
Beware: oscdimg.exe in this repo is not the original from Microsoft

Open dividebysandwich opened this issue 1 year ago • 12 comments

oscdimg.exe in this repo is likely modified.

Original file from Microsoft ADK: 134.98 KB This file: 140.28 KB

The original file from Microsoft has a valid cert chain all the way up to the root CA which is trusted. This file has a valid cert chain up to the root CA, which is a different one and untrusted.

I don't think I have to explain the risk involved in running a file like that.

dividebysandwich avatar Apr 16 '23 13:04 dividebysandwich

https://www.virustotal.com/gui/file/5048a219b9dea36c489020889200456ce2d394b91a737a09753d9bfdb7461a87/detection

s3rj1k avatar Apr 16 '23 14:04 s3rj1k

VirusTotal does not say everything.

TBit-services avatar Apr 16 '23 14:04 TBit-services

oscdimg.exe in this repo is likely modified.

Original file from Microsoft ADK: 134.98 KB This file: 140.28 KB

The original file from Microsoft has a valid cert chain all the way up to the root CA which is trusted. This file has a valid cert chain up to the root CA, which is a different one and untrusted.

I don't think I have to explain the risk involved in running a file like that.

While I encourage everyone to download the binary directly from Microsoft https://github.com/ntdevlabs/tiny11builder/pull/43#issuecomment-1501074660, I can confirm that the current binary in this project is untouched and was once distributed by Microsoft in Windows ADK. I checked the checksum using secure hashing algorithms when this project was initially released, due to the file signature not being valid. Microsoft have recently updated the binary distributed with Windows ADK and the signature is now valid, and the file has obviously changed along with that. The binary is outdated, not malicious.

But once again, I do very much discourage downloading binaries from unofficial sources.

PolicyPuma4 avatar Apr 16 '23 14:04 PolicyPuma4

@PolicyPuma4 Do you maybe have a link to that outdated ADK? Just curious.

s3rj1k avatar Apr 16 '23 14:04 s3rj1k

@PolicyPuma4 I second the call for that ADK. Also, the signature is valid, it's just not signed by a trusted CA, which is weird considering we're talking about MS. Getting our hands on that outdated ADK would help a lot.

dividebysandwich avatar Apr 16 '23 17:04 dividebysandwich

@PolicyPuma4 Do you maybe have a link to that outdated ADK? Just curious.

@PolicyPuma4 I second the call for that ADK. Also, the signature is valid, it's just not signed by a trusted CA, which is weird considering we're talking about MS. Getting our hands on that outdated ADK would help a lot.

I don't believe Microsoft publish older revisions of Windows ADK. I can't seem to find a way to download the revision that would have been in place just over two months ago.

I too was sceptical about the certificate, which is why I manually checked it myself; this was a couple of weeks ago. I am confident that the binary is the same one Microsoft distributed because of this. Obviously my word doesn't make it so, which is why I advise against downloading binaries from unofficial sources.

I very much understand your concern, however the main issue is the binary is outdated, seconded to it being distributed at all.

PolicyPuma4 avatar Apr 16 '23 18:04 PolicyPuma4

For completeness' sake, I have found the older version of the Windows ADK for Windows 11 version 21H2: https://go.microsoft.com/fwlink/?linkid=2165884 The contained oscdimg.exe is dated 5th of June 2021 and contains a valid signature with a trusted CA. It also does not match the file in this repository.

How did you check this a couple of weeks ago when even on archive.org there's no mention of any change in the meantime? The download link remained unchanged all this time. Do you have a copy of the installer perhaps?

I agree that this file should never have been distributed on GitHub. My main issue from a security standpoint is to try and find out where this file comes from and what it contains. I would very much like to know what it is and where it came from.

EDIT: To clarify, Microsoft has released two versions, 21H2 and 22H2. Both have valid signatures. 22H2 was released 24th of May 2022, so almost a year ago. Archive.org shows no change since that release. Before then, 21H2 was released, but that was not recorded by archive.org.

dividebysandwich avatar Apr 16 '23 19:04 dividebysandwich

Hi! The oscdimg.exe from this repo was taken from the MSMG toolkit v13.2, since it was the one that I used and that I had at hand. If you check the SHA256 hashes for that one and the one from here, it should be the same: 5048A219B9DEA36C489020889200456CE2D394B91A737A09753D9BFDB7461A87 Judging from the copyright of the file, which says 1983-2012, it might be from an ADK from Windows 8 era. Obviously, one can use their own executable, or none at all if they don't need an ISO. Hope this clarifies any issues.

ntdevlabs avatar Apr 16 '23 20:04 ntdevlabs
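Added example, not from the thread or the tiny11builder project: a PowerShell script that reproduces the checks the commenters above did by hand on a local oscdimg.exe (size, SHA256 against the hash ntdevlabs quoted, Authenticode status, the root of the signing chain, and the embedded copyright string). The file path is an assumption; only built-in cmdlets and .NET types are used.

```powershell
# Verify a local oscdimg.exe before trusting it (added example, not project code).
param(
    [string]$Path = ".\oscdimg.exe",   # assumed location of the binary under test
    # SHA256 of the repo's file as quoted by ntdevlabs in this thread
    [string]$ExpectedSha256 = "5048A219B9DEA36C489020889200456CE2D394B91A737A09753D9BFDB7461A87"
)

$file = Get-Item -LiteralPath $Path
# Size and copyright were the first two clues raised in the thread.
"{0}: {1:N2} KB, copyright '{2}'" -f $file.Name, ($file.Length / 1KB), $file.VersionInfo.LegalCopyright

# 1. Content check: is this byte-for-byte the file discussed above?
$hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
if ($hash -eq $ExpectedSha256) { "SHA256 matches the hash quoted in the thread" }
else { "SHA256 differs from the thread's hash: $hash" }

# 2. Signature check. Status is 'Valid' only when the signature verifies AND the
#    chain ends in a root Windows trusts; anything else means the signature
#    should not be relied on, and StatusMessage names the reason.
$sig = Get-AuthenticodeSignature -LiteralPath $Path
"Authenticode status: $($sig.Status) ($($sig.StatusMessage))"

if ($sig.SignerCertificate) {
    "Signer: $($sig.SignerCertificate.Subject)"

    # 3. Walk the chain ourselves so the root CA is named explicitly. This is
    #    how a "valid chain, but to an untrusted root" situation becomes visible.
    $chain = [System.Security.Cryptography.X509Certificates.X509Chain]::new()
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline; revocation is a separate question
    $null = $chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    "Chain root: $($root.Subject)"
    "Root thumbprint: $($root.Thumbprint)"
    foreach ($s in $chain.ChainStatus) {
        # e.g. UntrustedRoot when the chain builds but the root is not in the trusted store
        "Chain status: $($s.Status) - $($s.StatusInformation.Trim())"
    }
}
```

Compare the root thumbprint against the one reported for a copy taken directly from Microsoft's ADK; a different root, even with a chain that builds, is the discrepancy the issue reporter describes.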

Hi @ntdevlabs, I can confirm that MSMG toolkit v13.2 contains an identical oscdimg.exe. This is not an official download, so I'm not entirely put at ease. Also note that the licensing terms specify that only the contents of "samples" may be redistributed, so uploading the executable on GitHub is very much breaking the terms of the license anyway.

dividebysandwich avatar Apr 16 '23 21:04 dividebysandwich

ima just grab official adk

ZGStuff avatar Apr 21 '23 03:04 ZGStuff

I have replaced the oscdimg with the one from the latest Windows ADK.

ntdevlabs avatar Apr 24 '23 14:04 ntdevlabs

Cheers, would you mind closing this PR, or converting it to a discussion and closing it, for housekeeping?

There are many PRs open; not sure if they are addressed or not, but this one seems to be.

Karl-WE avatar May 30 '23 07:05 Karl-WE