[16813] in bugtraq
Re: Double clicking on MS Office documents from Windows Explorer
daemon@ATHENA.MIT.EDU (Microsoft Security Response Center)
Mon Sep 18 16:03:18 2000
Mime-Version: 1.0
Mime-Version: 1.0
Content-Type: multipart/signed; protocol="application/x-pkcs7-signature";
micalg=SHA1; boundary="----=_NextPart_000_03DE_01C02167.B861D020"
Message-Id: <C10F7F33B880B248BCC47DB4467388473493B2@red-msg-07.redmond.corp.microsoft.com>
Date: Mon, 18 Sep 2000 11:58:41 -0700
Reply-To: Microsoft Security Response Center <secure@MICROSOFT.COM>
From: Microsoft Security Response Center <secure@MICROSOFT.COM>
X-To: "win2ksecadvice@LISTSERV.NTSECURITY.NET"
<win2ksecadvice@LISTSERV.NTSECURITY.NET>
To: BUGTRAQ@SECURITYFOCUS.COM
This is a multi-part message in MIME format.
------=_NextPart_000_03DE_01C02167.B861D020
Content-Type: multipart/alternative;
boundary="----=_NextPart_001_03DF_01C02167.B861D020"
------=_NextPart_001_03DF_01C02167.B861D020
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
-----BEGIN PGP SIGNED MESSAGE-----
Hi All -
We'd like to thank Mr. Guninski for giving us an opportunity to
investigate this issue, and for working with us to provide additional
data as the investigation progressed. Both the Office and IE
Security Teams checked into the report, and our overall conclusion is
that, although there are circumstances under which a trojaned .dll
could be launched as discussed in the report, there isn't a
compelling exploit scenario. Specifically, it would not be possible
to launch a trojaned .dll simply by visiting a web site and opening
an Office document -- instead, the user would need to take a series
of deliberate steps that we believe would only occur as part of a
social engineering attack.
We considered two cases. In the first one, a malicious user would
seek to persuade a user to download a malicious version of
riched20.dll or msi.dll onto the user's machine, in the same
directory as an Office document. The malicious user would then
persuade the user to open the Office document. In the end, this case
turns out to be simply a case of persuading the user to download and
run untrusted code -- and if the malicious user can do this, there
are far easier ways to accomplish the same goal.
The second case is the more interesting one. In this case, a
malicious user would host an Office document on his web site, put a
trojaned riched20.dll or msi.dll into the same directory as the
Office document, and then seek to persuade a user into launching the
Office document. Our investigation found that this case has
significant limitations:
* We found no means by which the malicious user could cause the
trojaned .dll to launch automatically when a user visited his web
site. Opening an Office document via IE, Outlook, or Outlook Express
would not result in the .dll being launched under any conditions. In
our tests, we were only able to launch the .dll if we mapped a UNC
share to the malicious user's server and opened the Office document
using Windows Explorer or the Start | Run command. (We confirmed by
code inspection that Windows Explorer and Start | Run use a
completely different method of launching .dlls than IE, Outlook and
Outlook Express).
* Even if the user could be persuaded to use Windows Explorer or
Start | Run to open an Office document on a remote site, the trojaned
copy of riched20.dll or msi.dll would only launch if a bona fide
version was *not* already in memory. If the user had previously used
Word, Wordpad, Outlook, or any of a host of other programs that loads
the affected .dlls, the version already in memory, rather than the
trojaned version, would be used.
If anyone can devise a compelling exploit scenario for this issue --
one that would allow a malicious user to exploit it without the
user's consent -- we'd be most interested in investigating it.
