Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.

UNCLASSIFIED
Cherry Bomb Program Cherry Blossom Internal Test Procedures
when the copy exceeds each 1000 kB of data and that multiple copy files (each
1000 kB in length) exist via CherryWeb.
Cleanup: Reset the /etc/squid/squid.conf file back to the default setting and
restart squid (killall squid && sleep 2 && killall squid && squid -z &&
squid).
4.2.35 Copy Content-Length Reset Test
Description: Test the Flytrap’s ability to perform a Copy Action through a firewall
server that has been configured to reject (via TCP reset) HTTP POSTs with a
Content-Length larger than a specified size.
Setup: It is convenient to use the squid proxy as the firewall (i.e., you need a
Linux server with iptables). Add the following rule to the firewall server:
iptables -t filter -I INPUT -p tcp -s <SOURCE_IP_ADDRESS> --dport 3128 -m string --algo bm --from 0 --string "POST" -m string --algo bm --from 0 --string "Content-Length: 100000" -j REJECT --reject-with tcp-reset
where <SOURCE_IP_ADDRESS> is the WAN IP address of the Flytrap and
there is a space after the colon in "Content-Length: 100000".
Pass/Fail: The test passes if the Flytrap is able to perform a Copy Action through the
firewall. To verify that the Content-Length feature of the firewall is working,
connect a computer with Wireshark to a (true) hub on the WAN side of the
Flytrap. Start Wireshark before initiating the copy action. Verify that the firewall
sends a TCP reset in response to the copy handshake. Verify that handshakes
are repeated (each time with the Content-Length parameter being decremented
by a factor of 10) until they fall below 100000 bytes (i.e., 10000 bytes). Further,
generate more than 10000 bytes of copy data. Verify that the copy connection is
re-established each time the copy exceeds 10000 bytes of data and that
multiple copy files (each 10000 bytes in length) exist via CherryWeb.
Cleanup: Reset iptables back to its original setting with:
iptables -t filter -D INPUT -p tcp -s <SOURCE_IP_ADDRESS> --dport 3128 -m string --algo bm --from 0 --string "POST" -m string --algo bm --from 0 --string "Content-Length: 100000" -j REJECT --reject-with tcp-reset
where <SOURCE_IP_ADDRESS> is the WAN IP address of the Flytrap and
there is a space after the colon in "Content-Length: 100000".
Note that the only difference between this statement and the setup statement
is “-D” instead of “-I”.
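The stepped-down Content-Length retry that the Pass/Fail check looks for in Wireshark can also be spotted from a connection log, which is useful on the defending side of such a firewall. The following is an added example and is not part of the original procedure; it assumes a constructed, simplified per-POST record format (source, destination, Content-Length, whether the firewall answered with a reset) rather than any real Wireshark or squid output.

```python
"""Flag clients that, after a TCP reset, retry a POST with Content-Length
reduced by a factor of 10 each time (the fallback behaviour described in the
Copy Content-Length Reset Test). Added example; the log format is constructed."""
import re
from collections import defaultdict

# Constructed sample: one record per POST handshake seen on the WAN side.
# Fields: src_ip dst_ip content_length outcome (RST = firewall reset, OK = accepted)
SAMPLE_LOG = """\
10.0.0.5 192.0.2.10 1000000 RST
10.0.0.5 192.0.2.10 100000 RST
10.0.0.5 192.0.2.10 10000 OK
10.0.0.5 192.0.2.10 10000 OK
10.0.0.7 192.0.2.10 50000 OK
10.0.0.9 192.0.2.10 100000 RST
10.0.0.9 192.0.2.10 4096 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d+) (RST|OK)$")


def parse_log(text):
    """Parse the constructed log into (src, dst, content_length, outcome) tuples."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append((m.group(1), m.group(2), int(m.group(3)), m.group(4)))
    return records


def find_stepdown_clients(records, factor=10, min_steps=1):
    """Return {(src, dst): [Content-Length chain]} for flows in which a POST that
    followed a reset carried exactly 1/factor of the rejected Content-Length."""
    per_flow = defaultdict(list)
    for src, dst, clen, outcome in records:
        per_flow[(src, dst)].append((clen, outcome))
    hits = {}
    for flow, seq in per_flow.items():
        chain = []
        for (prev_len, prev_out), (cur_len, _) in zip(seq, seq[1:]):
            if prev_out == "RST" and prev_len == cur_len * factor:
                if not chain:
                    chain.append(prev_len)  # the first rejected size
                chain.append(cur_len)       # the size it stepped down to
        if len(chain) - 1 >= min_steps:
            hits[flow] = chain
    return hits


if __name__ == "__main__":
    for flow, chain in find_stepdown_clients(parse_log(SAMPLE_LOG)).items():
        print(f"{flow[0]} -> {flow[1]}: Content-Length stepped {chain}")
```

Only an exact factor-of-10 step after a reset counts, so the 10.0.0.9 flow (reset, then a 4096-byte retry) is not reported.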
