-----BEGIN PGP SIGNED MESSAGE-----
__________________________________________________________
The U.S. Department of Energy
Computer Incident Advisory Capability
___ __ __ _ ___
/ | /_\ /
\___ __|__ / \ \___
__________________________________________________________
INFORMATION BULLETIN
Cisco IOS Syslog Denial-of-Service Vulnerability
January 12, 1999 18:00 GMT Number J-023
______________________________________________________________________________
PROBLEM: Cisco has identified a vulnerability in certain versions of
their IOS software when invalid user datagram protocol (UDP)
packets are sent to their "syslog" port (port) 514.
PLATFORM: Devices running Cisco IOS software versions 11.3AA, 11.3DB and
all 12.0.
DAMAGE: If exploited, an attacker may cause the system to crash or
hang.
SOLUTION: Apply software fixes or workarounds.
______________________________________________________________________________
VULNERABILITY Risk is high. Exploit details involving this vulnerability have
ASSESSMENT: been made publicly available.
______________________________________________________________________________
[ Start Cisco Advisory ]
Field Notice:
Cisco IOS Syslog Crash
==================================================================
Revision 1.1
For release 08:00 US/Pacific, Monday, January 11, 1999
For Cisco internal use only until release date
Summary
=======
Certain versions of Cisco IOS software may crash or hang when they receive
invalid user datagram protocol (UDP) packets sent to their "syslog" ports
(port 514). At least one commonly-used Internet scanning tool generates
packets which can cause such crashes and hangs. This fact has been announced
on public Internet mailing lists which are widely read both by security
professionals and by security "crackers", and should be considered public
information.
This vulnerability affects devices running Cisco IOS software version
11.3AA, version 11.3DB, or any 12.0-based version (including 12.0 mainline,
12.0S, 12.0T, and any other regular released version whose number starts
with "12.0"). The vulnerability has been corrected in certain special
releases, and will be corrected in maintenance and interim releases which
will be issued in the future; see the section on "Software Versions and
Fixes" for details on which versions are affected, and on which versions
are, or will be, fixed. Cisco intends to provide fixes for all affected IOS
variants.
There is a configuration workaround for this vulnerability.
Who is Affected
===============
All Cisco devices which are running classic Cisco IOS software with any of
the versions listed as affected under "Software Versions and Fixes" are
vulnerable to attack. This includes 11.3AA, 11.3DB, and all 12.0 versions,
up to the repaired releases listed in the table. No particular configuration
is needed to make a Cisco IOS device vulnerable.
It is possible to filter out the attack traffic using access lists; see
"Workarounds" in this document. However, except at Internet firewalls, the
appropriate filters are not common in customer configurations. You should
carefully evaluate your configuration before assuming that any filtering you
have already configured protects you against this attack.
Affected Devices
- - --------------
It is impossible to list all Cisco products in this notice; the lists below
include only the most commonly used or most asked-about products.
If you are unsure whether your device is running classic Cisco IOS software,
log into the device and issue the command "show version". Classic Cisco IOS
software will identify itself simply as "IOS" or "Internetwork Operating
System Software". Other Cisco devices either will not have the "show version"
command, or will give different output.
Cisco devices that run classic Cisco IOS software include:
* Cisco routers in the AGS/MGS/CGS/AGS+, IGS, RSM, 8xx, ubr9xx, 1xxx,
25xx, 26xx, 30xx, 36xx, 38xx, 40xx, 45xx, 47xx, AS52xx, AS53xx, AS58xx,
64xx, 70xx, 72xx (including the ubr72xx), 75xx, and 12xxx series.
* Most recent versions of the LS1010 ATM switch.
* Some versions of the Catalyst 2900XL LAN switch.
* The Cisco DistributedDirector.
The affected software versions are relatively new, and are not necessarily
available on every device listed above.
