[German]Within the last days I’ve seen several blog posts recommending the tool NVTrimmer. The tool is used for customizing Nvidia driver installation packages. If you intend to use this tool, read this blog post to become aware of the risks.
At this point I’d like to make a clear: It’s not my intension to criticizes my blogging colleagues. At a first glance it’s a good idea to have such a tool, and I value the intension of the developer of this tool. But, if you think you need that tool, you should at least have read the following explanations and be aware of the potential consequences.
NVTrimmer, what’s that?
Martin Brinkmann introduced NVTrimmer on ghacks.net a few days ago – here is his tweet.
NVTrimmer: remove unwanted components from Nvidia drivers #nvidia #drivers #videocardhttps://t.co/Hp6f0lfMU7 pic.twitter.com/BocHWBs20l
— ghacksnews (@ghacksnews) 1. Oktober 2018
With this tool you can customize a Nvidia driver installation packag. The screenshot shown in the tweet above indicates the options for customization, which looks tempting. Martin Brinkmann wrote:
NVIDIA Driver Slimming Utility (NVSlimmer) is a free portable program for Windows to remove unwanted components from Nvidia drivers before installation.
Sounds reasonable, and the tool has been introduced within the guru3d forum. I’ve read Martin’s blog post an thought ‘you need to check this tool, sounds good’.
Trouble after NVSlimmer 0.5 download
Within the article linked above (and another German article), version 0.4 of the tool has been tested. Visiting the guru3d forum I found version 0.5, which I downloaded in Windows 7 SP1. Then I tried to have a look into the ZIP archive, using a double click (my intention was, to use Windows build in features for that).
But I got the message shown above on my German Windows, that says ‘Could not open the folder, due to the ZIP compressed folder … is not valid’. First I thought the download was damaged. But other copies produced the same behavior. My attempt, to unzip the archive, using Windows 7 context menu command, ends with the error message below:
It says that the ZIP archive is empfty, obviously the archive was packed with options that are not supported in Windows 7 SP1. I then reluctantly tried 7-Zip, but already received an error message during unpacking. Finally I opened the ZIP archive in 7-Zip with a double click and was able to view files. These could then be expanded by drag & drop into a new folder.
Addenum: I know now the reason, why I can’t unzip the archive (a German reader posted a comment). The download is saved as a .zip archive file, but the content is packed as RAR – I’ve overlooked this in 7-Zip.
Frowning over the expanded files
When I looked into the folder with the unzipped files, I found libraries and auxiliary routines of 7-Zip are used there. The following screenshot shows the contents of the folder.
The 7-Zip utilities and files are version 18.5.0.0 (dated April 30, 2018). This is the current version (see also my blog post 7-ZIP Version 18.05 released). But I had explained in this article as well as in the blog post Security-Risk: Avoid 7-Zip the potential security problems with 7-Zip, and that’s why I hesitate to use these utilities. Obviously NVTrimmer needs these tools to unpack and repack the NVidia driver archives.
Addenum: Ok, they are using the least recent 7-zip version, and Igor Beltchev seems to have improved the security of 7-zip. But it’s important, to keep in mind, to check after downloading a new version of NVSlimmer, that these files also has been updated.
Red alert within my security test bed
Since a while I have begun to test such new tools also within a security test bed. There I can check if a program is vulnerable to DLL hijacking or having obvious security issues. In this test environment I use test modules provided by security expert Stefan Kanthak (see also my article PSA: Classic Shell is now Open Shell Menu – and a warning). The modules will trigger an alarm, if something is not properly implemented.
Executing NVTrimmer within my security test bed triggered one ‘mine after the other’. The dialog box shown above is in German, but it says, that NVSlimmer.exe is using a dll from my test bed. The dialog was one of many similar messages. NVTrimmer not only uses the insecure 7-Zip auxiliary tools, but also has a lot of static dependencies to various DLL libraries.
This opens an attack vector to DLL hijacking for malware. It doesn’t even need admin privileges to manipulate or inject things. And now people are using this tool to read a Nvidia driver package, select some options and then let the tool reassemble it into a modified driver package. This driver package will be installed later in Windows with administrator privileges.
So this provides a wonderful attack vector for malware. This malware of course could inject everything into the driver package that you need in terms of malicious functions. I won’t say ‘it happens’, but I point out a potential risk that should be avoided in a ‘good programming practice’. So I would keep my fingers away from such a tool.