Vault 7: Projects

This publication series is about specific projects related to the Vault 7 main publication.
UNCLASSIFIED//LES
Page 6
If Fulcrum is run via the LoadLibrary technique and the parent process dies (e.g. as a result of a suicide timer) then Fulcrum will stop running as well. However, if the parent process enters into a min-ops like state, Fulcrum will continue to run.
Recommended Mitigation: Run Fulcrum using the LoadLibrary technique from a process that has a suicide timer. If an event is approaching that may result in the loss of communications with the pivot machine or require a min-ops like state, then directly issue Fulcrum the shutdown command.
Additional Notes:
3.6 RUNNING FULCRUM INSIDE OF A VM CAUSES THE HOST TO DISPLAY AN ALERT
Description: If Fulcrum is run on a pivot machine which is actually a virtual machine and the host machine is running Linux and VMware, then a notification is displayed on the host system. The notification is a message box that states: The virtual machine's operating system has attempted to enable promiscuous mode on adapter Ethernet0. This is not allowed for security reasons.
Reason: Fulcrum must specially craft packets for its attack. This requires administrative privileges from the operating system because the normal network APIs provided to a user-level process don't allow these types of access. In the case of the pivot machine being a virtual machine, the host machine views that pivot machine as basically just another process. As a result, that process must also have administrative privileges on the host machine. By default, the virtual network adapters on the host machine are accessible only by the root user on Linux host machines.
Recommended Mitigation: Don't run Fulcrum on a pivot machine that is a virtual machine.
Additional Notes:
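A defender's counterpart to the alert described in 3.6, added here as an example and not part of the original document: the Linux kernel logs the same transition the VMware host objects to, so a detector can replay kernel log lines (the sample lines below are constructed) and report which interfaces are still in promiscuous mode, and can confirm the live IFF_PROMISC flag through sysfs. The newer "<ifname>: entered promiscuous mode" message form is handled as an assumption alongside the classic "device <ifname> entered promiscuous mode" form.

```python
import os
import re
from typing import Dict, List

# Kernel messages emitted by dev_set_promiscuity() when an interface's
# promiscuity count goes 0 -> 1 ("entered") or back to 0 ("left").
# Classic form: "device eth0 entered promiscuous mode".
# Newer form (assumed): "eth0: entered promiscuous mode".
PROMISC_RE = re.compile(
    r"(?:device\s+(?P<dev_old>\S+)\s+|(?P<dev_new>\S+?):\s+)"
    r"(?P<action>entered|left)\s+promiscuous\s+mode"
)

IFF_PROMISC = 0x100  # bit in /sys/class/net/<dev>/flags (Linux uapi if.h)


def promiscuous_interfaces(log_lines: List[str]) -> Dict[str, int]:
    """Replay kernel log lines; return interfaces still in promiscuous mode
    mapped to the (1-based) line number of their last 'entered' message."""
    state: Dict[str, int] = {}
    for lineno, line in enumerate(log_lines, 1):
        m = PROMISC_RE.search(line)
        if not m:
            continue
        dev = m.group("dev_old") or m.group("dev_new")
        if m.group("action") == "entered":
            state[dev] = lineno
        else:
            state.pop(dev, None)  # "left" clears an earlier "entered"
    return state


def flags_promiscuous(flags_hex: str) -> bool:
    """True if a sysfs flags value such as '0x1103' has IFF_PROMISC set."""
    return int(flags_hex, 16) & IFF_PROMISC != 0


def live_promiscuous(sys_net: str = "/sys/class/net") -> List[str]:
    """Current promiscuous interfaces from sysfs (empty off Linux)."""
    found: List[str] = []
    if not os.path.isdir(sys_net):
        return found
    for dev in sorted(os.listdir(sys_net)):
        try:
            with open(os.path.join(sys_net, dev, "flags")) as f:
                if flags_promiscuous(f.read().strip()):
                    found.append(dev)
        except OSError:
            continue  # virtual or vanished interface without a flags file
    return found


# Constructed syslog excerpt: eth0 stays promiscuous, eth1 was a short capture.
SAMPLE_LOG = [
    "Mar  3 10:13:58 pivot kernel: [ 1201.001] e1000: eth0 NIC Link is Up",
    "Mar  3 10:14:02 pivot kernel: [ 1205.110] device eth0 entered promiscuous mode",
    "Mar  3 10:20:41 pivot kernel: [ 1604.512] device eth1 entered promiscuous mode",
    "Mar  3 10:21:05 pivot kernel: [ 1628.730] device eth1 left promiscuous mode",
    "Mar  3 10:25:00 pivot kernel: [ 1863.002] virbr0: entered promiscuous mode",
]
```

Running `promiscuous_interfaces(SAMPLE_LOG)` on the constructed excerpt reports eth0 and virbr0 but not eth1, which left promiscuous mode before the end of the log.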
3.7 THE TARGET AND/OR DEFAULT GATEWAY'S MAC ADDRESS IS UNKNOWN
Description: The MAC addresses of the target and the default gateway are both required parameters in order for Fulcrum to operate. If either of these parameters is missing or incorrect, Fulcrum will not work. These two pieces of information may be unknown to the Fulcrum operator.
Reason: Fulcrum uses the MAC addresses of the target and the default gateway in order to verify it is on the correct network and targeting the correct machine. The MAC address of the default gateway will nearly always be in the arp table cache (arp -a) of the pivot machine. However, the target machine's MAC address may not be present if the pivot machine and target machine are not generating traffic between each other.
Recommended Mitigation: In addition to issuing an arp -a command on the pivot machine, on Windows Vista and later, the neighbor cache provides more detailed information and can be dumped using the following command: netsh interface ipv4 show neighbors
Additional Notes: