iVentoy installing unsafe Windows Kernel drivers

[ppatpat]

iVentoy installing unsafe Windows Kernel drivers

iVentoy https://github.com/ventoy/PXE/releases

iventoy-1.0.20-linux-free.tar.gz, iventoy-1.0.20-win32-free.zip, iventoy-1.0.20-win64-free.zip

All these distribution files contain "\data\iventoy.dat" which is decrypted in RAM by iventoy app into "\data\iventoy.dat.xz".

The following python script helps with an alternative manual decryption for analysis purposes:

## Python decrypt script start #######
# python-3.13.3
#
# tested with iventoy.dat from:  
#  https://github.com/ventoy/PXE/releases
#   iventoy-1.0.20-linux-free.tar.gz
#   iventoy-1.0.20-win32-free.zip 
#   iventoy-1.0.20-win64-free.zip 
#
###########################################################################################
# Script Variables
file_path_in  = '..\\data\\iventoy.dat'	
file_path_out = '..\\data\\iventoy.dat.xz'
###########################################################################################

import sys

#Functions

def read_binary_file_into_buffer(file_path_in):
   with open(file_path_in, 'rb') as file:
      file_content = file.read()
   return bytearray(file_content)

def save_binary_file_into_file(byte_array, file_path_out):
   with open(file_path_out, "wb") as binary_file:
      binary_file.write(byte_array);
   return 


def decrypt_file(iventoy_dat_zx ):
	iventoy_dat_zx_len = len(iventoy_dat_zx);
	print("...")
	v19 = iventoy_dat_zx_len;
	v20 = 0;
	v22 = iventoy_dat_zx_len >> 2;

	if v22:
		while(True):			
			v23 = 4 * v20;
			v20 = v20 + 1;
			v24 = iventoy_dat_zx[v23];
			iventoy_dat_zx[v23] = iventoy_dat_zx[v23+3];
			iventoy_dat_zx[v23+3] = v24;
			v25 = iventoy_dat_zx[v23+1];
			iventoy_dat_zx[v23+1]=iventoy_dat_zx[v23+2];
			iventoy_dat_zx[v23+2]=v25;

			if v20 < v22:
				continue;
			else:
				break;

	v26=0;
	v31=0;
	if v19 >> 1:
		while(True):
			v28=iventoy_dat_zx[v31];
			v31=v31+1;
			v29=v19-v26;
			v26=v26+1;
			v30=v29-1;
			iventoy_dat_zx[v31-1] = iventoy_dat_zx[v30];
			iventoy_dat_zx[v30] = v28;

			if v26 < v19 >> 1:
				continue;
			else:
				break;

	return 


def main(file_path_in,file_path_out):

	print("Script tested with iventoy.dat from:");  
	print("  https://github.com/ventoy/PXE/releases");
	print("   iventoy-1.0.20-linux-free.tar.gz");
	print("   iventoy-1.0.20-win32-free.zip");
	print("   iventoy-1.0.20-win64-free.zip"); 


	iventoy_dat = read_binary_file_into_buffer(file_path_in)
	iventoy_dat_len = len(iventoy_dat)


	iventoy_dat_zx = iventoy_dat[136:];
	decrypt_file(iventoy_dat_zx )

	if iventoy_dat_zx[0]!=0xfd or iventoy_dat_zx[1]!=0x37 or iventoy_dat_zx[2]!=0x7A or iventoy_dat_zx[3]!=0x58 or iventoy_dat_zx[4]!=0x5A:    
		print("Error decrypting", file_path_in);
		sys.exit();

	#save bytearray.
	save_binary_file_into_file(iventoy_dat_zx, file_path_out);

	print("\nFile",file_path_in,"has been decrypted into", file_path_out);
	print("File", file_path_out, "can be opened with 7z\n");
	print("WARNING! File",file_path_out,"from iventoy-1.0.20 contain viruses/trojans!\n");
	print("iventoy.dat.xz\\iventoy.dat\\.\\win\\wintool.tar.xz\\wintool.tar");
	print("  https://www.virustotal.com/gui/file/774f9fc9556a531a6a531dbccd78e9f5a30495ff7a8f07a9cade1bfa47ffcf4e");
	print("iventoy.dat.xz\\iventoy.dat\\.\\win\\wintool.tar.xz\\wintool.tar\\wintool\\64\\httpdisk_sig.sys");
	print("  https://www.virustotal.com/gui/file/d3e3bba7d37c4948470b9ad0c23014e09e68559b56914267612f208988cd518f");
	print("iventoy.dat.xz\\iventoy.dat\\.\\win\\wintool.tar.xz\\wintool.tar\\wintool\\32\\httpdisk_sig.sys\n");	
	print("Other files could also be infected!!");

	return 


main(file_path_in,file_path_out);