Regards,
Scott Culp
Security Program Manager
Microsoft Security Response Center
- -----Original Message-----
From: Georgi Guninski [mailto:guninski@GUNINSKI.COM]
Sent: Monday, September 18, 2000 6:51 AM
To: win2ksecadvice@LISTSERV.NTSECURITY.NET
Subject: Double clicking on MS Office documents from Windows Explorer
may execute arbitrary programs in some cases
Georgi Guninski security advisory #21, 2000
Double clicking on MS Office documents from Windows Explorer may
execute
arbitrary programs in some cases
Systems affected:
MS Office 2000, Win98/Win2000 probably other applications
Risk: Medium
Date: 18 September 2000
Legal Notice:
This Advisory is Copyright (c) 2000 Georgi Guninski. You may
distribute
it unmodified. You may not modify it and distribute it or distribute
parts of it without the author's written permission.
Disclaimer:
The opinions expressed in this advisory and program are my own and
not
of any company.
The usual standard disclaimer applies, especially the fact that
Georgi
Guninski
is not liable for any damages caused by direct or indirect use of
the
information or functionality provided by this advisory or program.
Georgi Guninski, bears no responsibility for content or misuse of
this
advisory or program or any derivatives thereof.
Description:
If certain DLLs are present in the current direcotory and the user
double clicks on
a MS Office Document or launch the document from "Start | Run" then
the
DLLs are executed.
This allows executing native code and may lead to taking full control
over user's computer.
It also works on remote UNC shares.
Details:
If either of the following files:
riched20.dll
or
msi.dll
(other DLLs also may do, don't know)
are present in the current directory, double clicking on an Office
document in the current directory executes
the code in DllMain() of the above DLLs.
(Excel seems not to work with riched20.dll but works with msi.dll).
I could not make this work from HTML and IE, if you can, please let
me
know.
Demonstration:
1) Download dll1.cpp from http://www.guninski.com/dll1.cpp and build
it.
I discourage downloading native code from unknown site, but you may
try
at your own risk
the compiled version: http://www.guninski.com/dll1.dll
2) Rename dll1.dll to riched20.dll
3) Place riched20.dll in a directory of your choice
4) Close all Office applications
5) From Windows Explorer double click on an Office document
(preferably
MS Word document)
in the directory containg riched20.dll
Workaround: Do not double click on Office documents or use "Start |
Run
... office.doc".
Instead start the Office application from "Start Menu"
and
then use "File | Open"
Regards,
Georgi Guninski
http://www.guninski.com
_____________________________________________________________________
** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
-----BEGIN PGP SIGNATURE-----
Version: PGP Personal Privacy 6.5.3
iQEVAwUBOcZlZ40ZSRQxA/UrAQEPswf8Db5OEITXn3tEDbhyLH6HEwvSAElgWUzP
B1KPNAboOYwrOj8OAdGKELSlMJPafrkmEkeVbaGNT35/v87ZoTxKvD51I1JUbWvQ
cri/JtdKydbmgPRd6ozYOItW2J4lBr/T01AgByggTnKprKbzHIa9pxj0rMw6/APg
G3MQ3aYE7SBDn8O7CGFtwHiRUAsTEoPIwRk9fNvVVgy9TmRDmfUXU4tt1CgscWyJ
D5ja3m5cJVeQT/rvQHZ9MOUUkyRIAPcKM9Ad4I4xoV1bEoogcT4jGKkKFg4AuNet
voXRoFb/jRqD3r0u0PKzNTAyMQs9xRXEpmzSKkoperUNH8up/LKTOg==
=F27U
-----END PGP SIGNATURE-----
------=_NextPart_001_03DF_01C02167.B861D020
Content-Type: text/html;
charset="iso-8859-1"
Content-Transfer-Encoding: quoted-printable
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2//EN">
<HTML>
<HEAD>
<META HTTP-EQUIV=3D"Content-Type" CONTENT=3D"text/html; =
charset=3Diso-8859-1">
<META NAME=3D"Generator" CONTENT=3D"MS Exchange Server version =
5.5.2788.0">
<TITLE></TITLE>
</HEAD>
<BODY>
<P><FONT SIZE=3D2 FACE=3D"Courier New">-----BEGIN PGP SIGNED =
MESSAGE-----</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Hi All - </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">We'd like to thank Mr. Guninski =
for giving us an opportunity to</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">investigate this issue, and for =
working with us to provide additional</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">data as the investigation =
progressed. Both the Office and IE</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Security Teams checked into the =
report, and our overall conclusion is</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">that, although there are =
circumstances under which a trojaned .dll</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">could be launched as discussed =