If you are not running classic Cisco IOS software, then you are not affected
by this vulnerability. Cisco devices which do not run classic Cisco IOS
software, and are not affected by this vulnerability, include the following:
* 7xx dialup routers (750, 760, and 770 series) are not affected.
* Catalyst 19xx, 28xx, 29xx, 3xxx, and 5xxx LAN switches are not
affected, except for some versions of the Catalyst 2900XL. However,
optional router modules running Cisco IOS software in switch
backplanes, such as the RSM module for the Catalyst 5000 and 5500, are
affected.
* WAN switching products in the IGX and BPX lines are not affected.
* The MGX (formerly known as the AXIS shelf) is not affected.
* No host-based software is affected.
* The Cisco PIX Firewall is not affected.
* The Cisco LocalDirector is not affected.
* The Cisco Cache Engine is not affected.
Impact
======
Attackers can cause Cisco IOS devices to crash and reload. Furthermore, an
attacker can repeat the process at will. By striking continuously, an
attacker might be able to completely disable a Cisco IOS device until that
device was reconfigured by its administrator.
Some Cisco IOS devices have been observed to hang instead of crashing when
attacked. These devices do not recover until manually restarted by reset or
power cycle. This means that it might be necessary for an administrator to
physically visit an attacked device in order to recover from the attack,
even if the attacker is no longer actively sending any traffic.
Some devices have crashed without providing stack traces; devices crashed
using this vulnerability may indicate that they were "restarted by
power-on", even when that is not actually the case.
Workarounds
===========
You can work around this vulnerability by preventing any affected Cisco IOS
device from receiving or processing UDP datagrams addressed to its port 514.
This can be done either using packet filtering on surrounding devices, or by
using input access list filtering on the affected IOS device itself.
If you use an input access list, that list should be applied to all
interfaces to which attackers may be able to send datagrams. This includes
not only physical LAN and WAN interfaces, but virtual subinterfaces of those
physical interfaces, as well as virtual interfaces and/or interface
templates corresponding to GRE, L2TP, L2F, and other tunnelling protocols.
The input access list must block traffic destined for UDP port 514 at any of
the Cisco IOS device's own IP addresses, as well as at any broadcast or
multicast addresses on which the Cisco IOS device may be listening. It's
important to remember to block old-style "all-zeroes" broadcasts as well as
new-style "all-ones" broadcasts. It is not necessary to block traffic being
forwarded to other hosts; only traffic actually addressed to the Cisco IOS
device is of interest.
There is no single input access list that will work in all configurations.
It is very important that you understand the effect of your access list in
your specific configuration before you activate the list.
The following example shows a possible access list for a three-interface
router, along with the configuration commands needed to apply that access
list. The example assumes that there is no need for input filtering other
than as a workaround for this vulnerability.
! Deny all multicasts, and all unspecified-net broadcasts, to port 514
access-list 101 deny udp any 224.0.0.0 31.255.255.255 eq 514
! Deny old-style unspecified-net broadcasts
access-list 101 deny udp any host 0.0.0.0 eq 514
! Deny network-specific broadcasts. This example assumes that all of
! the local interfaces are on the class B network 172.16.0.0, subnetted
! everywhere with mask 255.255.255.0. This will differ from network
! to network. Note that we block both new-style and old-style broadcasts.
access-list 101 deny udp any 172.16.0.255 0.0.255.0 eq 514
access-list 101 deny udp any 172.16.0.0 0.0.255.0 eq 514
! Deny packets sent to the addresses of our own network interfaces.
