iVentoy tool injects malicious certificate and driver during Win install

14 points | josephernest | 8 comments | 5/6/2025, 9:26:35 PM | github.com

Comments (8)

josephernest · 20h ago
(I am not the person who found it, but I reproduced it and confirm his finding.)

Another source:

https://security.stackexchange.com/questions/281238/iventoy-...

josephernest · 19h ago
Up to now, I confirm I can reproduce the following steps:

- download of official "iventoy-1.0.20-win64-free.zip"

- extraction of "iventoy.dat"

- conversion back to "iventoy.dat.xz" thanks to @ppatpat's Python code

- confirm that "wintool.tar.xz" is recognized by VirusTotal as something that injects fake root certificates

The next steps are scary, given the popularity of Ventoy/iVentoy:

> Analyzing "iventoy.dat.xz\iventoy.dat.\win\vtoypxe64.exe" we see it includes a self-signed certificate named "EV" certificate "JemmyLoveJenny EV Root CA0" at offset=0x0002C840 length=0x70E.
>
> vtoypxe64.exe programmatically installs this certificate in the registry as a "trusted root certificate"
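The two manual steps in the quote above (carve the blob at the reported offset/length, then see what it is) as an added example. This is not iVentoy code and not the reporter's script; it is a stand-alone Python carver that also scans a whole file for the DER prefix of an X.509 v3 certificate, so a reported offset can be cross-checked rather than trusted. The SHA-1 of the DER is what Windows uses as the subkey name under `SOFTWARE\Microsoft\SystemCertificates\Root\Certificates`. The sample binary built by `build_sample()` is constructed (a zero-filled buffer with a certificate-shaped blob at the offset and length quoted in the thread), not vtoypxe64.exe; `fake_cert`, `build_sample` and `registry_key` are my names.

```python
"""Carve embedded X.509 certificates out of a binary and report their thumbprints.

Added example, not iVentoy's code. The sample produced by build_sample() is
constructed: it is NOT vtoypxe64.exe, only a zero-filled buffer with a
certificate-shaped blob placed at the offset/length quoted in the thread.
"""
import hashlib
import re
import struct

CERT_OFFSET = 0x0002C840  # offset/length reported in the thread for vtoypxe64.exe
CERT_LENGTH = 0x70E

# 30 82 LLLL  30 82 LLLL  a0 03 02 01 02
# outer SEQ   tbsCert SEQ  [0] EXPLICIT version INTEGER 2 (v3)
CERT_PREFIX = re.compile(rb"\x30\x82(..)\x30\x82(..)\xa0\x03\x02\x01\x02", re.DOTALL)


def find_certificates(data: bytes):
    """Return [(offset, total_length)] for each plausible DER certificate in data."""
    hits = []
    for m in CERT_PREFIX.finditer(data):
        outer_len = struct.unpack(">H", m.group(1))[0]
        inner_len = struct.unpack(">H", m.group(2))[0]
        total = 4 + outer_len  # tag byte + 0x82 + two length bytes + content
        if inner_len + 4 >= outer_len:
            continue  # tbsCertificate cannot fill the whole outer SEQUENCE
        if m.start() + total > len(data):
            continue  # declared length runs past end of file: truncated, skip
        hits.append((m.start(), total))
    return hits


def carve(data: bytes, offset: int, length: int) -> bytes:
    """Cut the DER blob at a known location, checking the DER header agrees."""
    blob = data[offset:offset + length]
    if len(blob) != length or blob[:2] != b"\x30\x82":
        raise ValueError("no long-form DER SEQUENCE at that offset")
    declared = 4 + struct.unpack(">H", blob[2:4])[0]
    if declared != length:
        raise ValueError(f"DER header says {declared} bytes, caller said {length}")
    return blob


def thumbprint(der: bytes) -> str:
    """SHA-1 of the DER, upper-case hex: the name Windows gives the registry subkey."""
    return hashlib.sha1(der).hexdigest().upper()


def registry_key(der: bytes) -> str:
    """Where a machine-wide root install of this cert would show up (HKLM; HKCU is the per-user twin)."""
    return (r"HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates" + "\\"
            + thumbprint(der))


def fake_cert(total_length: int) -> bytes:
    """Constructed stand-in: a valid X.509 v3 DER *prefix*, zero-padded body."""
    outer_len = total_length - 4
    inner_len = outer_len - 0x40  # leave room for signatureAlgorithm + signatureValue
    head = (b"\x30\x82" + struct.pack(">H", outer_len)
            + b"\x30\x82" + struct.pack(">H", inner_len)
            + b"\xa0\x03\x02\x01\x02")
    return head + b"\x00" * (total_length - len(head))


def build_sample() -> bytes:
    """Zero-filled buffer with the fake cert at the reported offset plus a truncated decoy."""
    buf = bytearray(CERT_OFFSET + CERT_LENGTH + 64)
    buf[:2] = b"MZ"
    buf[CERT_OFFSET:CERT_OFFSET + CERT_LENGTH] = fake_cert(CERT_LENGTH)
    buf[-0x20:] = fake_cert(0x200)[:0x20]  # header claims 0x200 bytes, only 0x20 remain
    return bytes(buf)


if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_sample()
    for off, length in find_certificates(data):
        der = carve(data, off, length)
        print(f"offset=0x{off:08X} length=0x{length:X} sha1={thumbprint(der)}")
        print(f"  check: {registry_key(der)}")
```

Run it against the real vtoypxe64.exe (`python carve.py vtoypxe64.exe`) to get the actual thumbprint; the thread does not give that value, so it is not reproduced here. The scan deliberately ignores headers whose declared length overruns the file, which is the usual false positive when pattern-matching `30 82` in packed or partially overwritten data.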

Maxious · 17h ago
josephernest · 17h ago
Playing devil's advocate, could it be that they require temporary access to a customized Windows driver (and thus they fake a trusted root certificate) to make Ventoy work? If that's the case, they should have documented it properly in the source...

Or do you think it's 100% malicious?

ziml77 · 13h ago
This year-old issue regarding blobs in the repo, with a ton of replies, has not gotten responses from the author: https://github.com/ventoy/Ventoy/issues/2795

Doesn't mean for sure it's malicious, but them not even explaining why there are blobs like this is very suspicious.

Maxious · 9h ago
I think regardless of intent, it is a security vulnerability to install these ring 0 loopholes. Microsoft is cracking down on RGB lighting and anticheat software drivers similarly.

sn0n · 14h ago
So... If I use ventoy should I worry?

*Starts looking for alternatives just cuz*

out-of-ideas · 10h ago
Isn't iVentoy different from Ventoy?

Also check if your system has the reg key listed in the issue.

there's always https://www.supergrubdisk.org/super-grub2-disk/

And finally, if you are really concerned and don't want to reinstall, you can always export the registry key of the root certs on a Ventoy-installed system and compare it against a system not loaded with Ventoy.

Edit: you can also use systemd to boot ISOs (among many other things).
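The "export the root-cert registry key on both machines and compare" check from the comment above, as an added example. It is my code, not the commenter's and not Ventoy/iVentoy's. The assumed workflow (the reg.exe paths are the real store locations, the file names are mine): on the suspect machine and on a clean one run, from an elevated prompt, `reg export HKLM\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates roots_hklm.reg` (and the same for `HKCU`), then feed the two exports to this script. Each subkey under `Root\Certificates` is named by the certificate's SHA-1 thumbprint and its `Blob` value is a serialized list of CryptoAPI properties, of which property 0x20 (`CERT_CERT_PROP_ID`) is the DER certificate; so besides diffing key names the script recomputes the thumbprint from the stored DER and flags entries whose key name does not match it. The `.reg` text used in the self-test is constructed by `make_reg_entry()`, not a real export; the function names are mine.

```python
"""Diff two `reg export` dumps of the Windows Root certificate store.

Added example; not from the thread and not Ventoy/iVentoy code. The .reg text
built by make_reg_entry() is a constructed test fixture, not a real export.
"""
import hashlib
import re
import struct

CERT_SHA1_HASH_PROP_ID = 0x03
CERT_CERT_PROP_ID = 0x20
ROOT_KEY_RE = re.compile(
    r"^\[(HKEY_LOCAL_MACHINE|HKEY_CURRENT_USER)\\SOFTWARE\\(?:Policies\\)?Microsoft\\"
    r"SystemCertificates\\Root\\Certificates\\([0-9A-Fa-f]{40})\]\s*$"
)


def sha1hex(der: bytes) -> str:
    return hashlib.sha1(der).hexdigest().upper()


def load_reg(path: str) -> str:
    # reg.exe writes UTF-16 LE with a BOM; the "utf-16" codec consumes the BOM
    with open(path, "rb") as f:
        return f.read().decode("utf-16")


def der_from_blob(blob: bytes):
    """Walk the property list (DWORD id, DWORD 1, DWORD size, bytes) and return the DER cert."""
    pos = 0
    while pos + 12 <= len(blob):
        prop_id, _reserved, size = struct.unpack_from("<III", blob, pos)
        pos += 12
        data = blob[pos:pos + size]
        if len(data) != size:
            return None  # truncated blob: do not trust it
        if prop_id == CERT_CERT_PROP_ID:
            return bytes(data)
        pos += size
    return None


def parse_root_store(reg_text: str) -> dict:
    """Map key name (thumbprint) -> {'hive', 'der', 'computed'} for every Root entry."""
    entries, current, blob_hex = {}, None, None

    def flush():
        if current is None:
            return
        der = None
        if blob_hex is not None:
            der = der_from_blob(bytes.fromhex(re.sub(r"[\s\\,]", "", blob_hex)))
        entries[current[1]] = {"hive": current[0], "der": der,
                               "computed": sha1hex(der) if der else None}

    for line in reg_text.splitlines():
        m = ROOT_KEY_RE.match(line)
        if m:
            flush()
            current, blob_hex = (m.group(1), m.group(2).upper()), None
        elif line.startswith("["):
            flush()  # a key outside Root\Certificates: stop collecting
            current, blob_hex = None, None
        elif current is None:
            continue
        elif line.startswith('"Blob"=hex:'):
            blob_hex = line[len('"Blob"=hex:'):]
        elif blob_hex is not None and line.startswith("  "):
            blob_hex += line  # reg.exe wraps long hex values onto indented lines
    flush()
    return entries


def compare(baseline: dict, suspect: dict):
    """(thumbprints only on the suspect box, entries whose key name != SHA-1 of the stored DER)."""
    added = sorted(set(suspect) - set(baseline))
    mismatched = sorted(tp for tp, e in suspect.items()
                        if e["computed"] and e["computed"] != tp)
    return added, mismatched


def make_reg_entry(hive: str, der: bytes, key_name: str = None) -> str:
    """Constructed fixture: one Root\\Certificates entry in reg.exe syntax."""
    tp = key_name or sha1hex(der)
    blob = (struct.pack("<III", CERT_SHA1_HASH_PROP_ID, 1, 20) + hashlib.sha1(der).digest()
            + struct.pack("<III", CERT_CERT_PROP_ID, 1, len(der)) + der)
    tokens = [f"{b:02x}" for b in blob]
    rows = [",".join(tokens[i:i + 25]) for i in range(0, len(tokens), 25)]
    return (f"[{hive}\\SOFTWARE\\Microsoft\\SystemCertificates\\Root\\Certificates\\{tp}]\n"
            + '"Blob"=hex:' + ",\\\n  ".join(rows) + "\n")


if __name__ == "__main__":
    import sys
    base = parse_root_store(load_reg(sys.argv[1]))    # clean machine
    susp = parse_root_store(load_reg(sys.argv[2]))    # machine that ran the installer
    added, mismatched = compare(base, susp)
    for tp in added:
        print(f"only on suspect: {susp[tp]['hive']} {tp}")
    for tp in mismatched:
        print(f"key name != SHA-1 of stored cert: {tp} (actual {susp[tp]['computed']})")
```

Usage: `python rootdiff.py clean_roots.reg suspect_roots.reg`. Export and compare HKCU as well as HKLM, since a per-user root install is just as effective for the user who ran the installer and is easy to miss when only the machine store is examined; the thread does not say which hive vtoypxe64.exe writes to, so check both.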