in the report, there isn't a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">compelling exploit =
scenario. Specifically, it would not be possible</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">to launch a trojaned .dll simply =
by visiting a web site and opening</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">an Office document -- instead, =
the user would need to take a series</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">of deliberate steps that we =
believe would only occur as part of a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">social engineering =
attack.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">We considered two cases. In =
the first one, a malicious user would</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">seek to persuade a user to =
download a malicious version of</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">riched20.dll or msi.dll onto the =
user's machine, in the same</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">directory as an Office =
document. The malicious user would then</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">persuade the user to open the =
Office document. In the end, this case</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">turns out to be simply a case of =
persuading the user to download and</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">run untrusted code -- and if the =
malicious user can do this, there</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">are far easier ways to =
accomplish the same goal.</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">The second case is the more =
interesting one. In this case, a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">malicious user would host an =
Office document on his web site, put a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">trojaned riched20.dll or msi.dll =
into the same directory as the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Office document, and then seek =
to persuade a user into launching the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Office document. Our =
investigation found that this case has</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">significant limitations: =
</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">* We found no means by which =
the malicious user could cause the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">trojaned .dll to launch =
automatically when a user visited his web</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">site. Opening an Office =
document via IE, Outlook, or Outlook Express</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">would not result in the .dll =
being launched under any conditions. In</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">our tests, we were only able to =
launch the .dll if we mapped a UNC</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">share to the malicious user's =
server and opened the Office document</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">using Windows Explorer or the =
Start | Run command. (We confirmed by</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">code inspection that Windows =
Explorer and Start | Run use a</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">completely different method of =
launching .dlls than IE, Outlook and</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Outlook Express).</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">* Even if the user could be =
persuaded to use Windows Explorer or</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Start | Run to open an Office =
document on a remote site, the trojaned</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">copy of riched20.dll or msi.dll =
would only launch if a bona fide</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">version was *not* already in =
memory. If the user had previously used</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Word, Wordpad, Outlook, or any =
of a host of other programs that loads</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">the affected .dlls, the version =
already in memory, rather than the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">trojaned version, would be =
used. </FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier New">If anyone can devise a compelling =
