[21463] in bugtraq
Re: Check Point response to RDP Bypass
daemon@ATHENA.MIT.EDU (Jochen Bauer)
Wed Jul 11 19:34:24 2001
Date: Wed, 11 Jul 2001 20:45:11 +0200
From: Jochen Bauer <jtb@inside-security.de>
To: bugtraq@securityfocus.com
Message-ID: <20010711204511.A8375@bender.inside-security.de>
Mail-Followup-To: bugtraq@securityfocus.com
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="EVF5PPMfhYS0aIcm"
Content-Disposition: inline
In-Reply-To: <F108146KXzQt1aP5N1l0000fc89@hotmail.com>; from jlindq@hotmail.com on Wed, Jul 11, 2001 at 11:41:23AM +0200
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
On Wed, Jul 11, 2001 at 11:41:23AM +0200, Johan Lindqvist wrote:
> The original advisory
> (http://www.inside-security.de/advisories/fw1_rdp.html) says that a
> workaround is to "Deactivate implied rules in the Check Point policy editor
> (and build your own rules for management connections).". I've not been able
> to find any changes in the INSPECT code generated to confirm that not using
> the implied rules from "Policy/properties/Security policy/Implied
> rules/Accept VPN-1 & FireWall-1 Control Connection"
Hmm.. strange. I cannot reproduce this. Here's the test I carried out:
I set up a policy with all implied rules, the policy file w_control.W
is attached to this mail. From this policy the INSPECT file w_control.pf
was generated (also attached). The relevant part of this file is:
[...]
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections; <-----
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
[...]
accept_fw1_connections is defined in $FWDIR/lib/base.def:
#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2 accept_fw1_connections3
and the macro "accept_fw1_connections3" includes "accept_fw1_rdp" which is
the flawed macro.
#define accept_fw1_connections3
[...]
accept_fw1_rdp;
So, the RDP vulnerability finally comes into the INSPECT
file "w_control.pf" with the macro "accept_fw1_connections".
However, if I go to the policy editor and uncheck policy->properties->
Security Policy->Implied Rules->VPN-1 & FireWall-1 Control Connections and
re-compile the policy (wo_control.W, see attachment), I get an INSPECT file
(wo_control.pf, see attachment) that does not make use of
"accept_fw1_connections" and does therefore not lead to this vulnerability.
I've also tested this with our proof of concept code. (BTW: I'm going to
post this code tomorrow on BUGTRAQ)
Can you post the policy and INSPECT files you generated?
Jochen
--
Jochen Bauer | Tel: +49711 6868 7030
Inside Security IT Consulting GmbH | Fax: +49711 6868 7031
Nobelstr. 15 | email: jtb@inside-security.de
70569 Stuttgart, Germany | http://www.inside-security.de
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="w_control.W"
("##w_control"
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: echo-reply
: echo-request
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: SSH
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: Any
)
:action (
: (drop
:type (drop)
:color (Firebrick)
:icon-name (icon-drop)
:text-rid (61465)
:windows-color (green)
)
)
:track (
: Long
)
:install (
: testfw
)
:time (
: Any
)
)
:filename (w_control.W)
)
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="w_control.pf"
// INSPECT Security Policy Script Generated by admin@blackmore at 20Jun2001 20:00:22
// from Rulebase w_control.W by FireWall-1 Version 4.1 Code Generation
// Running under SunOS 5.7
// Number of Authentication and Encryption rules
#define NAUTHENTICATION 0
#define NENCRYPTION 0
#define NLOGIC 0
#define NLOGICFOLD 0
#define NACCOUNT 0
/////////////////////////////
// Exported Rules Database //
/////////////////////////////
export {
(
:auth ()
:crypt ()
:logic ()
:logicfold ()
:proxy ()
:rules (
: (rule-1
:src (
: Any
)
:dst (
: Any
)
:services (
: echo-reply
: echo-request
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
: (rule-2
:src (
: Any
)
:dst (
: Any
)
:services (
: SSH
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
: (rule-3
:src (
: Any
)
:dst (
: Any
)
:services (
: Any
)
:action (
: (drop
:type (drop)
:color (Firebrick)
:icon-name (icon-drop)
:text-rid (61465)
:windows-color (green)
)
)
:track (
: Long
)
:install (
: testfw
)
:time (
: Any
)
)
)
:rules-adtr ()
:party ()
:conf_params (
: (tcptimeout
:val (3600)
:type (int)
)
: (tcpendtimeout
:val ()
:type (int)
)
: (udptimeout
:val (40)
:type (int)
)
: (udpreply
:val (true)
:type (str)
)
: (addresstrans
:val (false)
:type (str)
)
: (nat_limit
:val (25000)
:type (int)
)
: (nat_hashsize
:val (16384)
:type (int)
)
: (stack_size
:val ()
:type (int)
)
: (skipmaxtime
:val (120)
:type (int)
)
: (skipmaxbytes
:val (10485760)
:type (int)
)
: (icmpcryptver
:val (1)
:type (int)
)
: (fwsynatk_method
:val (0)
:type (int)
)
: (fwsynatk_timeout
:val (10)
:type (int)
)
: (fwsynatk_max
:val (5000)
:type (int)
)
: (fwsynatk_ifnum
:val (-1)
:type (int)
)
: (fwsynatk_warning
:val (1)
:type (int)
)
: (disable_ipsec
:val (false)
:type (str)
)
: (anti_spoofing_active
:val (true)
:type (str)
)
: (tcp_fastmode_active
:val (false)
:type (str)
)
: (logical_servers_active
:val (false)
:type (str)
)
: (tcpestb_grace_period
:val ()
:type (int)
)
: (fwfrag_limit
:val ()
:type (int)
)
: (fwfrag_timeout
:val ()
:type (int)
)
: (fwfrag_minsize
:val ()
:type (int)
)
: (tcp_reject
:val ()
:type (str)
)
: (udp_reject
:val ()
:type (str)
)
: (fwz_encap_mtu
:val (1)
:type (int)
)
: (ip_pool_dst_static_timeout
:val ()
:type (int)
)
)
)
}.set;
// List of services which have prologue
prolog_services = { <99999,99999>, <21,21>, <111,111> };
// List of known TCP services
tcp_services = { <7, 7>, <9, 9>, <13, 13>, <15, 15>, <21, 23>, <25, 25>, <37, 37>, <49, 49>, <53, 53>, <70, 70>, <79, 80>, <109, 110>, <113, 113>, <119, 119>, <123, 123>, <139, 139>, <143, 143>, <210, 210>, <256, 259>, <261, 261>, <264, 265>, <389, 389>, <443, 443>, <453, 453>, <455, 455>, <512, 514>, <540, 540>, <636, 636>, <709, 710>, <750, 750>, <900, 900>, <1235, 1235>, <1352, 1352>, <1503, 1503>, <1521, 1521>, <1723, 1723>, <2000, 2000>, <2049, 2049>, <2299, 2299>, <2626, 2626>, <2998, 2998>, <5190, 5190>, <5510, 5510>, <5631, 5631>, <6000, 6063>, <6499, 6499>, <6660, 6670>, <7000, 7000>, <16384, 16384>, <18181, 18184>, <18187, 18187> };
// List of TCP Fast Mode services
tcp_fastmode_services = { <0, 0> };
// List of known UDP services
udp_services = { <7, 7>, <9, 9>, <13, 13>, <37, 37>, <42, 42>, <49, 49>, <53, 53>, <67, 67>, <69, 69>, <123, 123>, <137, 138>, <161, 162>, <259, 260>, <500, 500>, <512, 514>, <520, 520>, <750, 750>, <1525, 1525>, <1558, 1558>, <1622, 1622>, <1645, 1645>, <1812, 1812>, <2049, 2049>, <5500, 5500>, <5632, 5632>, <7648, 7652>, <22555, 22555> };
///////////////////////////
// Beginning of Prologue //
///////////////////////////
// Define Log Preferences
#define LOG_TIMEOUT 62
// Define Session Timeouts
#define TCP_TIMEOUT 3600
#define UDP_TIMEOUT 40
#define AU_PORT_TIMEOUT 15
#define PMAP_CONNECT_TIMEOUT 30
// Log macro for IP Options
#define IPOPTNS_LOG 1
// Log macro for Established TCP Packets
#define LOG_ESTABLISHED_TCP
// Define flag for enabling decryption on accept
#define ACCEPT_DECRYPT_ENABLE 0
#define NO_ENCRYPTION_FEATURES 1
// Address Translation definitions
#define FWXT_EOX 0x0
#define FWXT_TCP_DPORT_STATIC 0xb02
#define FWXT_UDP_DPORT_STATIC 0x1b02
// Include Common Definition File
#include "fwui_head.def"
SRV_icmp(echo-reply, icmp_type=ICMP_ECHOREPLY)
SRV_icmp(echo-request, icmp_type=ICMP_ECHO)
SRV_tcp(ssh, 22)
/////////////////////
// End of Prologue //
/////////////////////
///////////////////////////////////////
// Beginning of Security Policy Code //
///////////////////////////////////////
// List of FireWalled Gateways, Hosts and Embedded systems
firewalled_list = { <192.168.1.200, 192.168.1.200>, <192.168.2.1, 192.168.2.1>, <192.168.3.1, 192.168.3.1> };
// List of Check Point Management Stations
management_list = { <192.168.1.200, 192.168.1.200>, <192.168.2.1, 192.168.2.1>, <192.168.3.1, 192.168.3.1> };
// List of Floodgated Gateways
floodgated_list = { <0.0.0.0, 0.0.0.0> };
// List of GUI clients
gui_clients_list = { <127.0.0.1, 127.0.0.1>, <192.168.2.2, 192.168.2.2> };
// List of RADIUS Servers
radius_servers_list = { 0 };
// List of TACACS Servers
tacacs_servers_list = { 0 };
// List of LDAP Servers
ldap_servers_list = { 0 };
// List of cvp Servers
cvp_servers_list = { 0 };
// List of ufp Servers
ufp_servers_list = { 0 };
// List of Servers, operated by Logical Servers
servers_list = { 0 };
//time lists
MAKE_ALERT(alert_tab, <"![alert]">)
MAKE_ALERT(snmptrap_tab, <"![snmptrap]">)
MAKE_ALERT(mail_tab, <"![mail]">)
MAKE_ALERT(useralert_tab, <"![useralert]">)
MAKE_ALERT(spoofalert_tab, <"![spoofalert]">)
MAKE_ALERT(userauthalert_tab, <"![userauthalert]">)
ADDR_net(testfw-net-if0, 192.168.1.0, 255.255.255.0)
ADDR_net(testfw-net-if1, 192.168.2.0, 255.255.255.0)
ADDR_net(testfw-net-if2, 192.168.3.0, 255.255.255.0)
ADDR_gateway(testfw, 192.168.2.1)
set r_xlate_pool 0;
ip_list1 = { <192.168.2.0, 192.168.3.255> };
ip_list2 = { <192.168.2.0, 192.168.2.255> };
ip_list3 = { <192.168.3.0, 192.168.3.255> };
// Interface access groups
inbound hme0@testfw
drop (ip_src in ip_list1),
LOG(long, LOG_NOALERT, 0);
outbound hme0@testfw
reject (ip_dst in ip_list1),
LOG(long, LOG_NOALERT, 0);
inbound hme1@testfw
drop (ip_src not in ip_list2),
LOG(long, LOG_NOALERT, 0);
outbound hme1@testfw
reject (ip_dst not in ip_list2),
LOG(long, LOG_NOALERT, 0);
inbound hme2@testfw
drop (ip_src not in ip_list3),
LOG(long, LOG_NOALERT, 0);
outbound hme2@testfw
reject (ip_dst not in ip_list3),
LOG(long, LOG_NOALERT, 0);
// User defined init code and global init code
#include "user.def"
#include "init.def"
// Code for First-Bounded Properties
ftpdata_code;
ftp_record_pasv;
rpc_code;
accept_fw1_connections_first;
#define REVERSE_UDP 1
#include "code.def"
accept_fw1_connections;
accept_proxied_conns;
enable_radius_queries;
enable_tacacs_queries;
enable_ldap_queries;
#define load_agent_port 0
#if NLOGIC > 0
enable_load_agent_queries;
#endif
// Service other pre-match code
ftp_accept_pasv;
accept_prematch_crypt;
// Rule-Base And Before-Last Properties Code
start_rule_base_code;
eitherbound all@testfw
accept start_rule_code(1),
(icmp, echo-reply or echo-request),
RECORD_CONN(1);
eitherbound all@testfw
accept start_rule_code(2),
(tcp, ssh),
RECORD_CONN(2);
accept_outgoing;
eitherbound all@testfw
drop start_rule_code(3),
LOG(long, LOG_NOALERT, 3);
// Code for Last-Bounded Properties
/////////////////////////////////
// End of Security Policy Code //
/////////////////////////////////
#include "fwui_trail.def"
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="wo_control.W"
(
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: echo-reply
: echo-request
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: SSH
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
:rule (
:src (
: Any
)
:dst (
: Any
)
:services (
: Any
)
:action (
: (drop
:type (drop)
:color (Firebrick)
:icon-name (icon-drop)
:text-rid (61465)
:windows-color (green)
)
)
:track (
: Long
)
:install (
: testfw
)
:time (
: Any
)
)
:rulename (wo_control)
:filename (wo_control.W)
)
--EVF5PPMfhYS0aIcm
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="wo_control.pf"
// INSPECT Security Policy Script Generated by admin@blackmore at 20Jun2001 20:00:57
// from Rulebase wo_control.W by FireWall-1 Version 4.1 Code Generation
// Running under SunOS 5.7
// Number of Authentication and Encryption rules
#define NAUTHENTICATION 0
#define NENCRYPTION 0
#define NLOGIC 0
#define NLOGICFOLD 0
#define NACCOUNT 0
/////////////////////////////
// Exported Rules Database //
/////////////////////////////
export {
(
:auth ()
:crypt ()
:logic ()
:logicfold ()
:proxy ()
:rules (
: (rule-1
:src (
: Any
)
:dst (
: Any
)
:services (
: echo-reply
: echo-request
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
: (rule-2
:src (
: Any
)
:dst (
: Any
)
:services (
: SSH
)
:action (
: (accept
:type (accept)
:color ("Dark green")
:macro (RECORD_CONN)
:icon-name (icon-accept)
:text-rid (61463)
:windows-color (green)
)
)
:track ()
:install (
: testfw
)
:time (
: Any
)
)
: (rule-3
:src (
: Any
)
:dst (
: Any
)
:services (
: Any
)
:action (
: (drop
:type (drop)
:color (Firebrick)
:icon-name (icon-drop)
:text-rid (61465)
:windows-color (green)
)
)
:track (
: Long
)
:install (
: testfw
)
:time (
: Any
)
)
)
:rules-adtr ()
:party ()
:conf_params (
: (tcptimeout
:val (3600)
:type (int)
)
: (tcpendtimeout
:val ()
:type (int)
)
: (udptimeout
:val (40)
:type (int)
)
: (udpreply
:val (true)
:type (str)
)
: (addresstrans
:val (false)
:type (str)
)
: (nat_limit
:val (25000)
:type (int)
)
: (nat_hashsize
:val (16384)
:type (int)
)
: (stack_size
:val ()
:type (int)
)
: (skipmaxtime
:val (120)
:type (int)
)
: (skipmaxbytes
:val (10485760)
:type (int)
)
: (icmpcryptver
:val (1)
:type (int)
)
: (fwsynatk_method
:val (0)
:type (int)
)
: (fwsynatk_timeout
:val (10)
:type (int)
)
: (fwsynatk_max
:val (5000)
:type (int)
)
: (fwsynatk_ifnum
:val (-1)
:type (int)
)
: (fwsynatk_warning
:val (1)
:type (int)
)
: (disable_ipsec
:val (false)
:type (str)
)
: (anti_spoofing_active
:val (true)
:type (str)
)
: (tcp_fastmode_active
:val (false)
:type (str)
)
: (logical_servers_active
:val (false)
:type (str)
)
: (tcpestb_grace_period
:val ()
:type (int)
)
: (fwfrag_limit
:val ()
:type (int)
)
: (fwfrag_timeout
:val ()
:type (int)
)
: (fwfrag_minsize
:val ()
:type (int)
)
: (tcp_reject
:val ()
:type (str)
)
: (udp_reject
:val ()
:type (str)
)
: (fwz_encap_mtu
:val (1)
:type (int)
)
: (ip_pool_dst_static_timeout
:val ()
:type (int)
)
)
)
}.set;
// List of services which have prologue
prolog_services = { <99999,99999>, <21,21>, <111,111> };
// List of known TCP services
tcp_services = { <7, 7>, <9, 9>, <13, 13>, <15, 15>, <21, 23>, <25, 25>, <37, 37>, <49, 49>, <53, 53>, <70, 70>, <79, 80>, <109, 110>, <113, 113>, <119, 119>, <123, 123>, <139, 139>, <143, 143>, <210, 210>, <256, 259>, <261, 261>, <264, 265>, <389, 389>, <443, 443>, <453, 453>, <455, 455>, <512, 514>, <540, 540>, <636, 636>, <709, 710>, <750, 750>, <900, 900>, <1235, 1235>, <1352, 1352>, <1503, 1503>, <1521, 1521>, <1723, 1723>, <2000, 2000>, <2049, 2049>, <2299, 2299>, <2626, 2626>, <2998, 2998>, <5190, 5190>, <5510, 5510>, <5631, 5631>, <6000, 6063>, <6499, 6499>, <6660, 6670>, <7000, 7000>, <16384, 16384>, <18181, 18184>, <18187, 18187> };
// List of TCP Fast Mode services
tcp_fastmode_services = { <0, 0> };
// List of known UDP services
udp_services = { <7, 7>, <9, 9>, <13, 13>, <37, 37>, <42, 42>, <49, 49>, <53, 53>, <67, 67>, <69, 69>, <123, 123>, <137, 138>, <161, 162>, <259, 260>, <500, 500>, <512, 514>, <520, 520>, <750, 750>, <1525, 1525>, <1558, 1558>, <1622, 1622>, <1645, 1645>, <1812, 1812>, <2049, 2049>, <5500, 5500>, <5632, 5632>, <7648, 7652>, <22555, 22555> };
///////////////////////////
// Beginning of Prologue //
///////////////////////////
// Define Log Preferences
#define LOG_TIMEOUT 62
// Define Session Timeouts
#define TCP_TIMEOUT 3600
#define UDP_TIMEOUT 40
#define AU_PORT_TIMEOUT 15
#define PMAP_CONNECT_TIMEOUT 30
// Log macro for IP Options
#define IPOPTNS_LOG 1
// Log macro for Established TCP Packets
#define LOG_ESTABLISHED_TCP
// Define flag for enabling decryption on accept
#define ACCEPT_DECRYPT_ENABLE 0
#define NO_ENCRYPTION_FEATURES 1
// Address Translation definitions
#define FWXT_EOX 0x0
#define FWXT_TCP_DPORT_STATIC 0xb02
#define FWXT_UDP_DPORT_STATIC 0x1b02
// Include Common Definition File
#include "fwui_head.def"
SRV_icmp(echo-reply, icmp_type=ICMP_ECHOREPLY)
SRV_icmp(echo-request, icmp_type=ICMP_ECHO)
SRV_tcp(ssh, 22)
/////////////////////
// End of Prologue //
/////////////////////
///////////////////////////////////////
// Beginning of Security Policy Code //
///////////////////////////////////////
// List of Servers, operated by Logical Servers
servers_list = { 0 };
//time lists
MAKE_ALERT(alert_tab, <"![alert]">)
MAKE_ALERT(snmptrap_tab, <"![snmptrap]">)
MAKE_ALERT(mail_tab, <"![mail]">)
MAKE_ALERT(useralert_tab, <"![useralert]">)
MAKE_ALERT(spoofalert_tab, <"![spoofalert]">)
MAKE_ALERT(userauthalert_tab, <"![userauthalert]">)
ADDR_net(testfw-net-if0, 192.168.1.0, 255.255.255.0)
ADDR_net(testfw-net-if1, 192.168.2.0, 255.255.255.0)
ADDR_net(testfw-net-if2, 192.168.3.0, 255.255.255.0)
ADDR_gateway(testfw, 192.168.2.1)
set r_xlate_pool 0;
ip_list1 = { <192.168.2.0, 192.168.3.255> };
ip_list2 = { <192.168.2.0, 192.168.2.255> };
ip_list3 = { <192.168.3.0, 192.168.3.255> };
// Interface access groups
inbound hme0@testfw
drop (ip_src in ip_list1),
LOG(long, LOG_NOALERT, 0);
outbound hme0@testfw
reject (ip_dst in ip_list1),
LOG(long, LOG_NOALERT, 0);
inbound hme1@testfw
drop (ip_src not in ip_list2),
LOG(long, LOG_NOALERT, 0);
outbound hme1@testfw
reject (ip_dst not in ip_list2),
LOG(long, LOG_NOALERT, 0);
inbound hme2@testfw
drop (ip_src not in ip_list3),
LOG(long, LOG_NOALERT, 0);
outbound hme2@testfw
reject (ip_dst not in ip_list3),
LOG(long, LOG_NOALERT, 0);
// User defined init code and global init code
#include "user.def"
#include "init.def"
// Code for First-Bounded Properties
ftpdata_code;
ftp_record_pasv;
rpc_code;
#define REVERSE_UDP 1
#include "code.def"
accept_proxied_conns;
#define load_agent_port 0
// Service other pre-match code
ftp_accept_pasv;
accept_prematch_crypt;
// Rule-Base And Before-Last Properties Code
start_rule_base_code;
eitherbound all@testfw
accept start_rule_code(1),
(icmp, echo-reply or echo-request),
RECORD_CONN(1);
eitherbound all@testfw
accept start_rule_code(2),
(tcp, ssh),
RECORD_CONN(2);
accept_outgoing;
eitherbound all@testfw
drop start_rule_code(3),
LOG(long, LOG_NOALERT, 3);
// Code for Last-Bounded Properties
/////////////////////////////////
// End of Security Policy Code //
/////////////////////////////////
#include "fwui_trail.def"
--EVF5PPMfhYS0aIcm--
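
Added example, not part of the original mail or its attachments: a Python check that resolves the macro chain described in the mail (accept_fw1_connections -> accept_fw1_connections3 -> accept_fw1_rdp) and reports which statements of a generated .pf file pull in the flawed macro. The base.def text and both .pf excerpts are constructed, simplified samples based on the snippets quoted in the mail, and all function names are hypothetical.

```python
import re

# Constructed, simplified stand-in for $FWDIR/lib/base.def: only the macro
# chain quoted in the mail; the elided "[...]" bodies are not reproduced.
BASE_DEF = r"""
#define accept_fw1_connections accept_fw1_connections1 accept_fw1_connections2 \
        accept_fw1_connections3
#define accept_fw1_connections3 \
        accept_fw1_rdp;
"""

# Constructed excerpts modelled on the attached w_control.pf / wo_control.pf.
W_CONTROL_PF = """accept_fw1_connections_first;
#include "code.def"
accept_fw1_connections;
accept_proxied_conns;
"""
WO_CONTROL_PF = """#include "code.def"
accept_proxied_conns;
"""

IDENT = re.compile(r"[A-Za-z_][A-Za-z0-9_]*")
FLAWED = "accept_fw1_rdp"  # macro the mail names as flawed

def parse_defines(text):
    """Map each #define name to the identifiers that appear in its body."""
    joined = re.sub(r"\\\s*\n", " ", text)  # fold backslash continuations
    macros = {}
    for line in joined.splitlines():
        m = re.match(r"\s*#define\s+([A-Za-z_]\w*)\b(.*)", line)
        if m:
            macros[m.group(1)] = IDENT.findall(m.group(2))
    return macros

def expansion_path(name, macros, target=FLAWED, seen=None):
    """Return the macro chain from name to target, or None if unreachable."""
    seen = set() if seen is None else seen
    if name == target:
        return [name]
    if name in seen:  # guard against self-referencing definitions
        return None
    seen.add(name)
    for child in macros.get(name, []):
        path = expansion_path(child, macros, target, seen)
        if path:
            return [name] + path
    return None

def audit_pf(pf_text, macros):
    """List (line number, chain) for policy statements that reach the target."""
    findings = []
    for no, line in enumerate(pf_text.splitlines(), 1):
        code = line.split("//", 1)[0].strip()  # drop INSPECT // comments
        if code and not code.startswith("#"):  # skip preprocessor lines
            for ident in IDENT.findall(code):
                path = expansion_path(ident, macros)
                if path:
                    findings.append((no, path))
    return findings
```

Run against a real installation, parse_defines would be fed the contents of the .def files the policy includes; an empty result from audit_pf corresponds to the wo_control.pf case above.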