ElliotKillick / Mido

The Secure Microsoft Windows Downloader
https://elliotonsecurity.com
MIT License

SHA256SUMs for consumer editions of Windows can be gathered directly from the page of the ISO download link #10

Closed lj3954 closed 11 months ago

lj3954 commented 11 months ago

Hello. I was working on options for downloading different Windows ISOs in quickemu (which uses code from this project), and while trying to find where Microsoft publishes hashes, I discovered that they were located on the same page as the download link. Here's the code I used in order to gather the correct hash from the page (this must be run before reducing iso_download_link_html to the first 4096 characters).

```bash
# Run before iso_download_link_html is truncated to its first 4096 characters.
# Requires GNU sed (\n in the replacement) and GNU grep (-P for the lookarounds).
HASH=$(echo "$iso_download_link_html" \
    | sed 's/<tr><td>/\n<tr><td>/g' \
    | grep "$LANGUAGE 64-bit" \
    | grep -o -P '(?<=</td><td>).*(?=</td></tr>)')
```

This should work for Windows 8, 10, and 11 consumer ISOs. From a quick check, the Windows Server pages do not appear to have checksums published, and the Enterprise editions appear to only have them in a PDF format.

ElliotKillick commented 11 months ago

Happy New Year! This would be a nice feature to have for automatically ensuring data integrity. However, since we're relying on Microsoft's checksum it can't be used for any security benefit. The idea being that if MS servers deliver a maliciously modified ISO to one client, then Mido would be able to detect it based on the local checksum not matching.

It's too bad MS doesn't sign their ISOs using GPG or Authenticode, as that would help to alleviate the problem greatly. MS could technically still sign a bad ISO but it would create a lot more risk for them because then someone would be able to mathematically prove the event occurred.

Mido is the secure Windows downloader so we aim for zero trust of all parties including Microsoft as much as we can.

I think we could implement some feature where we have two types of hashes: local and remote. The local hash is the one we already have for alleviating the security concern above and the remote hash we just use for data verification (this will only be for consumer ISOs). Then we could add an option to hard fail on local hash mismatch for consumer ISOs (this is up to the person's own threat model of how they would be using Windows, e.g. if it's air gapped or not).
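The following is an added illustration of the local/remote hash scheme described in this comment, combined with the row-extraction idea from the comment above. It is not Mido's or quickemu's code: the HTML snippet and hash values are constructed for the demo (the first hash is simply SHA-256 of an empty file, which stands in for the ISO), and `page_sha256`, `verify_iso` and the strict flag are hypothetical names. It uses POSIX sed instead of GNU `\n` replacements and `grep -P`, splits the table so one row is matched at a time, and lower-cases the scraped hash so it compares cleanly with `sha256sum` output.

```shell
#!/bin/sh
# Added example, not Mido's or quickemu's code. Names are hypothetical.
# (1) page_sha256: pull a per-language SHA256 out of the checksum table on the
#     ISO download page.
# (2) verify_iso: check a file against a pinned "local" hash and the page's
#     "remote" hash, with an optional hard fail on a local mismatch.

# Constructed stand-in for the checksum table rows in $iso_download_link_html.
# These are not real ISO hashes; the first is SHA-256 of an empty file.
SAMPLE_HTML='<table><tr><td>English 64-bit</td><td>E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855</td></tr><tr><td>English International 64-bit</td><td>2CF24DBA5FB0A30E26E83B2AC5B9E29E1B161E5C1FA7425E73043362938B9824</td></tr></table>'

# SHA-256 of a file as lowercase hex (coreutils, with the macOS fallback).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# page_sha256 HTML LABEL: print the lowercase hash from the row whose first
# cell is exactly LABEL (e.g. "English 64-bit"); print nothing if absent.
# Each <tr> is moved to its own line first so grep cannot span two rows.
page_sha256() {
    printf '%s\n' "$1" \
        | sed 's/<tr>/\
<tr>/g' \
        | grep -F "<td>$2</td>" \
        | sed -n 's/.*<td>\([0-9A-Fa-f]\{64\}\)<\/td>.*/\1/p' \
        | head -n 1 \
        | tr 'A-Z' 'a-z'
}

# verify_iso FILE LOCAL_HASH REMOTE_HASH STRICT
#   LOCAL_HASH  hash pinned in the downloader (empty if none is known)
#   REMOTE_HASH hash scraped from the download page (empty if none found)
#   STRICT      "yes" to hard-fail on a local mismatch, anything else to warn
# Exit status: 0 accepted; 1 remote mismatch (corrupt or altered download);
# 2 local mismatch under STRICT=yes.
verify_iso() {
    file=$1 local_hash=$2 remote_hash=$3 strict=$4
    actual=$(sha256_of "$file")
    # The page hash only says the bytes match what the server hands out today:
    # an integrity check against corruption, not a trust anchor.
    if [ -n "$remote_hash" ] && [ "$actual" != "$remote_hash" ]; then
        echo "remote SHA256 mismatch: download corrupt or altered in transit" >&2
        return 1
    fi
    # The pinned hash is what would catch an ISO substituted for one client,
    # so this is the security-relevant event; whether to stop is policy.
    if [ -n "$local_hash" ] && [ "$actual" != "$local_hash" ]; then
        echo "local SHA256 mismatch: ISO differs from the pinned release" >&2
        if [ "$strict" = yes ]; then
            return 2
        fi
    fi
    return 0
}

demo() {
    iso=$(mktemp)   # empty file plays the downloaded ISO
    remote=$(page_sha256 "$SAMPLE_HTML" "English 64-bit")
    pinned=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
    wrong=2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824
    verify_iso "$iso" "$pinned" "$remote" yes && echo "OK: local and remote hashes match"
    verify_iso "$iso" "$wrong" "$remote" no && echo "accepted with a warning (non-strict)"
    verify_iso "$iso" "$wrong" "$remote" yes || echo "rejected in strict mode, status $?"
    rm -f "$iso"
}
demo
```

A remote mismatch is always fatal because it means the bytes on disk are not even what the server claims to serve; a local mismatch is reported either way, and the strict flag is the knob the comment describes for users whose threat model does not accept a silently changed ISO.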

lj3954 commented 11 months ago

I closed this due to the page only providing Windows 11 hashes, no matter the product or skuid. I wasn't paying close enough attention while testing.

ElliotKillick commented 11 months ago

Hm, okay thanks for letting me know. If that changes then we can reopen.