exploit scenario for this issue --</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">one that would allow a malicious =
user to exploit it without the</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">user's consent -- we'd be most =
interested in investigating it. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Regards,</FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Scott Culp </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Security Program Manager </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Microsoft Security Response =
Center </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New"> </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">- -----Original Message----- =
</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">From: Georgi Guninski [<A =
HREF=3D"mailto:guninski@GUNINSKI.COM">mailto:guninski@GUNINSKI.COM</A>] =
</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Sent: Monday, September 18, 2000 =
6:51 AM </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">To: =
win2ksecadvice@LISTSERV.NTSECURITY.NET </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Subject: Double clicking on MS =
Office documents from Windows Explorer</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">may execute arbitrary programs =
in some cases </FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Georgi Guninski security advisory =
#21, 2000 </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Double clicking on MS Office =
documents from Windows Explorer may</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">execute </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">arbitrary programs in some cases =
</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Systems affected: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">MS Office 2000, Win98/Win2000 =
probably other applications </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Risk: Medium </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Date: 18 September 2000 </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Legal Notice: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">This Advisory is Copyright (c) =
2000 Georgi Guninski. You may</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">distribute </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">it unmodified. You may not =
modify it and distribute it or distribute </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">parts of it without the author's =
written permission. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Disclaimer: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">The opinions expressed in this =
advisory and program are my own and</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">not </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">of any company. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">The usual standard disclaimer =
applies, especially the fact that</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Georgi </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Guninski </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">is not liable for any damages =
caused by direct or indirect use of</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">the </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">information or functionality =
provided by this advisory or program. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Georgi Guninski, bears no =
responsibility for content or misuse of</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">this </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">advisory or program or any =
derivatives thereof. </FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Description: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">If certain DLLs are present in =
the current direcotory and the user </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">double clicks on </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">a MS Office Document or launch =
the document from "Start | Run" then</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">the </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">DLLs are executed. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">This allows executing native =
code and may lead to taking full control</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">over user's computer. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">It also works on remote UNC =
