point of launching what looks like a staged invasion on someone's YouTube channel to push it :P
@arraybolt3 @vkc Ok on the dubious blobs... but then you link to a paid proprietary product.. smells
@delegatevoid @vkc It was the only alternative I knew of at the time, and it was something an Ubuntu dev had showed me.
@arraybolt3@theres.life @vincib@mamot.fr There is another issue: if you use iVentoy (Ventoy for PXE), it can inject some « thing » into the media; for example, it allows net-booting Windows by creating a fake second drive for the ISO.
While the lack of reply is concerning, the binary blobs are not strictly speaking weird in this context.
GRUB and BusyBox binaries for different architectures are annoying to build, and including them as binaries is a practical choice.
It would be better if they included some description where they are taken from though.
@kouett lol, yes it is, but only because he's the one who actually nearly got killed. I'd say the exact same thing if it were Biden who had been shot and survived.
@arraybolt3
I had the same feeling (without all the analysis to back up my suspicions). Thank you for the SSD enclosure alternative!
@vkc @Siph
@arraybolt3 @vkc
For some blobs, the sources have been found.
The arch AUR pkgbuild maintainer commented:
https://github.com/ventoy/Ventoy/issues/2795#issuecomment-2272249476
"Anyway, my take on the whole situation is that the Ventoy author is an honourable person. Of course, I cannot be 100% certain, but I firmly believe there are no backdoors or anything dodgy going on here. Everyone needs to chill out a bit.
I'd be willing to help @ventoy try and get a proper build system going. I have proved that we don't need to rely on Centos 7 as a build environment."
This is promising. I really hope a good build system helps address this trust issue.
@robin @jak2k @vkc That is a potentially good sign. The appearance of a social engineering attack on Veronica's YT channel doesn't give me much hope though. When it was just binary blobs there was the "mhh... worrying but whatever". When it was the ignored security thread it was "mhh... more worrying but whatever". Now that there's social engineering involved too, I'm thinking "ok this is bad". I doubt the Arch Linux maintainer is aware of that.
I actually am working on getting a security audit done over here - I have two VMs installed, one for building Ventoy and new copies of all of the blobs, and one for comparing and inspecting them. I'll report back what I find.
@arraybolt3 @robin @jak2k @vkc
so far nothing?
@arraybolt3 @vkc It's possible this is an issue, but having read the thread the overwhelming impression I get is of people trying to shove effort onto the developer, and being unwilling to help. There are comments that most of the blobs have now located scripts for building, and a comment within the last day that the GRUB related blobs are from other distributions. I'm not seeing anyone e.g. doing a CRC check on the blob vs other sources, or submitting diffs to fetch the files from another project.
The latest comment takes the biscuit: 'I promise that as soon as this gets satisfyingly fixed and the worries come down, I'm becoming a regular financial contributor. and I'm sure many in the thread will do the same.'
haha. hahahahahahahaha. bonk. They tried that before, it didn't work.
Good point on the CDROM emulator though, I use a Zalman VE300 for that purpose.