[26052] in bugtraq
UT DDoS risk
daemon@ATHENA.MIT.EDU (bugtest@sitoverde.com)
Wed Jul 3 15:54:23 2002
Message-ID: <20020703191031.10415.qmail@securityfocus.com>
From: bugtest@sitoverde.com
To: bugtraq@securityfocus.com
MIME-Version: 1.0
Date: Sat, 01 Jan 2000 10:43:30 +0100
Content-Type: multipart/mixed;
boundary="----=_NextPart_000_00BF_01BF610E.1038FD70"
------=_NextPart_000_00BF_01BF610E.1038FD70
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
########################################################################
Application: Unreal Tournament (Win version, Linux and Mac not tested)
Version: all versions (436 vulnerable too)
Bug: UT servers send a great number of packets to every host
that sends only 1 packet to them, for 2 min and 30 sec
Risk: UT servers used as flooders, DDoS risk
Author: Auriemma Luigi (e-mail: bugtest at sitoverde.com)
########################################################################
Sections:
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy
###
1) Introduction
First, I want to say that this bug was reported to Epic
(utbugs436@epicgames.com) over a month and a half ago (and I
resent a request for information about the bug some weeks ago), but
the only answer that I have received from them has been the auto-reply
of the server!
Then some days ago I contacted the support of Lokigames, who
worked on the Linux port of the game (support@lokigames.com), but got
no answer (the bug-tracker fenris.lokigames.com is unreachable).
I think that they are no longer interested in UT because Unreal
Tournament 2003 will be ready in some weeks (July if all goes well).
However, I have explained my choice to post this advisory even though
no patches are ready at the moment in the Philosophy section.
- Important:
Some days ago I found, with some difficulty, a discussion started
by Jeff Calvert in the "Vuln-Dev" section of SecurityFocus's
Bugtraq a long time ago (May 28 2000), that shows the problem of doing
a DoS with the UT servers, but this discussion died after
some mails.
I think it is INCREDIBLE that so important and dangerous a problem
(for me a DDoS attack so simple to do is a real risk...) that has been
known since the year 2000 still exists.
However, it exists and this advisory wants to explain it.
---
2) Bug
UDP is a connectionless protocol so it is "normal" that it is
insecure, but UT doesn't do any checking of the packets that it
receives!
However, the bug is really simple and really dangerous; the following
is a simple example.
First, the list of the UT default ports found on the home page of the
game, http://unreal.epicgames.com:
* UDP 7775 and 7776 are used only for LAN games. You don't need
to route them through a firewall.
* UDP 7777 is for gameplay (...the dangerous port...).
* UDP 7778 is for server querying.
* UDP 7779+ are allocated dynamically for each helper UdpLink
objects, including UdpServerUplink objects.
* UDP 27900 is for server querying, if you enable the master server
uplink. Some master servers use other ports, like 27500.
Now the example, we have 3 hosts:
A - the attacker
B - the UT server
C - the victim
- The host A sends 1 empty UDP packet with the source IP of the host C
to the port 7777 (UT default port) of the host B.
- The host B begins to send about 10 packets/second of 46 bytes each
to the host C and will stop sending after 2 minutes and 30
seconds (default UT timeout).
- The host C will receive all these packets and will reply with an
ICMP port unreachable message that will be ignored by the host B.
- The host A after 2 mins and 30 secs can restart the attack.
So with this bug an attacker can flood (anonymously) other hosts.
Every packet that the UT server sends has a size of 46 bytes (and
the packets that we send to it are 28 bytes), so IN THEORY if I
send 156 packets to a UT server with the sender address of a user
that has a 56K modem and a sender port that is different for each
packet (a good choice is to use incremental or random ports), the
latter will be flooded with 7200 bytes for 2 minutes and 30 seconds.
The number of packets sent by the server seems to be the same even if
I change the "Network speed" option in the net settings of UT.
Naturally this attack has 2 effects.
The first is the DoS against the victim and then the DoS against the
UT server itself, which must send a great quantity of packets, so it
uses a lot of network bandwidth and CPU.
I think that this attack is a bit similar to the smurf attack, but
Unreal Tournament is really a great game with a lot of players and
servers all over the world, so there is no problem finding servers to
use for the attack (for the smurf attack you need misconfigured routers
that are more difficult to find, but with UT you can find servers
without any problem).
For this reason I think that this bug is really dangerous and can be
used for DDoS.
Then I hope that the same error will not be present in UT 2003, but I
also hope that this problem will be fixed soon.
All the tests were made on my LAN on the Win version of
UnrealTournament (v436). (Linux and Mac have not been tested, but they
surely use the same protocol).
Naturally I have also done some tests on the Internet and the results
are the same.
---
3) The Code
I have attached the proof-of-concept of the attack; it is called
utflood.c and it must be compiled on Linux.
With small modifications it can be ported to Win (for example using
Winject at http://big.badlink.net).
The other files are a simple program to see info about the server
(hlinfol.c for Linux and hlinfow.* for Win), only for fun.
You can also find a copy of this advisory and an Italian version of it.
---
4) Fix
No official fix (sorry).
The only fix that I have found and that is really useful is to set a
different port in the unrealtournament.ini file at the option
"Port=" and replace 7777 with another port.
But not only this!!!
From the console we must enter the "preferences" command and do the
following to disable the MasterServers support:
- Under "Networking / Master Server Uplink", set "DoUplink" to False
or
- Under "Networking / Server Beacon", set "DoBeacon" to False
The master servers are the servers that contain all the info about
the multiplayer games in the world, and the biggest are:
unreal.epicgames.com and master0.gamespy.com.
However I can't continue, because this is a security advisory not a
DDoS paper...
This is my fix, other suggestions?
---
5) Philosophy
Ok, it's not right to post an advisory if there are no patches or
tricks to fix the bug, but I think that this is a good method to show
the problem to the community.
Also, the UT team has not answered me and I hope that this
advisory can get their attention.
I'm really hopeful about full disclosure, because with it
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of programming (I have learned a bit of
C from the source code of some exploits) and it's useful for all the
people that are hopeful about this type of disclosure.
No secrets!
---
Any type of feedback is really welcome!
Byez
------=_NextPart_000_00BF_01BF610E.1038FD70
Content-Type: application/octet-stream;
name="ut.tgz"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="ut.tgz"
------=_NextPart_000_00BF_01BF610E.1038FD70--
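
An added detection example for server operators, not part of the original advisory or its attachment: it scans packet records for the traffic shape described in section 2, where the server keeps sending from UDP 7777 to a peer that sent at most one packet, and notes whether that peer answered with ICMP port unreachable. The record layout, the alert threshold and the sample addresses (documentation ranges) are assumptions made for this example.

```python
from collections import defaultdict
from dataclasses import dataclass

UT_GAME_PORT = 7777   # gameplay port named in the advisory
MAX_INBOUND = 1       # the trigger described is a single packet
MIN_OUTBOUND = 50     # assumed alert threshold, tune per server


@dataclass(frozen=True)
class Pkt:
    ts: float
    proto: str        # "udp" or "icmp-unreach"
    src: str
    sport: int
    dst: str
    dport: int
    size: int         # packet size in bytes, counted as in the advisory


def find_reflected_flows(packets, server_ip):
    """Flag peers the server keeps sending to although they sent at most one packet."""
    stats = defaultdict(lambda: [0, 0, 0, 0])  # in_pkts, in_bytes, out_pkts, out_bytes
    unreachable = set()                        # hosts that answered with ICMP unreachable
    for p in packets:
        if p.proto == "icmp-unreach" and p.dst == server_ip:
            unreachable.add(p.src)
        elif p.proto == "udp" and p.dst == server_ip and p.dport == UT_GAME_PORT:
            s = stats[(p.src, p.sport)]
            s[0] += 1
            s[1] += p.size
        elif p.proto == "udp" and p.src == server_ip and p.sport == UT_GAME_PORT:
            s = stats[(p.dst, p.dport)]
            s[2] += 1
            s[3] += p.size
    findings = []
    for (ip, port), (in_p, in_b, out_p, out_b) in sorted(stats.items()):
        if in_p <= MAX_INBOUND and out_p >= MIN_OUTBOUND:
            findings.append({
                "peer": (ip, port),
                "in_pkts": in_p,
                "out_pkts": out_p,
                "out_bytes": out_b,
                # None when the trigger packet was not captured at all
                "amplification": round(out_b / in_b, 1) if in_b else None,
                "icmp_unreachable": ip in unreachable,
            })
    return findings


def build_sample(server="198.51.100.10"):
    """Constructed capture: one reflected flow and one ordinary two-way player."""
    pkts = [Pkt(0.0, "udp", "192.0.2.50", 4000, server, UT_GAME_PORT, 28)]
    for i in range(1500):  # about 10 packets/s of 46 bytes for 150 s, as in the advisory
        t = 0.1 + i / 10
        pkts.append(Pkt(t, "udp", server, UT_GAME_PORT, "192.0.2.50", 4000, 46))
        pkts.append(Pkt(t, "udp", "203.0.113.7", 5000, server, UT_GAME_PORT, 40))
        pkts.append(Pkt(t, "udp", server, UT_GAME_PORT, "203.0.113.7", 5000, 46))
    pkts.append(Pkt(0.2, "icmp-unreach", "192.0.2.50", 0, server, 0, 56))
    return pkts


if __name__ == "__main__":
    for finding in find_reflected_flows(build_sample(), "198.51.100.10"):
        print(finding)
```

The ordinary player is not flagged because its flow is two-way; only the peer that sent a single 28-byte packet and then received 1500 packets is reported.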