Trove of CIA hacking tools
 

https://wikileaks.org/ciav7p1/

Perhaps we can maintain a thread that highlights the key articles with reverse engineering related exploits and zero day vulnerabilities. There is a huge amount of documents and unfortunately key code snippets are redacted. Nonetheless, I think a lot relevant to RE can be gleaned.

WARNING- DOWNLOAD AT YOUR OWN RISK!!

I was searching regarding this and found this torrent-:
PS- I have not seen what's inside it!!So use it at your own risk!!

Regards

The published "leak" doesn't really contain anything interesting, just a bunch of text messages and a few PDFs. No libraries, binaries or sources are included.

I looked into a few of these messages and some of them made me really believe they were written by some business economist since no "spy" or "coder" could be that stupid.

A few examples:

• The registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run was classified as "secret" and "don't share with foreign nationals" in the year 2014. It's not like that was public information worldwide for 20 years...
• SHA384 must be used without truncating. I have no idea how SHA384 is supposed to do that since it is truncated per definition.
• AES must be used with at least 256 bit. AES is only specified with a maximum of 256 bit. And what should we use as a key? A non-truncated SHA384?
• Coders should use secure random number generators. If that is not possible, coders should use SHA256 on that weak random number in order to make it a secure random number. Did they get that information from the tabloids?
• If some covert US spy enters a country and customs asks him what he's doing there, he should answer "I'm an engineer, I'm here for engineering stuff". No comment on that... ;)
• The CIA has a 3-user WinHex 16.1 license. If somebody gets access to a newer license they should share it in the CIA wiki. Seriously... ? (no WinHex license in the leak, don't ask)
• Don't compile malware binaries in US business hours since the timestamp would allow to trace them back to the US. I'm wondering if paying for all that overtime is cheaper than telling the coders about SetFileTime.
• In order to update their iPhone/iPad operating systems the employees must fill out a form so an admin can activate internet access for that device from the secret CIA network which isn't connected to the internet. And they're really wondering how things "leak" to the public? ;)

I can agree to Kerlingen, same with UAC bypass codes or code injection. Most if not all techniques are known since x years.

Without citing sources for you claims, your "collection" of statements is practically worthless, sorry.

Just a few less hyperbolic comments:

• The registry HKLM\Software\Microsoft\Windows\CurrentVersion\Run certainly wasn't classified as "secret" as you claim. The page talking about a *module* which exposes functionality to create a key in that path was. It even says that on the page "Technique Origin: Internet/open-source (Well-known)".
  
• wrt SHA384 it's pretty clear that advice is to not truncate the result any further. Not that truncation may never happen in any form.
  
• Same for AES. It says minimum bit length is 256 - entirely correct from a mathematical perspective.
  
• It's not only about the time stamp of the executable file itself - it's also about time stamps in included files, resources or other lesser known compiler/linker artifacts that might carry time stamps with them. In general, these folks of course do care a lot about making it harder for 3rd parties to attribute anything to them. See their internal discussion about the equation group kaspersky reports.

One interesting find is that the CIA use an internal debugging environment developed by the NSA called Ghidra. Obviously no binary included but interesting none the less.

Yeah it doesn't contain binaries but has many interesting things!!
For eg-:CIA hackers were able to bypass the encryption implemented by most popular secure messaging apps such as Signal, WhatsApp, and Telegram. And much more....

So the CIA is allowed to violate license agreements at will because its the CIA. Fun. :( What truly pisses me off is they can claim its for some bullshit "national security" reason....

--not needed anymore--

Yup! All rules r for us! & No rules for them!!
Hope they will not read this thread! :D

more links contain fake leaks!

I so hope we'll see some binaries once they got the zerodays fixed.

it would'nt be a leaks anymore,a lots of noise for nothing as usual,the recents leaks created articles but nothing usable.

It's giving the alphabet agencies enough time to cover their tracks and update their stuff.. These tools will be useless once they are released..

Yep, and considering the billions in government funding these agencies have...

You are aware that a journalist's scope of duties doesn't cover providing script kiddies with free 0day exploits?

Wouldn't like to see what would happen if skiddies got hold of this crap, although anti-virus / firewalls being insecure is nothing new... remember what happened with OptixPro years ago...

Inheresting article
Has by chance anyone anywhere proved what the guy says?
I'm not too much into kernel debugging, but if there was a solid old fashion kernel debugger, was it able to reveal and analyze the malicious blocks?
I remark that Intel Management Engine is being present on all intel Core powered devices...maybe another reason why not to upgrade to Windows 10.

Curious what these government hackers/coders annual base salary is/was.

I don't think that's true, knowing typical 4chan it's just mild trolling, I don't think anyone dumping this kind of info would go about so much detail about how they got to know said information, it's extremely identifying. And intel ME isn't what it's chalked up to be, you can even remove most of it without much effect. https://github.com/corna/me_cleaner it's a bit crude but it wipes most of ME (except the init parts) out.

Intel ME is in all processors intel makes and can interface with any OS you install since it's operating under it's own OS and can read the memory and the registers as well as has it's own network stack.

There was a great talk about exploiting intel ME a REcon https://recon.cx/2014/slides/Recon%202014%20Skochinsky.pdf .

In all fairness I should add that AMD processors also have similar capabilities through a thing called AMD Platform Security Processor, it's basically the same idea, it runs off of a tiny ARM chip and let's the CPU's core out of RESET state on boot, so you can't really get rid of it afaik.