access-list 101 deny udp any host 172.16.1.1 eq 514
access-list 101 deny udp any host 172.16.2.1 eq 514
access-list 101 deny udp any host 172.16.3.3 eq 514
! Permit all other traffic (default would be to deny)
access-list 101 permit ip any any
! Apply the access list to the input side of each interface
interface ethernet 0
ip address 172.16.1.1 255.255.255.0
ip access-group 101 in
interface ethernet 2
ip address 172.16.2.1 255.255.255.0
ip access-group 101 in
interface ethernet 3
ip address 172.16.3.3 255.255.255.0
ip access-group 101 in
It can be complicated to list all possible addresses, and especially all
possible broadcast addresses, to which attack packets might be sent. If you
do not expect to need to forward any legitimate syslog traffic received on
an interface, you may wish to simply block all syslog traffic arriving on
that interface. Remember that this will affect traffic routed through the
Cisco IOS device as well as traffic destined to the device; if the IOS
device is expected to forward syslog packets, you will have to do the
detailed filtering.
Input access lists have an impact on system performance, and should be
installed with a degree of caution, especially on systems that are running
very near their capacity limits.
Software Versions and Fixes
===========================
This vulnerability has Cisco bug ID CSCdk77426.
Many Cisco software images have been or will be specially reissued to
correct this vulnerability. For example, regular released version 12.0(2) is
vulnerable, as are interim versions 12.0(2.1) through 12.0(2.3) The first
fixed interim version of 12.0 mainline software is 12.0(2.4). However, a
special release, 12.0(2a), contains only the fix for this vulnerability, and
does not include any of the other bug fixes from later 12.0 interim
releases.
If you were running 12.0(2), and wanted to upgrade to fix this problem,
without taking the risk of instability presented by installing the 12.0(2.4)
interim release, you could upgrade to 12.0(2a). 12.0(2a) represents a "code
branch" from the 12.0(2) base, which merges back into the 12.0 mainline at
12.0(2.4).
In every case, these special releases are one-time spot fixes, and will not
be maintained. The upgrade path from, say, 12.0(2a), is to 12.0(3).
See the following table for information about affected and repaired software
versions. All dates in the table are tentative and subject to change.
+----------+-------------+---------------+---------------+-----------------+
| | | Special | First fixed | |
| | | one-time spot | interim | First fixed |
| Cisco IOS| | fix release; | release** (fix| regular |
| Major | Description | most stable | will carry | maintenance |
| Release | | immediate | forward into |release (or other|
| | | upgrade path | all later |long term upgrade|
| | | (see above) | versions) | path) |
+----------+-------------+---------------+---------------+-----------------+
| Unaffected releases |
+----------+-------------+---------------+---------------+-----------------+
|11.2 and |Unaffected | | | |
|earlier, |early | | | |
|all |releases (no |Unaffected |Unaffected |Unaffected |
|variants |syslog | | | |
| |server) | | | |
+----------+-------------+---------------+---------------+-----------------+
|11.3, | | | | |
|11.3T, | | | | |
|11.3DA, |11.3 releases| | | |
|11.3MA, |without |Unaffected |Unaffected |Unaffected |
|11.3NA, |syslog | | | |
|11.3WA, |servers | | | |
|11.3(2)XA | | | | |
| | | | | |
+----------+-------------+---------------+---------------+-----------------+
| 11.3-based releases |
+----------+-------------+---------------+---------------+-----------------+
| |11.3 early | | | |
|11.3AA |deployment |11.3(7)AA2, |11.3(7.2)AA |11.3(8)AA, |
| |for AS58xx |8-JAN-1999* | |15-FEB-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |11.3 for | | | |
| |Cisco NRP | | | |
|11.3DB |routing blade| - | - |11.3(7)DB2, |
| |in Cisco 6400| | |18-JAN-1999* |
| |xDSL DSLAM | | | |
+----------+-------------+---------------+---------------+-----------------+
