{"id":7235,"date":"2018-10-03T00:54:00","date_gmt":"2018-10-02T22:54:00","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=7235"},"modified":"2018-10-03T02:30:37","modified_gmt":"2018-10-03T00:30:37","slug":"warning-avoid-nvtrimmer-for-nvidia-driver-customization","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2018\/10\/03\/warning-avoid-nvtrimmer-for-nvidia-driver-customization\/","title":{"rendered":"Warning: Avoid NVTrimmer for Nvidia driver customization"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"https:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2015\/01\/Schutz.jpg\" width=\"40\" height=\"47\" align=\"left\" \/>[<a href=\"https:\/\/www.borncity.com\/blog\/?p=210089&amp;\" target=\"_blank\" rel=\"noopener\">German<\/a>]Within the last few days I've seen several blog posts recommending the tool NVTrimmer. The tool is used for customizing Nvidia driver installation packages. If you intend to use this tool, read this blog post to become aware of the risks.<\/p>\n<p><!--more--><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg04.met.vgwort.de\/na\/8b138ba34a8e4fbcae66044f155d1ea9\" alt=\"\" width=\"1\" height=\"1\" \/>At this point I'd like to make one thing clear: It's not my intention to criticize my blogging colleagues. At first glance it's a good idea to have such a tool, and I value the intention of the developer of this tool. 
But, if you think you need that tool, you should at least read the following explanations and be aware of the potential consequences.<\/p>\n<h2>NVTrimmer, what's that?<\/h2>\n<p>Martin Brinkmann introduced NVTrimmer on ghacks.net a few days ago &#8211; here is his tweet.<\/p>\n<blockquote class=\"twitter-tweet\" data-lang=\"de\">\n<p dir=\"ltr\" lang=\"en\">NVTrimmer: remove unwanted components from Nvidia drivers <a href=\"https:\/\/twitter.com\/hashtag\/nvidia?src=hash&amp;ref_src=twsrc%5Etfw\">#nvidia<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/drivers?src=hash&amp;ref_src=twsrc%5Etfw\">#drivers<\/a> <a href=\"https:\/\/twitter.com\/hashtag\/videocard?src=hash&amp;ref_src=twsrc%5Etfw\">#videocard<\/a><a href=\"https:\/\/t.co\/Hp6f0lfMU7\">https:\/\/t.co\/Hp6f0lfMU7<\/a> <a href=\"https:\/\/t.co\/BocHWBs20l\">pic.twitter.com\/BocHWBs20l<\/a><\/p>\n<p>\u2014 ghacksnews (@ghacksnews) <a href=\"https:\/\/twitter.com\/ghacksnews\/status\/1046688415977279488?ref_src=twsrc%5Etfw\">October 1, 2018<\/a><\/p><\/blockquote>\n<p><span id=\"preserve3570a16da91c4e4fb22d4c4906399e7e\" class=\"wlWriterPreserve\"><script src=\"https:\/\/platform.twitter.com\/widgets.js\" async=\"\" charset=\"utf-8\"><\/script><\/span><\/p>\n<p>With this tool you can customize an Nvidia driver installation package. The screenshot shown in the tweet above indicates the options for customization, which look tempting. Martin Brinkmann wrote:<\/p>\n<blockquote><p>NVIDIA Driver Slimming Utility (NVSlimmer) is a free portable program for Windows to remove unwanted components from Nvidia drivers before installation.<\/p><\/blockquote>\n<p>Sounds reasonable, and the tool was introduced in the <a href=\"https:\/\/forums.guru3d.com\/threads\/nvidia-driver-slimming-utility.423072\/\" target=\"_blank\" rel=\"noopener\">guru3d forum<\/a>. 
I've read Martin's blog post and thought 'you need to check this tool, sounds good'.<\/p>\n<h2>Trouble after NVSlimmer 0.5 download<\/h2>\n<p>In the article linked above (and another German article), version 0.4 of the tool was tested. Visiting the <a href=\"https:\/\/forums.guru3d.com\/threads\/nvidia-driver-slimming-utility.423072\/\" target=\"_blank\" rel=\"noopener\">guru3d forum<\/a> I found version 0.5, which I downloaded on Windows 7 SP1. Then I tried to have a look into the ZIP archive, using a double click (my intention was to use Windows' built-in features for that).<\/p>\n<p><img decoding=\"async\" title=\"ZIP-Fehler 1\" src=\"https:\/\/i.imgur.com\/qzAUzsb.jpg\" alt=\"ZIP-Fehler 1\" \/><\/p>\n<p>But I got the message shown above on my German Windows, which says 'Could not open the folder, because the ZIP compressed folder \u2026 is not valid'. First I thought the download was damaged. But other copies produced the same behavior. My attempt to unzip the archive using the Windows 7 context menu command ended with the error message below:<\/p>\n<p><img decoding=\"async\" title=\"ZIP-Fehler beim Entpacken\" src=\"https:\/\/i.imgur.com\/Zk1BHTC.jpg\" alt=\"ZIP-Fehler beim Entpacken\" \/><\/p>\n<p>It says that the ZIP archive is empty; obviously the archive was packed with options that are not supported in Windows 7 SP1. I then reluctantly tried 7-Zip, but received an error message already during unpacking. Finally I opened the ZIP archive in 7-Zip with a double click and was able to view the files. These could then be expanded by drag &amp; drop into a new folder.<\/p>\n<blockquote><p>Addendum: I now know the reason why I couldn't unzip the archive (a German reader posted a comment). 
