Gravitational Lensing Red Star OS: Snoops Harder Than Rimmer

by LambdaCalculus

When we look at the Linux kernel and everything the project stands for, we get an immediate feeling about the kernel and the operating systems built around it: it does what we expect it to, is free and open to study and tinker with, and gives us full control of our computers, mobile devices, IoT devices... you get the picture.

Freedom, no snooping, no proprietary code... the Linux way, right?

Well, not in this case.  There's a Linux distribution that doesn't offer freedom, loves to snoop on its users in multiple ways, and has no real source code available.  It was developed in one of the most oppressive, isolated countries in the world, a country that has been under the command of a dynasty that's still in charge today.  No, it isn't the United States... it's North Korea.  And the operating system is their own homegrown Linux distribution: Red Star OS.

Modern computing in North Korea has been gearing towards this Linux mindset for some time.  Originally, Red Hat Linux was the distribution of choice for use on computers in the country, before switching to Windows with North Korean language packs installed.  In 1998, the Korean Computer Center (KCC) began experimenting with developing their own Linux distribution, naturally using Red Hat as a basis.

The first version, 1.0, was released in 2008, containing a few utilities and programs, mostly reskins or renames of various F/OSS projects, as well as Wine to facilitate running Windows programs.

Version 2.0 followed in 2009, and the most well known version, 3.0, in 2013, with its infamous macOS-like skin on KDE3, complete with dock and even application behavior and packaging being wholesale lifted from macOS (in which a folder containing all the program resources is given a special executable flag that launches the binary inside it).

Version 4.0 was released around 2019-2020, but as of this writing, a copy has yet to be leaked to the greater Internet; the previous versions are obtainable on the Internet Archive.

Now, I wish I could tell a cool tale about how Red Star OS 3.0 got spread around widely online, where someone smuggled a copy out of Pyongyang and risked their lives to get onboard a waiting plane at the airport, North Korean guards on their heels, and it would make a great story to tell at DEFCON or something.  Truth is, though, that a tourist simply purchased a copy at a bookstore in Pyongyang and took it home.  But the first time someone really took a look under the hood was at a talk at 32C3 in 2015, where details about its inner workings and security were laid bare.

There have been some other videos here and there about Red Star OS, but none truly hit the technical details that CCC did.  Inspired by their work and my own hobby of exploring OS inner workings, I did my own talk for JawnCon 0x1 in 2024 where I also detailed Red Star OS 3.0 and dove into it.

Red Star OS 3.0 was not based on Red Hat as its previous releases were, but instead on Fedora 11 and 12.  In fact, most dependency-free packages from Fedora 11 and 12 will install on Red Star without issues.

Installing it is not super different from other Linux distros of the era; the installer (a modified version of Anaconda) is also dressed up to act as much like the standard (of the era) macOS installer as is allowable.  The install process is roughly the same.  Even though GRUB isn't shown in the installer, it is there, and hitting Escape quickly before the installer starts will halt the process and allow you to switch the installer language to English (type linux lang=en and hit Enter, even though a prompt will not be seen).

The installed system, however, doesn't respect this language flag, which means a little command line magic will be needed post-install to switch the language of the GUI to something that isn't Korean.

When the install is done and you get to the GUI, there's an Applications icon on the right-side of the Dock, next to the trash.  Open it, look for a blank folder, open that, look for a folder with a hammer and wrench on it, open that, and then open the terminal.

Type rootsetting, hit Enter, and a small window will open to let you set a root password.

Click the padlock, enter your user password, then click the blue button.  Then click the checkbox, enter a root password and confirm, and click the blue button.

Now go back to the terminal, type su, and enter the following:

# sed -i 's/ko_KP/en_US/g' /etc/sysconfig/i18n /usr/share/config/kdeglobals

Reboot your system and it'll now be in English.

Now then, we're not here to talk about how pretty the GUI is or any of that.  If you know your way around the macOS Finder, you should be good here.  We're here to see what's under the hood and what vulnerabilities there are to poke holes at!  That's why you're reading this article, right?

By default, the network setup in Red Star OS has firewall rules that block access to the greater Internet outside of North Korea's intranet, and DNS resolution is not configured.  Since North Korea doesn't even use DNS to access its own internal sites, this makes sense in context.

However, it's extremely simple to flush the iptables out to gain access.  As root:

# rm /etc/sysconfig/iptables
# service iptables restart

This will then allow access to the greater Internet, but before trying anything, we still have more of the system to defang, because there are some shady components under the hood still lurking to get rid of.

In a default install, Red Star OS includes two rather malicious and intrusive monitoring daemons, which will constantly monitor the system for any changes made to modify its components or for "suspicious" files (we'll come to this part later).

These daemons, scnprc and opprc, are difficult to disable and kill off completely, but a set of scripts released by CCC onto GitHub will handle disabling and getting rid of these daemons for good.  These scripts can be found at github.com/takeshixx/redstar-tools for the curious.

Running defuse.sh from this repo will get rid of all malicious daemons, but let's also look at the manual process.

First, we need to make sure we have a root password.

The first thing we need to disable is SELinux, as it protects several directories (like /var/log) from being tampered with:

# setenforce 0

Be sure to append selinux=0 to the kernel parameters in /boot/grub/grub.conf so it doesn't come back up again on reboot.

Next, we need to kill the securityd daemon:

# killall -9 securityd

Next, we need to disable the rtscan kernel module using Python:

# python
Python 2.6 (r26:66714, Oct 7 2012, 13:39:47) 
[GCC 4.4.0 20090506 (Red Hat 4.4.0-4)] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import fcntl
>>> fcntl.ioctl(open('/dev/res','wb'), 29187)
0

Once we disable rtscan we can kill both scnprc and opprc easily:

# killall scnprc
# killall opprc

And after that, we need to replace /usr/lib/libos.so.0.0.0 with the copy found in the repo, which will prevent securityd from causing a reboot loop.

Finally, deleting /usr/share/autostart/scnprc.desktop and /etc/init/ctguard.conf will prevent kdeinit from starting the framework on reboot and prevent init from starting opprc, even when scnprc isn't running.

After all this, you can safely reboot the system and everything should be fully defanged.
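Once the system is back up, the persistence points the procedure above touched can be audited rather than trusted.  The following is an added example, not code from the article or the redstar-tools repo; it assumes a GRUB legacy grub.conf whose kernel entries begin with the word kernel, reads process names from /proc/<pid>/comm, and stays Python 2.6/3 compatible so it can also run on Red Star itself.

```python
# Added example (not from the article or redstar-tools): audit the persistence
# points the defang procedure removes, so a rebooted system can be confirmed
# to have stayed defanged. Paths are the ones named in the article.
import os
import glob

AUTOSTART = "usr/share/autostart/scnprc.desktop"   # kdeinit launches scnprc from here
CTGUARD = "etc/init/ctguard.conf"                  # init job that starts opprc
GRUB_CONF = "boot/grub/grub.conf"                  # kernel line must carry selinux=0 (assumed GRUB legacy layout)
DAEMONS = ("securityd", "scnprc", "opprc")


def running_daemons(proc="/proc"):
    """Return the names from DAEMONS found in <proc>/<pid>/comm (empty off-Linux)."""
    found = set()
    for comm in glob.glob(os.path.join(proc, "[0-9]*", "comm")):
        try:
            with open(comm) as fh:
                name = fh.read().strip()
        except IOError:      # process exited between glob and read
            continue
        if name in DAEMONS:
            found.add(name)
    return sorted(found)


def check_defanged(root="/", proc="/proc"):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for rel in (AUTOSTART, CTGUARD):
        if os.path.exists(os.path.join(root, rel)):
            findings.append("still present: /" + rel)
    grub = os.path.join(root, GRUB_CONF)
    try:
        with open(grub) as fh:
            kernel_lines = [l for l in fh if l.lstrip().startswith("kernel")]
    except IOError:
        findings.append("missing: /" + GRUB_CONF)
    else:
        if not kernel_lines or any("selinux=0" not in l for l in kernel_lines):
            findings.append("selinux=0 absent from a kernel line in /" + GRUB_CONF)
    for name in running_daemons(proc):
        findings.append("daemon still running: " + name)
    return findings


if __name__ == "__main__":
    problems = check_defanged()
    print("\n".join(problems) if problems else "defanged: all checks passed")
```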

The scnprc and opprc daemons are two of the ways the North Korean government controls users of the OS and restricts what they can do.

On a regular install, both daemons monitor both system changes and files that pass through the system, in the name of "safety" and "integrity" of the running system.

In reality, both tightly restrict what can be done to modify the system in any way.  For example, modifying any system library or critical system file on an "armed" (i.e., not defanged) install will send the system into a bootloop, which forces a reinstall and can serve as a tipoff that the system was tampered with.  The other way the OS controls users is by monitoring the files on their system, watermarking certain filetypes to trace which systems those files have passed through.

Both scnprc and opprc work together to not only scan your files and decide what's "malicious" and what isn't, but also to watermark certain files (based on metadata) with a small 31-byte DES-encrypted key that contains information about the computer's serial number (or likely MAC address) and drive serial number.

The watermark can be seen by viewing the file with a hex editor, or comparing a "clean" copy of the file to the "marked" file with a tool like vbindiff.
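The vbindiff comparison above can also be done in code: strip the longest common prefix and suffix of the clean and marked copies, and whatever remains is the injected data.  This is an added example, not code from the article; the sample bytes are constructed, and the real watermark's layout and position are not known from the article, which is why the function reports wherever the difference lands.

```python
# Added example (not from the article): locate the bytes a file picked up while
# passing through Red Star by comparing it to a clean copy. Python 3, meant for
# the analyst's machine rather than Red Star's Python 2.6.
import binascii


def locate_watermark(clean, marked):
    """Return (offset, inserted_bytes, overwritten_bytes), or None if identical.

    Strips the longest common prefix and suffix; what remains in `marked` is the
    injected data, what remains in `clean` is what it replaced (empty when the
    watermark was purely inserted or appended).
    """
    if clean == marked:
        return None
    prefix = 0
    limit = min(len(clean), len(marked))
    while prefix < limit and clean[prefix] == marked[prefix]:
        prefix += 1
    suffix = 0
    limit -= prefix                       # the suffix may not overlap the prefix
    while suffix < limit and clean[-1 - suffix] == marked[-1 - suffix]:
        suffix += 1
    inserted = marked[prefix:len(marked) - suffix]
    overwritten = clean[prefix:len(clean) - suffix]
    return prefix, inserted, overwritten


def describe(clean, marked):
    """One-line summary suitable for a loop over a directory of clean/marked pairs."""
    hit = locate_watermark(clean, marked)
    if hit is None:
        return "identical: no watermark"
    offset, inserted, overwritten = hit
    if offset == len(clean):
        kind = "appended"
    elif not overwritten:
        kind = "inserted"
    else:
        kind = "overwrote %d bytes with" % len(overwritten)
    return "%s %d bytes at offset 0x%x: %s" % (
        kind, len(inserted), offset, binascii.hexlify(inserted).decode())


# Constructed sample: a tiny PDF-like file and a fake 31-byte tag standing in
# for the DES-encrypted blob the article describes.
CLEAN = b"%PDF-1.4\n1 0 obj<</Type/Catalog>>endobj\n%%EOF\n"
FAKE_TAG = bytes(range(0x41, 0x41 + 31))

if __name__ == "__main__":
    print(describe(CLEAN, CLEAN + FAKE_TAG))
```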

Considering how tightly monitored and overseen computer sales would be in the country, this likely gives authorities a quick way of looking up the computer's information in a user database and swiftly moving to arrest the "dissenter" for bringing "forbidden" knowledge or banned materials into the country.  Because the watermarks accumulate as a file is copied between computers, they create a "paper trail" for authorities to follow.

Targeted files include PDF and Office document files, picture files, video files, and audio files.  In my tests, there are a few filetypes that the daemons don't touch: plain text files are not touched for obvious reasons, as well as any kind of source code, archive files, and Doom WAD files.  This also exposes a blind spot in their "security."

You can easily distribute written information in a plain text file, or by packing your files into an archive that isn't noticed.  This watermarking also can't happen if the volume the files are on is set to read-only, which means the easiest way to Sneakernet sensitive data around is either burn to an optical disc or set an SD or USB stick to read-only after copying files to it.

Getting rid of both daemons as described above (which matters, as scnprc spawns opprc, and opprc is not transparent to the user, nor can it simply be SIGKILL'd, since its PID is protected by another daemon) will kill the watermarking "feature" completely, allowing files to pass safely through the OS without fear of being marked.

One of the last things to note is that, although the included software is based on known F/OSS software like Firefox (rebranded as Naenara) or OpenOffice (branded as Sogwang Office), some additions were made for tracking purposes.  On Naenara, packet captures revealed that every GET request made by the browser was being intercepted and injected with a ping request to a North Korean IP address, which likely means that any and all sites you visit using Naenara are reported back to a government server for tracking purposes.

While these pings obviously fail outside of the North Korean intranet, it's interesting to see just how much the government is snooping on and tracking its citizens; it is likely looking for anyone viewing any kind of web page it would deem inappropriate or forbidden.

Additionally, tests with some additional browsers (at the time of this writing, I tested lynx in the terminal and Firefox 3.5 without their branding or modifications) show no such pings getting mixed into GET requests, confirming this to be specific to Naenara only.

There's plenty more to explore in Red Star OS, and Red Star OS 4.0 would also provide a new wealth of information about this odd, weirdly oppressive Linux distro and the minds behind it.  Perhaps you, the hacker reading this page, can help in the search for Red Star OS 4.0?  Let's find out!