| 12.0-based releases |
+----------+-------------+---------------+---------------+-----------------+
|12.0 |12.0 mainline|12.0(2a), |12.0(2.4) |12.0(3), |
| | |8-JAN-1999* | |1-FEB-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |12.0 new | | | |
|12.0T |technology |12.0(2a)T1, |12.0(2.4)T |12.0(3)T, |
| |early |11-JAN-1999* | |15-FEB-1999* |
| |deployment | | | |
+----------+-------------+---------------+---------------+-----------------+
| |ISP support: | | | |
|12.0S |7200, RSP, | - |12.0(2.3)S |12.0(2)S***, |
| |GSR | |27-DEC-1998 |18-JAN-1999* |
+----------+-------------+---------------+---------------+-----------------+
| |12.0 for | | | |
| |Cisco 6400 | | | |
| |universal | | | |
|12.0DB |access | - | - |12.0(2)DB, |
| |concentrator | | |18-JAN-1999* |
| |node switch | | | |
| |processor | | | |
| |(lab use) | | | |
+----------+-------------+---------------+---------------+-----------------+
| | |12.0(1)W5(5a) | |12.0(1)W5(6) |
| |12.0 for |and | |(platform support|
|12.0(1)W |Catalyst 8500|12.0(1a)W5(5b) |12.0(1)W5(5.15)|for Catalyst |
| |and LS1010 |(LS1010 | |8540M will be in |
| | |platform only) | |12.0(1)W5(7)) |
+----------+-------------+---------------+---------------+-----------------+
| |One-time | | | |
| |early | | | |
| |deployment | | |Unaffected; |
| |for CH-OC12 |Unaffected; | |general upgrade |
|12.0(0.6) |in Catalyst |one-time |Unaffected |path is via |
|W5 |8500 series |release | |12.0(1)W5 |
| |switches | | |releases. |
| | | | | |
| | | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release; | | |Upgrade to |
|12.0(1)XA3|merged to |Obsolete |Merged |12.0(2a)T1and/or |
| |12.0T at | | |to 12.0(3)T |
| |12.0(2)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |Cisco 800 | | | |
|12.0(1)XB |series; |12.0(1)XB1 |Merged |Upgrade to |
| |merged to | | |12.0(3)T |
| |12.0T at | | | |
| |12.0(3)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |new features | | | |
| |in Cisco | | | |
| |2600, Cisco | | | |
|12.0(2)XC |3600, |12.0(2)XC1, |Merged |Upgrade to |
| |ubr7200, |7-JAN-1999* | |12.0(3)T |
| |ubr900 | | | |
| |series; | | | |
| |merged to | | | |
| |12.0T at | | | |
| |12.0(3)T | | | |
+----------+-------------+---------------+---------------+-----------------+
| |Short-life | | | |
| |release for | | | |
| |ISDN voice | | | |
|12.0(2)XD |features; |12.0(2)XD1, |Merged |Upgrade to |
| |merged to |18-JAN-1999* | |12.0(3)T |
| |12.0T at | | | |
| |12.0(3)T. | | | |
+----------+-------------+---------------+---------------+-----------------+
|12.0(1)XE |Short-life |12.0(2)XE, |Merged |Upgrade to |
| |release |18-JAN-1999* | |12.0(3)T |
+----------+-------------+---------------+---------------+-----------------+
* All projected dates are estimates, and are subject to change
** Interim releases are subjected to less rigorous testing than regular
maintenance releases, and may have serious bugs.
*** The vulnerability is fixed in 12.0(2)S. The 12.0(2.3)S interim release
is available to the field before the 12.0(2)S regular release because of
internal process considerations. This entry is not a misprint.
Getting Fixed Software
- - --------------------
Cisco is offering free software updates to correct this vulnerability for
all vulnerable customers, regardless of contract status. Note, however, that
because information about this vulnerability has been disseminated by third
parties, Cisco has been forced to release this notice before updates are
available for all software versions. The projected fix dates in the table
above are subject to change, but represent Cisco's best estimate of the
dates on which fixes will be available.
As with any software change, you should check to make sure that your
hardware can support the new software before installing it. The most common
problem is inadequate RAM. While this is seldom a problem when upgrading
within a major release (say, from 11.2(11)P to 11.2(17)P), it is often an
issue when upgrading between major releases (say, from 11.2P to 11.3T).
