In the last few days I have seen several blog posts recommending the tool NVSlimmer, which is used to customize Nvidia driver installation packages. If you intend to use this tool, read this post first to become aware of the risks.
At this point I'd like to make one thing clear: it is not my intention to criticize my blogging colleagues. At first glance it is a good idea to have such a tool, and I value the intention of its developer. But if you think you need this tool, you should at least have read the following explanations and be aware of the potential consequences.
NVSlimmer, what's that?
Martin Brinkmann introduced NVSlimmer on ghacks.net a few days ago; here is his tweet.
NVTrimmer: remove unwanted components from Nvidia drivers #nvidia #drivers #videocardhttps://t.co/Hp6f0lfMU7 pic.twitter.com/BocHWBs20l
— ghacksnews (@ghacksnews) October 1, 2018
With this tool you can customize an Nvidia driver installation package. The screenshot in the tweet above shows the customization options, which look tempting. Martin Brinkmann wrote:
NVIDIA Driver Slimming Utility (NVSlimmer) is a free portable program for Windows to remove unwanted components from Nvidia drivers before installation.
Sounds reasonable, and the tool was introduced in the guru3d forum. I read Martin's blog post and thought 'you need to check this tool, it sounds good'.
Trouble after NVSlimmer 0.5 download
In the article linked above (and in another German article), version 0.4 of the tool was tested. Visiting the guru3d forum I found version 0.5, which I downloaded on Windows 7 SP1. Then I tried to look into the ZIP archive with a double click (my intention was to use the built-in Windows features for that).
But I got the message shown above on my German Windows, which says 'Could not open the folder, because the ZIP compressed folder … is not valid'. At first I thought the download was damaged, but other copies behaved the same way. My attempt to unzip the archive with the Windows 7 context menu command ended with the error message below:
It says that the ZIP archive is empty; apparently the archive was packed with options that Windows 7 SP1 does not support. I then reluctantly tried 7-Zip, but again got an error message during unpacking. Finally I opened the ZIP archive in 7-Zip with a double click and was able to view the files, which I could then extract by drag & drop into a new folder.
Addendum: I now know the reason why I couldn't unzip the archive (a German reader posted a comment). The download is saved as a .zip file, but the content is packed as RAR; I had overlooked this in 7-Zip.
Frowning over the unpacked files
When I looked into the folder with the unpacked files, I found that 7-Zip's libraries and helper executables are bundled there. The following screenshot shows the contents of the folder.
The 7-Zip utilities and files are version 18.5.0.0 (dated April 30, 2018). This is the current version (see also my blog post 7-ZIP Version 18.05 released). But in that article, as well as in the blog post Security-Risk: Avoid 7-Zip, I explained the potential security problems with 7-Zip, and that's why I hesitate to use these utilities. Obviously NVSlimmer needs these tools to unpack and repack the Nvidia driver archives.
Addendum: Ok, they are using the latest 7-Zip version, and Igor Pavlov seems to have improved the security of 7-Zip. But keep in mind: after downloading a new version of NVSlimmer, check that these bundled files have been updated as well.
Red alert within my security test bed
For a while now I have also been testing such new tools in a security test bed. There I can check whether a program is vulnerable to DLL hijacking or has other obvious security issues. In this test environment I use test modules provided by security expert Stefan Kanthak (see also my article PSA: Classic Shell is now Open Shell Menu – and a warning). These modules are decoy DLLs placed where an application's dependencies get resolved; if a program loads one of them instead of the system copy, they raise an alarm, because something is not properly implemented.
Executing NVSlimmer in my security test bed triggered one 'mine' after the other. The dialog box shown above is in German, but it says that NVSlimmer.exe is using a DLL from my test bed. The dialog was one of many similar messages. NVSlimmer not only uses the 7-Zip helper tools, which I consider risky, but also has a lot of static dependencies on various DLLs that it resolves from its own directory.
This opens an attack vector for DLL hijacking by malware. The tool is unpacked into a folder the user can write to, so malware running with ordinary user rights can plant a DLL of the right name there; no admin privileges are needed to manipulate or inject things. And now people are using this tool to read an Nvidia driver package, select some options and then let the tool reassemble it into a modified driver package. This driver package will be installed later in Windows with administrator privileges.
So this provides a wonderful attack vector for malware: code injected into the tool at user level can add whatever malicious functionality it wants to the driver package, which then gets installed as administrator. I won't say 'it happens', but I am pointing out a potential risk that 'good programming practice' should avoid. So I would keep my fingers away from such a tool.
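The static half of the check described above can be reproduced without a test bed: read the executable's import table and flag every DLL the Windows loader resolves through the search path (application directory first) rather than from the protected \KnownDlls object directory. The following is an added example, not code from this post or from NVSlimmer's author; it uses only the Python standard library. KNOWN_DLLS is a constructed subset of the KnownDLLs registry list, and build_sample_pe() produces a constructed, non-loadable PE32+ image so the parser can be exercised offline.

```python
"""Static triage for DLL search-order hijacking: list the DLLs an executable
imports and flag those the loader does not take from \\KnownDlls.
Added example (not from the post or from NVSlimmer's author).
Usage: python pe_imports.py NVSlimmer.exe   (no argument: constructed sample)"""
import struct
import sys

# Constructed subset of HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\KnownDLLs.
# Known DLLs are mapped from \KnownDlls and never searched on disk, so a same-named
# file in the application directory is ignored for them. Read the real list from
# the registry of the machine you assess.
KNOWN_DLLS = {
    "ntdll.dll", "kernel32.dll", "kernelbase.dll", "user32.dll", "gdi32.dll",
    "advapi32.dll", "msvcrt.dll", "ole32.dll", "oleaut32.dll", "shell32.dll",
    "shlwapi.dll", "comdlg32.dll", "rpcrt4.dll", "sechost.dll", "ws2_32.dll",
}
IMAGE_DIRECTORY_ENTRY_IMPORT = 1


def _sections(data, pe_off, size_opt, nsec):
    """(VirtualAddress, size, PointerToRawData) for each section header."""
    base = pe_off + 24 + size_opt
    out = []
    for i in range(nsec):
        vsize, vaddr, rawsize, rawptr = struct.unpack_from("<IIII", data, base + 40 * i + 8)
        out.append((vaddr, max(vsize, rawsize), rawptr))
    return out


def _rva_to_off(secs, rva):
    for vaddr, size, rawptr in secs:
        if vaddr <= rva < vaddr + size:
            return rva - vaddr + rawptr
    raise ValueError(f"RVA {rva:#x} lies outside every section")


def list_imports(data: bytes) -> list:
    """DLL names from the import directory, in import order."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsec = struct.unpack_from("<H", data, pe_off + 6)[0]
    size_opt = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24
    magic = struct.unpack_from("<H", data, opt)[0]
    dd = opt + (96 if magic == 0x10B else 112)                # PE32 vs PE32+ data dirs
    imp_rva = struct.unpack_from("<I", data, dd + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT)[0]
    if imp_rva == 0:
        return []
    secs = _sections(data, pe_off, size_opt, nsec)
    off = _rva_to_off(secs, imp_rva)
    names = []
    while True:  # IMAGE_IMPORT_DESCRIPTOR array, terminated by an all-zero entry
        oft, _ts, _fwd, name_rva, ft = struct.unpack_from("<IIIII", data, off)
        if oft == 0 and name_rva == 0 and ft == 0:
            return names
        noff = _rva_to_off(secs, name_rva)
        names.append(data[noff:data.index(b"\0", noff)].decode("ascii"))
        off += 20


def hijack_candidates(imports, known_dlls=KNOWN_DLLS):
    """Imports resolved via the search path, i.e. application directory first."""
    return [n for n in imports if n.lower() not in known_dlls]


def build_sample_pe(dll_names):
    """Constructed fixture: minimal PE32+ image holding only an import directory
    that names dll_names. Not loadable; just enough for list_imports()."""
    sect_rva, sect_off = 0x1000, 0x400
    body = bytearray((len(dll_names) + 1) * 20)      # descriptors + zero terminator
    name_rva = {}
    for n in dll_names:
        name_rva[n] = sect_rva + len(body)
        body += n.encode("ascii") + b"\0"
    body += b"\0" * (-len(body) % 8)
    thunk_rva = sect_rva + len(body)                 # one empty ILT/IAT, shared by all
    body += b"\0" * 16
    for i, n in enumerate(dll_names):
        struct.pack_into("<IIIII", body, 20 * i, thunk_rva, 0, 0, name_rva[n], thunk_rva)
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)                 # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x8664, 1, 0, 0, 0, 240, 0x22)
    opt = bytearray(240)
    struct.pack_into("<H", opt, 0, 0x20B)                            # PE32+ magic
    struct.pack_into("<II", opt, 112 + 8 * IMAGE_DIRECTORY_ENTRY_IMPORT, sect_rva, len(body))
    sec = b".idata\0\0" + struct.pack("<IIIIIIHHI", len(body), sect_rva, len(body),
                                      sect_off, 0, 0, 0, 0, 0x40000040)
    hdr = bytes(dos + coff + opt + sec)
    return hdr + b"\0" * (sect_off - len(hdr)) + bytes(body)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], "rb") as f:
            imports = list_imports(f.read())
    else:
        imports = list_imports(build_sample_pe(["KERNEL32.dll", "dwmapi.dll", "uxtheme.dll"]))
    for dll in imports:
        state = "search path, hijackable" if hijack_candidates([dll]) else "known DLL"
        print(f"{dll:24} {state}")
```

Two caveats for using this on NVSlimmer. A managed (.NET) executable usually imports only mscoree.dll statically; the interesting loads (the theme and DWM DLLs mentioned in the comments below, and anything fetched via LoadLibrary) happen at runtime inside the CLR and are invisible to the import table, so run the script on the native helpers (7z.exe, 7z.dll) and keep the dynamic decoy-DLL test from the post for the rest. And the list only tells you which names an attacker would plant in the application directory; whether that is exploitable depends on that directory being writable by the user, which is exactly the case for an archive unpacked into a user folder. On the developer side, Microsoft's 'Dynamic-Link Library Security' guidance amounts to loading by fully qualified path, or calling SetDefaultDllDirectories(LOAD_LIBRARY_SEARCH_SYSTEM32) before the first library load.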
What you write is totally BS (sorry to say this).
1.) NVtrimmer is basically only a GUI for what you can do via a simple batch file, except that it also offers additional features like repacking/compressing the files which you chose within the GUI (optional process).
2.) The download issue has nothing to do with the program itself. If Guru3d has some trouble I'm sure they're working on it ASAP in order to fix this. That some files/articles are sometimes not available is normal, probably because of maintenance etc.
3.) The program is harmless you can also verify that via VirusTotal or internal tools to check what's going on behind the scene. Your warning is nothing but a false positive.
4.) Yes 7-zip is used to compress the files (repacking) in order to save HDD/SSD space, 7-zip is fully open source.
5.) DWMAPI + UXtheme are not called by the program itself, it's maybe only a back function in order to draw the GUI (written in .NET, assuming it tries to check the theme layout to avoid several things).
The only part I see here to complain about is that the original author didn't release the source code, which makes it harder (but not impossible) to audit the program or to find/fix possible issues. Possible DLL hijacking or manipulation is possible in all programs unless the author specifically added some extra checks for this, and even then it can be bypassed (see basically every cracked game). This, however, doesn't mean the program is insecure or dangerous; if it were dangerous someone would already have figured it out and it wouldn't be featured on Guru3d.
Just read the article and then re-read your reply. None of your points above addresses what I pointed out. You wasted a lot of text negating something that I never raised in my text. Sorry, your text is pretty useless.
A little late to the war but I agree with CHEF-KOCH.
People that don't know what and how to use this tool properly are at a much higher chance to get their system infected by many other means than by using this tool or 7-Zip.
People give away their personal info on social media and/or for free stuff, and you're worried about a few "be careful" messages (not even about an actual infection),
for something that most (of the people that this would be a risk for) won't even know how to use properly..
It's like worrying about a possible break-in when the person living there is a cop/mil.
It's ok to warn/inform people, but stating to avoid it is way overblown.
Especially since you don't even care to update/recheck stuff; since the initial post it has been 2y, lots changed.
@Frank: Strong words – but you should consider what you write. I'm not talking about 'giving a few social media data' to third parties. I've described a security issue coming with this tool, allowing malware to gain admin rights and take over a system.
Concerning your 'Especially since you don't even care to update/recheck stuff, since the initial post it has been 2y, lots changed.'
Well, within my blogs there are 14,000 (German) and 3,500 (English) posts – so there is no obligation to check each post again and again. Smart people (and developers) are able to read, think and check for themselves and decide …
Nevertheless: I did a quick check and downloaded version 0.7 – there was a Christmas tree of warnings about DLL hijacking vulnerabilities … nothing learned/changed 'since my initial post'.
My evening prayer: Just working once with professionals …
And there was a nasty (but secret) thought in the back of my mind: The fools never die out – instead of forcing the developers to fix those issues, they are beating the bearer of the message (nothing has changed since the ancient Greeks), but that would be too rude and therefore I don't write this publicly here in the blog. Because it's not my problem if you put your systems at risk ;-). Or are you a representative of the 'no risk no fun' faction?
You picked Windows 7 to test out security vulnerabilities on this utility…. need I say more?
It seems you didn't understand the beef (same as Chef-Koch) – need I say more?
Normal people won't take care of DLL hijacking if they only want to write a GUI, unlike you. If you always download from the official site then it should be safe.
'If you always download from the official site then it should be safe.' -> It's simply a wrong assumption – no more to say!
It's actually just the default behaviour for .NET DLL loading. It searches the nearest matching DLL to load and doesn't care whether it's valid or not. Most people don't mind when writing or using these apps. If you really want to complain then you should tell Microsoft (although there are already some 3rd-party libraries to fix this, but most people don't mind, that's the core problem). Also there's no way to protect the tmp directory from being modified by malware for just this app. For most people it does the job, then it's good.
First of all: I'm aware that the DLL search order is a 'default behavior' of the .NET environment. But that doesn't make things better.
Second: I'm discussing this behavior with some developers – some were able to fix it (specifying a fully qualified path for loading dependent DLLs), so it is possible.
Third: Microsoft is aware of this pitfall and has published several documents about it. I don't have all the links, but here are a few – hope it helps:
Secure loading of libraries to prevent DLL preloading attacks
Dynamic-Link Library Security
Microsoft Security Advisory 2269637 (Insecure Library Loading Could Allow Remote Code Execution)
Dynamic-Link Library Redirection
Some more resources – randomly selected:
Hijack Execution Flow: DLL Search Order Hijacking
Best Practices to Prevent DLL Hijacking
Windows DLL Hijacking
Almost 300 Windows 10 executables vulnerable to DLL hijacking
Just keep in mind: I'm only able to point out the possible risk – I'm not the developer of that stuff, nor am I responsible for its use ;-).