## Python decrypt script end #######

Opening the decrypted iventoy.dat.xz with 7z we see that some of the extracted files showed numerous positives in Virustotal.com and Windows Defender
i.e.

iventoy.dat.xz\iventoy.dat.\win\wintool.tar.xz

https://www.virustotal.com/gui/file/774f9fc9556a531a6a531dbccd78e9f5a30495ff7a8f07a9cade1bfa47ffcf4e

iventoy.dat.xz\iventoy.dat.\win\wintool.tar.xz\wintool.tar\wintool\64\httpdisk_sig.sys

https://www.virustotal.com/gui/file/d3e3bba7d37c4948470b9ad0c23014e09e68559b56914267612f208988cd518f

iventoy.dat.xz\iventoy.dat.\win\wintool.tar.xz\wintool.tar\wintool\32\httpdisk_sig.sys

iventoy.dat.xz\iventoy.dat.\win\vtoypxe64.exe

https://www.virustotal.com/gui/file/d87eacce4c1f905635767f617af9c0a461dc184edf89e72a1ed658532d822d0c

iventoy.dat.xz\iventoy.dat.\win\vtoypxe32.exe

etc.

Analyzing "iventoy.dat.xz\iventoy.dat.\win\vtoypxe64.exe" we see it includes a self signed certificate named "EV" certificate "JemmyLoveJenny EV Root CA0" at offset=0x0002C840 length=0x70E.

vtoypxe64.exe programmatically installs this certificate in the registry as a "trusted root certificate"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\E403A1DFC8F377E0F4AA43A83EE9EA079A1F55F2]
exactly as explained by "Jemmy1228" (the author of the fake root certificates) here:
https://security.stackexchange.com/questions/84765/how-to-generate-self-signed-ev-ssl-certificate

Next vtoypxe64.exe tries to load the following ring 0 kernel drivers in sequence:

"\ventoy\httpdisk.sys", "\ventoy\httpdisk_sig.sys", "\ventoy\httpdisk_nosig.sys"

httpdisk_sig.sys is signed by the previously trusted bogus certificate, this driver shows 31 hits in Virustotal (link shown above)

The bogus certificate used to be available on line at:
https://web.archive.org/web/20230810094532/https://pki.jemmylovejenny.tk/

The whole trick bypassing Microsoft effort preventing the install of compromised kernel drivers is mentioned here:
https://www.bleepingcomputer.com/news/security/hackers-exploit-windows-policy-to-load-malicious-kernel-drivers/

Iventoy is a PXE tool used to install Windows but it looks like it is also not only installing dubious ring 0 kernel disk drivers but also installing as "trusted root certificate" a bogus self signed EV certificate opening the door for a plethora of new attacks using the same EV certificate trick.

It seems this security hole is still open.

At this point I'm surprised Github is hosting this app and apparently even the projects that give support to the creation of false certificates like:

https://github.com/Jemmy1228/HookSigntool

https://github.com/hzqst/FuckCertVerifyTimeValidity

What am I missing here?

[JMarcosHP]

With this info, can we start reporting this project as malicious?

[mon5termatt]

The bogus certificate used to be available on line at:
https://web.archive.org/web/20230810094532/https://pki.jemmylovejenny.tk/

Oh look a .tk domain... what a surprise...

[blryface]

this sounds like something fun to get notifications about, hi people

[ohaiibuzzle]

I think we need to clarify this before the sensational journalists see this thread and start writing "Popular tool injects rootkit into Windows" (because it is under the Ventoy repos), that this is isolated to the PXE server iVentoy, not Ventoy as a whole

The typical use case of Ventoy that most users uses (making multi boot flash drives) wouldn't make use of it.