Because fixes will be made available for all affected releases, this
vulnerability will rarely, if ever, require an upgrade to a new major
release. Cisco recommends very careful planning for any upgrade between
major releases. When upgrading between major releases, you must be
especially careful to make certain that no known bugs will prevent the new
software from working properly in your environment.
Further upgrade planning assistance is available on Cisco's Worldwide Web
site at http://www.cisco.com.
Customers with service contracts should obtain new software through their
regular update channels (generally via Cisco's Worldwide Web site).
Customers with service contracts may upgrade to any software release, but
must, as always, remain within the boundaries of the feature sets they have
purchased..
Customers without service contracts may upgrade only to obtain the bug
fixes; they are not offered upgrades to versions newer than required to
resolve the defects. In general, customers without service contracts will be
restricted to upgrading within a single row of the table above, except when
no upgrade within the same row is available in a timely manner. Customers
without service contracts should get their updates by contacting the Cisco
TAC. TAC contacts are as follows:
* +1 800 553 2447 (toll-free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* tac@cisco.com
Give the URL of this notice as evidence of your entitlement to a free
update. Free updates for non-contract customers must be requested through
the TAC. Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software updates.
Exploitation and Public Announcements
=====================================
A third party announced this vulnerability on the "bugtraq@netspace.org"
electronic mailing list on December 22, 1998. The third party's announcement
included sufficient information to allow any computer-literate person with a
moderate interest in security to exploit the vulnerability. On that same
day, Cisco sent an informal acknowledgement and a description of the
workaround both to the "bugtraq" list and to some other Internet discussion
forums, as well as to all Cisco customers who had requested security updates
by subscribing to the "cust-security-announce@cisco.com" mailing list.
Cisco has seen the information from "bugtraq" reposted on several Worldwide
Web sites catering to those interested in computer security.
All of the Worldwide Web sites in question, and all of the discussion
forums, including the "bugtraq" mailing list, are open to the public, and
many of them are widely read by people interested in computer and network
security. Customers should assume that any potential attacker is likely to
know that this vulnerability exists, and furthermore is likely to know how
to exploit the vulnerability.
This vulnerability can be exploited using tools available to the public on
the Internet; an attacker would not need to write any software to exploit
the vulnerability. Minimal skill is required. No special equipment is
required.
Despite specifically inviting such reports, Cisco has received no actual
reports of malicious exploitation of this vulnerability.
Status of This Notice
=====================
This is a final field notice. Although Cisco cannot guarantee the accuracy
of all statements in this notice, all the facts have been checked to the
best of our ability. Cisco does not anticipate issuing updated versions of
this notice unless there is some material change in the facts. Should there
be a significant change in the facts, Cisco may update this notice.
Distribution
- - ----------
This notice will be posted on Cisco's Worldwide Web site at
http://www.cisco.com/warp/public/770/iossyslog-pub.shtml . In addition to
Worldwide Web posting, the initial version of this notice is being sent to
the following e-mail and Usenet news recipients:
* cust-security-announce@cisco.com
* bugtraq@netspace.org
* first-teams@first.org (includes CERT/CC)
* first-info@first.org
* cisco@spot.colorado.edu
* comp.dcom.sys.cisco
* nanog@merit.edu
* Various internal Cisco mailing lists
Future updates of this notice, if any, will be placed on Cisco's Worldwide
Web server, but may or may not be actively announced on mailing lists or
newsgroups. Users concerned about this problem are encouraged to check the
URL given above for any updates.
Revision History
- - ----------------
Revision 1.0, First release candidate version.
22:00 US/Pacific,
9-JAN-1999
Revision 1.1, Correct upgrade path for 12.0XE
09:45 US/Pacific,
10-JAN-1999
Cisco Security Procedures
=========================
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering to
receive security information from Cisco, is available on Cisco's Worlwide
Web site at http://www.cisco.com/warp/public/791/sec_incident_response.shtml.
