Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED
Cherry Bomb Program Cherry Blossom Internal Test Procedures
Pass/Fail: The test passes if the Flytrap is able to Alert to CherryTree via the
squid proxy. This should be confirmed in two steps: first by confirming in the
squid server’s /var/log/squid/access.log that a connection has been attempted
(the access.log file shows each request that is processed, as well as its
originating IP address and the destination), and second by confirming the receipt
of the Alert via CherryWeb.
4.2.33 Squid Proxy Copy Test
Description: Test the Flytrap’s ability to perform a Copy Action normally through
a squid proxy server with a (nearly) default configuration.
Setup: Squid proxy set up the same as in “Squid Proxy Beacon Test”. Have the
Flytrap perform a Copy Action on a Target.
Pass/Fail: The test passes if the Flytrap is able to perform a Copy Action via the
squid proxy. This should be confirmed in two steps: first by confirming in the
squid server’s /var/log/squid/access.log that a connection has been attempted
(the access.log file shows each request that is processed, as well as its
originating IP address and the destination), and second by confirming receipt of
valid Copy data via CherryWeb.
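The first Pass/Fail step of both the Beacon and the Copy tests is the same: find the Flytrap’s request in the squid server’s access.log. The following is an added example, not part of the CherryBlossom test procedures, that parses Squid’s default (native) log format and answers that question for one client address and one destination host. The log lines are constructed for the example; the addresses and the host name cherrytree.example are placeholders. Note that a request squid refused (TCP_DENIED/413) is still logged, so this step proves only that the proxy saw the request, which is why the second step (receipt via CherryWeb) is also required.

```python
"""Check a Squid native-format access.log for requests from one client
to one destination, as the first Pass/Fail step of these tests calls for.

Added example, not part of the CherryBlossom test procedures.  The log
lines below are constructed in Squid's default log format (timestamp,
elapsed ms, client address, result/status, bytes, method, URL, ident,
hierarchy/peer, content type); the addresses and the host name are
placeholders.
"""
from urllib.parse import urlsplit

# Constructed sample: a Flytrap at 192.168.1.50 posting to a CherryTree
# at cherrytree.example, plus unrelated traffic from another client.
SAMPLE_ACCESS_LOG = """\
1497456123.456    120 192.168.1.50 TCP_MISS/200 1234 POST http://cherrytree.example/beacon - DIRECT/10.0.0.5 application/octet-stream
1497456130.001     15 192.168.1.50 TCP_DENIED/413 3611 POST http://cherrytree.example/copy - NONE/- text/html
1497456130.210     18 192.168.1.50 TCP_DENIED/413 3611 POST http://cherrytree.example/copy - NONE/- text/html
1497456131.002    420 192.168.1.50 TCP_MISS/200 987 POST http://cherrytree.example/copy - DIRECT/10.0.0.5 application/octet-stream
1497456140.777     90 192.168.1.77 TCP_MISS/200 5120 GET http://www.example.com/ - DIRECT/93.184.216.34 text/html
"""


def host_of(url):
    """Host part of a logged URL; CONNECT requests log only host:port."""
    if "://" in url:
        return urlsplit(url).hostname
    return url.split(":", 1)[0]


def parse_access_log(text):
    """Parse native-format lines into dicts; skip blank or truncated lines."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 9:
            continue
        result, _, status = parts[3].partition("/")
        entries.append({
            "time": float(parts[0]),
            "elapsed_ms": int(parts[1]),
            "client": parts[2],
            "result": result,           # e.g. TCP_MISS, TCP_DENIED
            "status": int(status),      # HTTP status squid returned
            "bytes": int(parts[4]),
            "method": parts[5],
            "url": parts[6],
            "host": host_of(parts[6]),
            "peer": parts[8],           # DIRECT/<origin>, or NONE/- when denied
        })
    return entries


def requests_from_to(entries, client_ip, dest_host):
    """Every request the proxy processed from client_ip to dest_host."""
    return [e for e in entries
            if e["client"] == client_ip and e["host"] == dest_host]


def connection_attempted(entries, client_ip, dest_host):
    """Step one of the Pass/Fail check: did a request reach the proxy?"""
    return bool(requests_from_to(entries, client_ip, dest_host))


def denied_too_large(entries, client_ip, dest_host):
    """Requests squid refused with 413.  These still appear in access.log,
    so step one can pass while no Copy data ever reaches CherryTree."""
    return [e for e in requests_from_to(entries, client_ip, dest_host)
            if e["status"] == 413]


if __name__ == "__main__":
    log = parse_access_log(SAMPLE_ACCESS_LOG)
    print("attempted:", connection_attempted(log, "192.168.1.50", "cherrytree.example"))
    for e in denied_too_large(log, "192.168.1.50", "cherrytree.example"):
        print("413 at", e["time"], e["method"], e["url"])
```

On a real squid server the same functions run over `open("/var/log/squid/access.log").read()`; the field layout above is Squid’s default and changes only if logformat has been customised, which the (nearly) default configuration of these tests does not do.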
4.2.34 Squid Proxy Copy Content-Length Filter Test
Description: Test the Flytrap’s ability to perform a Copy Action normally through
a squid proxy server that has been configured to reject (via an HTTP 413 error code
response) HTTP POSTs with a Content-Length larger than specified in the squid
configuration file.
Setup: Squid proxy set up the same as in “Squid Proxy Beacon Test”. Stop the squid
proxy (killall squid && sleep 2 && killall squid). Clear the squid proxy
cache (squid -z). Edit /etc/squid/squid.conf:
Change:
# request_body_max_size 0 kB
To:
request_body_max_size 1000 kB
Start the squid server (squid).
Pass/Fail: The test passes if the Flytrap is able to perform a Copy Action via the
squid proxy. To verify that squid’s Content-Length filter is working,
connect a computer running Wireshark to a true hub (not a switch) on the WAN side of the
Flytrap. Start Wireshark before initiating the Copy Action. Verify that squid answers
the copy handshake with an HTTP 413 error code. Verify that the
handshake is repeated (each time with the Content-Length value reduced
by a factor of 10) until it falls to 1000 kB, which squid accepts because only
bodies larger than the configured limit are rejected. Further, generate more
than 1000 kB of copy data. Verify that the copy connection is re-established
38
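The Content-Length Filter Test above has two technical parts: the squid.conf change in the Setup step and the 413/retry behaviour the Pass/Fail step verifies. The following is an added example, not CherryBlossom or Squid code, that models both. The proxy rule follows Squid’s documented request_body_max_size semantics (a request whose Content-Length exceeds the limit gets HTTP 413; 0 disables the check). The Flytrap’s real handshake format and its initial Content-Length are not on the page, so the starting size of 100,000 kB used in the demo is an assumption, as is the reading that copy data larger than the accepted size is moved over several re-established connections.

```python
"""Model the Content-Length Filter Test: the squid.conf change from the
Setup step and the handshake behaviour the Pass/Fail step verifies.

Added example, not CherryBlossom or Squid code.  The Flytrap handshake
format and its initial Content-Length are not on the page, so the
starting size used in the demo is an assumption; the proxy rule follows
Squid's documented request_body_max_size semantics (HTTP 413 when
Content-Length exceeds the limit, 0 disables the check).
"""
import math
import re

KB = 1024


def set_request_body_max_size(conf_text, value):
    """Return conf_text with request_body_max_size set to `value`.

    Replaces the first existing directive, commented out or not, in
    place (the "# request_body_max_size 0 kB" line of a stock squid.conf);
    appends one if the file has none.
    """
    pattern = re.compile(r"^[ \t]*#?[ \t]*request_body_max_size\b.*$", re.MULTILINE)
    new_line = f"request_body_max_size {value}"
    if pattern.search(conf_text):
        return pattern.sub(new_line, conf_text, count=1)
    return conf_text.rstrip("\n") + "\n" + new_line + "\n"


def parse_size(value):
    """'1000 kB' -> bytes.  Squid reads the unit case-insensitively."""
    number, unit = value.split()
    multiplier = {"bytes": 1, "kb": KB, "mb": KB ** 2, "gb": KB ** 3}[unit.lower()]
    return int(number) * multiplier


def proxy_response(content_length, max_body):
    """Squid's rule for a request body: 413 if it exceeds the limit,
    200 otherwise; max_body == 0 means the limit is disabled."""
    if max_body and content_length > max_body:
        return 413
    return 200


def negotiate_content_length(start, max_body, factor=10):
    """Replay the copy handshake until the proxy accepts it.

    Returns [(content_length, status), ...], one entry per handshake.
    After each 413 the next handshake advertises a Content-Length
    `factor` times smaller, the pattern the test says to check in Wireshark.
    """
    attempts = []
    size = start
    while size > 0:
        status = proxy_response(size, max_body)
        attempts.append((size, status))
        if status == 200:
            return attempts
        size //= factor
    raise RuntimeError("proxy never accepted the handshake")


def copy_connections(total_bytes, accepted_size):
    """Connections needed to move total_bytes if each POST carries at most
    accepted_size (assumed reading of 'the copy connection is re-established')."""
    return math.ceil(total_bytes / accepted_size)


if __name__ == "__main__":
    # Constructed squid.conf excerpt with the stock commented-out default.
    conf = "# request_body_max_size 0 kB\nhttp_port 3128\n"
    conf = set_request_body_max_size(conf, "1000 kB")
    print(conf)
    limit = parse_size("1000 kB")
    # Assumed starting Content-Length of 100,000 kB: two 413s, then accepted.
    for size, status in negotiate_content_length(100_000 * KB, limit):
        print(f"Content-Length: {size // KB} kB -> HTTP {status}")
    print("copy connections for 2500 kB:", copy_connections(2500 * KB, limit))
```

The boundary case matters for the test: a handshake advertising exactly 1000 kB is accepted, since squid rejects only bodies strictly larger than the configured limit, so the sequence seen in Wireshark should end with a 200 at 1000 kB rather than a further reduction to 100 kB.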