That being said, this behavior is kinda over the top, I wonder why it is needed at all.

[dwn64]

I think we need to clarify this before the sensational journalists see this thread and start writing "Popular tool injects rootkit into Windows" (because it is under the Ventoy repos), that this is isolated to the PXE server iVentoy, not Ventoy as a whole

The typical use case of Ventoy that most users uses (making multi boot flash drives) wouldn't make use of it.

That being said, this behavior is kinda over the top, I wonder why it is needed at all.

Ventoy proper has similar concerns though, it utilizes opaque binary blobs that could very well be doing the same thing as iVentoy.

See: ventoy/Ventoy#2795

[0x8008]

chinese bloatware operating on a quirk of GRUB has spyware in it\

shocking

[eepycats]

httpdisk.sys
source: https://www.accum.se/~bosse/httpdisk/httpdisk-10.2.zip | httpdisk-10.2\sys\Release\x64\httpdisk.sys

httpdisk_nosig.sys
source: https://www.accum.se/~bosse/httpdisk/httpdisk-10.1.zip | httpdisk-10.1\sys\obj\chk\amd64\httpdisk.sys

httpdisk_sig.sys
literally httpdisk.sys (httpdisk-10.2\sys\Release\x64\httpdisk.sys) but with a different certificate (quick sha256 over all pe sections shows all of them match except for the cert ofc)

both archives also have the src and the driver itself is licensed under gpl2 lol

[ventoy]

Firstly, we shoud know that:
iVentoy and Ventoy are two completely different softwares and have no shared files.

Name	Official Website	Open Source	Edition	Use Case
Ventoy	https://www.ventoy.net	100% open source	Open source edition	Install OS through USB/HDisk
iVentoy	https://www.iventoy.com	part open source part closed source	Free-Edition Pro-Edition	Install OS through network(PXE)

This repo just contains the small open source part of iVentoy to comply with the open-source license.

iVentoy will stay closed-source.

Yes. As @eepycats said, httpdisk.sys is an open source driver, it is not unsafe.
Actually, when iVentoy boot Windows through PXE, it will boot the WinPE with test mode, so there is no need for the driver file to be signed. So httpdisk_sig.sys is actually not needed and can be removed later.

And also, the httpdisk driver will be installed only in the temporary WinPE environment (running in the RAM), not the final Windows system, so it will not affect the final installed Windows system on the harddisk.

PXE must depend on the network, so httpdisk driver is used to get the Windows install data from the server to the client by http.
And again, it will not be installed to the final Windows system.

[JMarcosHP]

Bro @ventoy can you fix iventoy's screen resolution bug on UEFI systems?

[escape0707]

Hi, @ventoy Thanks for the speedy reply. May I also ask if there are any plans to react to the Blob issue in the Ventoy repo? People there would like to get some feedback rather than guessing around forever.

[0x8008]

Hi, @ventoy Thanks for the speedy reply. May I also ask if there are any plans to react to the Blob issue in the Ventoy repo? People there would like to get some feedback rather than guessing around forever.

What reply? It's a nothingburger telling you there's no issues and that you really should move along ignoring the other claims made in the OP

[escape0707]

@0x8008 please stop spamming in both issues with your rants. And do not reply on behalf of others as if you are smarter. Thanks.

[ventoy]

OK. Let me explain about this.

iVentoy is a tool to install Windows/Linux through PXE. As we know, PXE is based on network, so we need a driver to mount the ISO file in the server side as a local drive (e.g. Y: Z:) though network. So I choose httpdisk.
httpdisk is an open source project https://www.accum.se/~bosse/httpdisk/httpdisk-10.2.zip

httpdisk driver will only be installed in the WinPE step, that means it only exist in the RAM and will not be installed to the final Widows system in the harddisk.

But in windows, by default a driver file must be signed to install.
So I find a signed version of httpdisk driver file in the internet and try to use it. But this signed version has already been rejected by latest Windows,
so finally I use another way, to boot the WinPE in test mode (again, only the WinPE environment).
When WinPE is booted in test mode, a driver file no need to be signed to install.

So finally, actually we don't need the signed version of httpdisk driver file and don't need to load the CA anymore.
Only that the code is not deleted.

So I will release a new version later that remove the signed httpdisk driver file and will not load the CA.