Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
SECRET//20350112
(S) The Tomato exploit can determine the password for the DLink DIR-130 v1 fw 1.12.
It can also determine the password for older firmwares (4.30.7 and older) for the Linksys
WRT54GL. Tomato could be made to work against the 4.30.11 ETSI firmware for the
Linksys WRT54GL with a few man weeks of development effort. Tomato may work
against the Linksys WRT320N fw 1.00.03 with a few man weeks of development effort
as well. Tomato requires the UPnP service to be enabled on the device.
(S) The following summarizes wireless upgrade and admin password exploit support
(note this information is in the “WiFi Devices.xls” spreadsheet but is filtered here for
convenience):
| Make | Model | HW Version | FW Version | Wireless Upgrade | Admin Password Exploit | Notes |
|---|---|---|---|---|---|---|
| Belkin | F5D8231-4 | 4 | 4.00.16 | Y [1] | N [2] | [1] Wireless upgrade requires WUP. [2] Similar reference design to WRT300N v2, so similar password exploit could perhaps be developed. |
| DLink | DIR-130 | 1 | 1.12 | N [3] | Y [4] (Tomato) | [3] Wired-only router. [4] UPnP enabled on device by default. |
| Linksys | WRT300N | 2 (UK) | 2.00.08 | Y [5] | Y (in WUP) | [5] Wireless upgrade requires WUP. WUP includes password exploit. |
| Linksys | WRT320N | 1 | 1.00.03 | Y | N [6] | [6] Tomato password exploit may work with a few manweeks of development. |
| Linksys | WRT54G | 5 | 1.02.0 | Y | N [7] | [7] May be able to circumvent authentication with a direct firmware POST (more testing needed). |
| Linksys | WRT54GL | 1, 1.1 | 4.30.11 ETSI | Y | N [8] | [8] Tomato password exploit may work with a few manweeks of development (works against earlier firmware versions). |
| Linksys | WRT54GL | 1, 1.1 | ddwrt v24 sp1 standard generic 10011 | Y | N | |