The download is saved as a .zip archive file, but the content is packed as RAR &#8211; I overlooked this in 7-Zip.<\/p><\/blockquote>\n<h2>Frowning over the expanded files<\/h2>\n<p>When I looked into the folder with the unzipped files, I found that libraries and auxiliary routines of 7-Zip are used there. The following screenshot shows the contents of the folder.<\/p>\n<p><img decoding=\"async\" title=\"NVSlimmer-Dateien\" src=\"https:\/\/i.imgur.com\/QCIgEk7.jpg\" alt=\"NVSlimmer-Dateien\" \/><\/p>\n<p>The 7-Zip utilities and files are version 18.5.0.0 (dated April 30, 2018). This is the current version (see also my blog post <a href=\"https:\/\/borncity.com\/win\/2018\/05\/05\/7-zip-version-18-05-released\/\">7-ZIP Version 18.05 released<\/a>). But I had explained in this article as well as in the blog post <a href=\"https:\/\/borncity.com\/win\/2018\/02\/21\/security-risk-avoid-7-zip\/\">Security-Risk: Avoid 7-Zip<\/a> the potential security problems with 7-Zip, and that's why I hesitate to use these utilities. Obviously NVTrimmer needs these tools to unpack and repack the NVidia driver archives.<\/p>\n<blockquote><p>Addendum: OK, they are using the most recent 7-Zip version, and Igor Beltchev seems to have improved the security of 7-Zip. But it's important to keep in mind to check, after downloading a new version of NVSlimmer, that these files have also been updated.<\/p><\/blockquote>\n<h2>Red alert within my security test bed<\/h2>\n<p>For a while now, I have also been testing such new tools within a security test bed. There I can check if a program is vulnerable to DLL hijacking or has obvious security issues. In this test environment I use test modules provided by security expert Stefan Kanthak (see also my article <a href=\"https:\/\/borncity.com\/win\/2018\/08\/11\/psa-classic-shell-is-now-open-shell-menu-and-a-warning\/\">PSA: Classic Shell is now Open Shell Menu \u2013 and a warning<\/a>). 
The modules will trigger an alarm if something is not properly implemented.<\/p>\n<p><img decoding=\"async\" title=\"Sicherheitsalarm bei NVTrimmer 0.5\" src=\"https:\/\/i.imgur.com\/7KfipQd.jpg\" alt=\"Sicherheitsalarm bei NVTrimmer 0.5\" \/><\/p>\n<p>Executing NVTrimmer within my security test bed triggered 'one mine after the other'. The dialog box shown above is in German, but it says that <em>NVSlimmer.exe<\/em> is using a DLL from my test bed. The dialog was one of many similar messages. NVTrimmer not only uses the insecure 7-Zip auxiliary tools, but also has a lot of static dependencies on various DLL libraries.<\/p>\n<p>This opens a DLL hijacking attack vector for malware. It doesn't even need admin privileges to manipulate or inject things. And now people are using this tool to read an Nvidia driver package, select some options and then let the tool reassemble it into a modified driver package. This driver package will be installed later in Windows with administrator privileges.<\/p>\n<p>So this provides a wonderful attack vector for malware. This malware could of course inject anything into the driver package that is needed in terms of malicious functions. I won't say 'it happens', but I am pointing out a potential risk that should be avoided as a matter of 'good programming practice'. So I would keep my hands off such a tool.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Within the last few days I've seen several blog posts recommending the tool NVTrimmer. The tool is used for customizing Nvidia driver installation packages. 
If you intend to use this tool, read this blog post to become aware of the risks.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,2],"tags":[69,157],"class_list":["post-7235","post","type-post","status-publish","format-standard","hentry","category-security","category-windows","tag-security","tag-tool"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7235","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=7235"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/7235\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=7235"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=7235"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/tags?post=7235"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}