This includes instructions for press inquiries regarding Cisco security
notices.
==================================================================
This notice is copyright 1999 by Cisco Systems, Inc. This notice may be
redistributed freely after the release date given at the top of the text,
provided that redistributed copies are complete and unmodified, including
this copyright notice and all date and version information.
==================================================================
[ End Cisco Advisory ]
______________________________________________________________________________
CIAC wishes to acknowledge the contributions of Cisco Systems, Inc. for the
information contained in this bulletin.
______________________________________________________________________________
CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.
CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
Voice: +1 925-422-8193
FAX: +1 925-423-8002
STU-III: +1 925-423-2604
E-mail: ciac@llnl.gov
For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), call the CIAC voice number 925-422-8193 and leave a message,
or call 800-759-7243 (800-SKY-PAGE) to send a Sky Page. CIAC has two
Sky Page PIN numbers, the primary PIN number, 8550070, is for the CIAC
duty person, and the secondary PIN number, 8550074 is for the CIAC
Project Leader.
Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.
World Wide Web: http://www.ciac.org/
(or http://ciac.llnl.gov -- they're the same machine)
Anonymous FTP: ftp.ciac.org
(or ciac.llnl.gov -- they're the same machine)
Modem access: +1 (925) 423-4753 (28.8K baud)
+1 (925) 423-3331 (28.8K baud)
CIAC has several self-subscribing mailing lists for electronic
publications:
1. CIAC-BULLETIN for Advisories, highest priority - time critical
information and Bulletins, important computer security information;
2. SPI-ANNOUNCE for official news about Security Profile Inspector
(SPI) software updates, new features, distribution and
availability;
3. SPI-NOTES, for discussion of problems and solutions regarding the
use of SPI products.
Our mailing lists are managed by a public domain software package
called Majordomo, which ignores E-mail header subject lines. To
subscribe (add yourself) to one of our mailing lists, send the
following request as the E-mail message body, substituting
ciac-bulletin, spi-announce OR spi-notes for list-name:
E-mail to ciac-listproc@llnl.gov or majordomo@rumpole.llnl.gov:
subscribe list-name
e.g., subscribe ciac-bulletin
You will receive an acknowledgment email immediately with a confirmation
that you will need to mail back to the addresses above, as per the
instructions in the email. This is a partial protection to make sure
you are really the one who asked to be signed up for the list in question.
If you include the word 'help' in the body of an email to the above address,
it will also send back an information file on how to subscribe/unsubscribe,
get past issues of CIAC bulletins via email, etc.
PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.
This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)
J-013: SGI IRIX autofsd Vulnerability
J-014: IBM AIX automountd Vulnerability
J-015: HP SharedX Denial-of-Service Vulnerability
J-016: Cisco IOS DFS Access List Leakage Vulnerabilities
J-017: HP-UX vacation Security Vulnerability
J-018: HTML Viruses
J-019: Intelligent Peripherals Create Security Risk
J-020: SGI IRIX fcagent daemon Vulnerability
J-021: Sun Solaris Vulnerabilities ( dtmail, passwd )
J-022: HP-UX Vulnerabilities ( snmp, sendmail, remote network command )
-----BEGIN PGP SIGNATURE-----
Version: 4.0 Business Edition
iQCVAwUBNpu9B7nzJzdsy3QZAQGMmAQArFYuTXoYulaBa4MlDEDs4XZvw3eG0TNq
F2T8vY9XztsjzkyBM7ReMSuBuWPLU91HQptV2y/KCmivjw4nYGFM5agqTgFBKl+v
wA0Emq0c8d+rDZXW6bRfxmpC2eiT6we75hDmOJ3FjB78ku6XK8wfZT5H7StKLffT
ggrHmXOpb2Y=
=VIRe
-----END PGP SIGNATURE-----
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH
