[8551] in bugtraq
(spoofed) RPC portmapper set/unset
daemon@ATHENA.MIT.EDU (ga)
Sat Nov 14 15:56:40 1998
Date: Fri, 13 Nov 1998 23:27:35 -0000
Reply-To: ga <duncan@MYGALE.ORG>
From: ga <duncan@MYGALE.ORG>
To: BUGTRAQ@NETSPACE.ORG
pouet pouet,
Like every RPC program, the portmapper has its own remote procedure calls
(using XDR notation for arguments). These are:
- pmap_dump: this RPC procedure is called when you do a 'rpcinfo -p
  server'.
- pmap_getport: this one is used when a (local || remote) program wants to
  know which port a particular RPC program is listening on (for example,
  when ypbind tries to talk to ypserver, it first asks the portmapper which
  port the ypserv program is running on).
- pmap_callit: this is the proxy call for the portmapper. This flaw has
  been widely used to steal NFS handles, to bypass NFS host access control,
  or to remotely retrieve files served by ypserv (i.e. passwd).
  Fortunately, Wietse's portmapper fixed these security problems by
  forbidding callit() to rpc.mountd, rpc.nfsd, and yp* RPC programs.
- pmap_set: it is called when an RPC program wants to register itself in
  the portmapper list (rpcinfo -p returns this list).
- pmap_unset: same as above, but it is used to unregister an RPC program.
  Again, Wietse's portmapper fixed almost all the holes related to the
  pmap_set/pmap_unset RPC calls.
However, due to a restriction in the protocol, not all of the security
problems can be fixed easily. When an RPC program (such as rpc.mountd)
wants to register or unregister itself on the portmapper list, it sends a
udp || tcp packet to the portmapper (port 111) using pmap_set or pmap_unset
respectively. The portmapper checks the validity of the call by determining
whether the RPC packet comes from the localhost using a privileged source
port (between 512 and 1024 when the -DCHECK_PORT option is used while
compiling the portmapper). Unix authentication is not checked.
As you can see, it's not a big deal. By spoofing a pmap_set/pmap_unset UDP
packet, it's possible to register or unregister any RPC program on the
remote host (the program I attached to this mail illustrates this). All in
all, this can only lead to a DoS on the server for a _remote_ attacker (by
flooding the portmapper with pmap_set requests or by unregistering services
such as mountd, nfsd or ypserv), but it can be worse because a _local_
attacker can set up rogue RPC programs on the server (registering his own
ypbind/ypserv program, for example). This last local attack can lead to
root compromise (including the hosts which trust the ypserver); but well,
it's fairly clear that once an attacker has cracked into one of your
servers, all your systems are almost already compromised.
Possible solutions:
- use a firewall/router that filters ports 111 _and_ 32771, and configure
  it so that it rejects all packets coming from outside with a source IP
  which is inside your network (note that this doesn't protect you from an
  attack coming from your internal network).
or
- compile your portmapper with the -DLOOPBACK_SETUNSET flag. Note that
  it's damn hard to implement because you have to change other things in
  your RPC services as well as in your kernel config.
Btw, D.J. Bernstein, do you really think that Wietse should have rewritten
BIND when he developed his tcpwrappers? Following this idea, maybe he
should also rewrite the whole 'libsrc/rpc/*' when he codes his portmapper.
Oh come on, he can't be aware of all the security holes even before they
have been found, can he? We all know that Wietse has done a good job with
his tcpwrapper/portmapper and the least we could do is to respect him.
One last note (maybe not important):
In the libc-5.3.12 code, we can see that the xid of an RPC message is not
totally random:
Mithrandir:/tmp/libsrc/libc/rpc# grep call_msg.rm_xid clnt* -n
clnt_tcp.c:207: call_msg.rm_xid = getpid() ^ now.tv_sec ^ now.tv_usec;
clnt_udp.c:176: call_msg.rm_xid = getpid() ^ now.tv_sec ^ now.tv_usec;
getpid is usually not a high value, so the higher bits of the xid are
defined by the now.tv_usec value. An attacker may easily retrieve the date
of the system (i.e. port 13) so, with a lot of luck and time, he should be
able to guess the next xid (ypbind uses a timeout of 10sec I think).
Anyway, this is pure theory and I haven't tried it yet, so xid prediction
may not be easily done but, guess what, crackers are usually lucky and they
have plenty of time to spend on their computers...
ga
[Attachment: hoze.tgz]
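Added example, not part of the original post or of any portmapper source: a detection check for the condition the message describes, a pmap_set/pmap_unset call reaching the portmapper over UDP on a non-loopback interface, where legitimate registrations never originate. The interface name "lo", the function names and the sample payloads are assumptions constructed for illustration.

```python
import struct

PMAP_PROG, PMAP_VERS = 100000, 2            # portmapper program number, version 2
PROCS = {1: "PMAPPROC_SET", 2: "PMAPPROC_UNSET"}
LOOPBACK_IFACE = "lo"                       # assumption: loopback interface name

def parse_pmap_call(payload: bytes):
    """Decode a UDP ONC RPC payload; return (proc, prog, vers, prot, port)
    for a portmapper SET/UNSET call, or None for anything else."""
    try:
        _xid, mtype, rpcvers, prog, vers, proc = struct.unpack_from(">6I", payload, 0)
        off = 24
        for _ in range(2):                  # credential, then verifier
            _flavor, length = struct.unpack_from(">2I", payload, off)
            if length > 400:                # opaque_auth body is at most 400 bytes
                return None
            off += 8 + ((length + 3) & ~3)  # XDR pads opaque data to 4 bytes
        args = struct.unpack_from(">4I", payload, off)
    except struct.error:                    # truncated, or not an RPC call
        return None
    if (mtype, rpcvers, prog, vers) != (0, 2, PMAP_PROG, PMAP_VERS):
        return None                         # mtype 0 = CALL, RPC version 2
    if proc not in PROCS:
        return None
    return (PROCS[proc],) + args

def check_packet(iface: str, src_ip: str, src_port: int, payload: bytes):
    """Return an alert string if a SET/UNSET call was seen off-loopback."""
    call = parse_pmap_call(payload)
    if call is None or iface == LOOPBACK_IFACE:
        return None
    proc, prog, vers, _prot, port = call
    note = "claims a local source address" if src_ip.startswith("127.") else "remote source"
    return (f"{proc} prog={prog} vers={vers} port={port} on {iface} "
            f"from {src_ip}:{src_port} ({note})")

def build_sample(proc, prog, vers, prot=0, port=0, xid=0x12345678):
    """Constructed sample input: call header, AUTH_NONE cred/verf, pmap args."""
    return struct.pack(">6I4I4I", xid, 0, 2, PMAP_PROG, PMAP_VERS, proc,
                       0, 0, 0, 0, prog, vers, prot, port)

SAMPLE_UNSET = build_sample(2, 100005, 1)        # constructed: unregister mountd v1
SAMPLE_GETPORT = build_sample(3, 100005, 1, 17)  # constructed: harmless lookup

if __name__ == "__main__":
    print(check_packet("eth0", "127.0.0.1", 600, SAMPLE_UNSET))
    print(check_packet("eth0", "192.0.2.10", 40000, SAMPLE_GETPORT))
```

Feed it the receiving interface and the UDP payload for port 111 from your capture tool. Calls over TCP carry a 4-byte record mark before the RPC header and are not handled here.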