shares. </FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Details: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">If either of the following =
files: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">riched20.dll </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">or </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">msi.dll </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">(other DLLs also may do, don't =
know) </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">are present in the current =
directory, double clicking on an Office </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">document in the current =
directory executes </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">the code in DllMain() of the =
above DLLs. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">(Excel seems not to work with =
riched20.dll but works with msi.dll). </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">I could not make this work from =
HTML and IE, if you can, please let</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">me </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">know. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Demonstration: </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">1) Download dll1.cpp from <A =
HREF=3D"http://www.guninski.com/dll1.cpp" =
TARGET=3D"_blank">http://www.guninski.com/dll1.cpp</A> and build</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">it. </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">I discourage downloading native =
code from unknown site, but you may</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">try </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">at your own risk </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">the compiled version: <A =
HREF=3D"http://www.guninski.com/dll1.dll" =
TARGET=3D"_blank">http://www.guninski.com/dll1.dll</A> </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">2) Rename dll1.dll to =
riched20.dll </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">3) Place riched20.dll in a =
directory of your choice </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">4) Close all Office applications =
</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">5) From Windows Explorer double =
click on an Office document</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">(preferably </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">MS Word document) </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">in the directory containg =
riched20.dll </FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Workaround: Do not double click =
on Office documents or use "Start |</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Run </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">... office.doc". </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New"> =
Instead start the Office application from "Start Menu"</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">and </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">then use "File | Open" =
</FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">Regards, </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Georgi Guninski </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New"><A =
HREF=3D"http://www.guninski.com" =
TARGET=3D"_blank">http://www.guninski.com</A> </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">____________________________________________________________________=
_</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">** TO UNSUBSCRIBE, send the =
command "UNSUBSCRIBE win2ksecadvice" </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">** FOR A WEEKLY DIGEST, send the =
command "SET win2ksecadvice DIGEST" </FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">SEND ALL COMMANDS TO: =
listserv@listserv.ntsecurity.net </FONT>
</P>
<BR>
<P><FONT SIZE=3D2 FACE=3D"Courier New">-----BEGIN PGP =
SIGNATURE-----</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">Version: PGP Personal Privacy =
6.5.3</FONT>
</P>
<P><FONT SIZE=3D2 FACE=3D"Courier =
New">iQEVAwUBOcZlZ40ZSRQxA/UrAQEPswf8Db5OEITXn3tEDbhyLH6HEwvSAElgWUzP</FO=
NT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">B1KPNAboOYwrOj8OAdGKELSlMJPafrkmEkeVbaGNT35/v87ZoTxKvD51I1JUbWvQ</FO=
NT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">cri/JtdKydbmgPRd6ozYOItW2J4lBr/T01AgByggTnKprKbzHIa9pxj0rMw6/APg</FO=
NT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">G3MQ3aYE7SBDn8O7CGFtwHiRUAsTEoPIwRk9fNvVVgy9TmRDmfUXU4tt1CgscWyJ</FO=
NT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">D5ja3m5cJVeQT/rvQHZ9MOUUkyRIAPcKM9Ad4I4xoV1bEoogcT4jGKkKFg4AuNet</FO=
NT>
<BR><FONT SIZE=3D2 FACE=3D"Courier =
New">voXRoFb/jRqD3r0u0PKzNTAyMQs9xRXEpmzSKkoperUNH8up/LKTOg=3D=3D</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">=3DF27U</FONT>
<BR><FONT SIZE=3D2 FACE=3D"Courier New">-----END PGP =
SIGNATURE-----</FONT>
</P>
</BODY>
</HTML>
------=_NextPart_001_03DF_01C02167.B861D020--
------=_NextPart_000_03DE_01C02167.B861D020
Content-Type: application/x-pkcs7-signature;
name="smime.p7s"
Content-Transfer-Encoding: base64
Content-Disposition: attachment;
filename="smime.p7s"
MIAGCSqGSIb3DQEHAqCAMIACAQExCzAJBgUrDgMCGgUAMIAGCSqGSIb3DQEHAQAAoIIJ/TCCAj0w
ggGmAhEAzbp/VvDf5LxU/iKss3KqVTANBgkqhkiG9w0BAQIFADBfMQswCQYDVQQGEwJVUzEXMBUG
A1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGljIFByaW1hcnkgQ2Vy
dGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTYwMTI5MDAwMDAwWhcNMjgwODAxMjM1OTU5WjBfMQsw
CQYDVQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVi
bGljIFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwgZ8wDQYJKoZIhvcNAQEBBQADgY0A
MIGJAoGBAOUZv22jVmEtmUhx9mfeuY3rt56GgAqRDvo4Ja9GiILlc6igmyRdDR/MZW4MsNBWhBiH
mgabEKFz37RYOWtuwfYV1aioP6oSBo0xrH+wNNePNGeICc0UEeJORVZpH3gCgNrcR5EpuzbJY1zF
4Ncth3uhtzKwezC6Ki8xqu6jZ9rbAgMBAAEwDQYJKoZIhvcNAQECBQADgYEATD+4i8Zo3+5DMw5d
6abLB4RNejP/khv0Nq3YlSI2aBFsfELM85wuxAc/FLAPT/+Qknb54rxK6Y/NoIAK98Up8YIiXbix
3YEjo3slFUYweRb46gVLlH8dwhzI47f0EEA8E8NfH1PoSOSGtHuhNbB7Jbq4046rPzidADQAmPPR
cZQwggMuMIICl6ADAgECAhEA0nYujRQMPX2yqCVdr+4NdTANBgkqhkiG9w0BAQIFADBfMQswCQYD
VQQGEwJVUzEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xNzA1BgNVBAsTLkNsYXNzIDEgUHVibGlj
IFByaW1hcnkgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNOTgwNTEyMDAwMDAwWhcNMDgwNTEy
MjM1OTU5WjCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRy
dXN0IE5ldHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5j
b3JwLiBCeSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0Eg
SW5kaXZpZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZDCBnzANBgkqhkiG9w0B
AQEFAAOBjQAwgYkCgYEAu1pEigQWu1X9A3qKLZRPFXg2uA1Ksm+cVL+86HcqnbnwaLuV2TFBcHqB
S7lIE1YtxwjhhEKrwKKSq0RcqkLwgg4C6S/7wju7vsknCl22sDZCM7VuVIhPh0q/Gdr5FegPh7Yc
48zGmo5/aiSS4/zgZbqnsX7vyds3ashKyAkG5JkCAwEAAaN8MHowEQYJYIZIAYb4QgEBBAQDAgEG
MEcGA1UdIARAMD4wPAYLYIZIAYb4RQEHAQEwLTArBggrBgEFBQcCARYfd3d3LnZlcmlzaWduLmNv
bS9yZXBvc2l0b3J5L1JQQTAPBgNVHRMECDAGAQH/AgEAMAsGA1UdDwQEAwIBBjANBgkqhkiG9w0B
AQIFAAOBgQCIuDc73dqUNwCtqp/hgQFxHpJqbS/28Z3TymQ43BuYDAeGW4UVag+5SYWklfEXfWe0
fy0s3ZpCnsM+tI6q5QsG3vJWKvozx74Z11NMw73I4xe1pElCY+zCphcPXVgaSTyQXFWjZSAA/Rgg
5V+CprGoksVYasGNAzzrw80FopCubjCCBIYwggPvoAMCAQICEAVbo7ZcNCuluzJSdf+s4CIwDQYJ
KoZIhvcNAQEEBQAwgcwxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYDVQQLExZWZXJpU2ln
biBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3JlcG9zaXRvcnkvUlBB
IEluY29ycC4gQnkgUmVmLixMSUFCLkxURChjKTk4MUgwRgYDVQQDEz9WZXJpU2lnbiBDbGFzcyAx
IENBIEluZGl2aWR1YWwgU3Vic2NyaWJlci1QZXJzb25hIE5vdCBWYWxpZGF0ZWQwHhcNOTkxMjMw
MDAwMDAwWhcNMDAxMjI5MjM1OTU5WjCCASoxFzAVBgNVBAoTDlZlcmlTaWduLCBJbmMuMR8wHQYD
VQQLExZWZXJpU2lnbiBUcnVzdCBOZXR3b3JrMUYwRAYDVQQLEz13d3cudmVyaXNpZ24uY29tL3Jl
cG9zaXRvcnkvUlBBIEluY29ycC4gYnkgUmVmLixMSUFCLkxURChjKTk4MR4wHAYDVQQLExVQZXJz
b25hIE5vdCBWYWxpZGF0ZWQxNDAyBgNVBAsTK0RpZ2l0YWwgSUQgQ2xhc3MgMSAtIE1pY3Jvc29m
dCBGdWxsIFNlcnZpY2UxKzApBgNVBAMUIk1pY3Jvc29mdCBTZWN1cml0eSBSZXNwb25zZSBDZW50
ZXIxIzAhBgkqhkiG9w0BCQEWFHNlY3VyZUBtaWNyb3NvZnQuY29tMIGfMA0GCSqGSIb3DQEBAQUA
A4GNADCBiQKBgQC5p8rQpjuPFFZf+KLtESi391k/8oOw6zOIOx6odUMFfulf0clSmvKn8ubcfOeR
/4n0uTGhvBnMO0zP/g6xKoDwFIzY/5DNY2VmZ7wLIxpvfwDjBTSAdw53t60rJzs8PmB26FgbJ69B
Y+rnsR3xg+HUok+BIvYS6GTHUzmwQdonEQIDAQABo4IBBjCCAQIwCQYDVR0TBAIwADCBrAYDVR0g
BIGkMIGhMIGeBgtghkgBhvhFAQcBATCBjjAoBggrBgEFBQcCARYcaHR0cHM6Ly93d3cudmVyaXNp
Z24uY29tL0NQUzBiBggrBgEFBQcCAjBWMBUWDlZlcmlTaWduLCBJbmMuMAMCAQEaPVZlcmlTaWdu
J3MgQ1BTIGluY29ycC4gYnkgcmVmZXJlbmNlIGxpYWIuIGx0ZC4gKGMpOTcgVmVyaVNpZ24wEQYJ
YIZIAYb4QgEBBAQDAgeAMDMGA1UdHwQsMCowKKAmoCSGImh0dHA6Ly9jcmwudmVyaXNpZ24uY29t
L2NsYXNzMS5jcmwwDQYJKoZIhvcNAQEEBQADgYEAOZ+QMi8SC6JAG4j9hdZPbZtHPPsJ0o8g7g2y
N6IBGcQkiuxStuH+QfYv1P6/o14un3gk1CEFmNvj2a9ed1Ah7rbhM+jdhsS4zdZvIevU7AQzfY6Z
FNfi6feQlseXgvKD0kSIvhyw9sUu4vvugYN4wtiYJRFHDCUKm4L2+Cs2pXsxggM4MIIDNAIBATCB
4TCBzDEXMBUGA1UEChMOVmVyaVNpZ24sIEluYy4xHzAdBgNVBAsTFlZlcmlTaWduIFRydXN0IE5l
dHdvcmsxRjBEBgNVBAsTPXd3dy52ZXJpc2lnbi5jb20vcmVwb3NpdG9yeS9SUEEgSW5jb3JwLiBC
eSBSZWYuLExJQUIuTFREKGMpOTgxSDBGBgNVBAMTP1ZlcmlTaWduIENsYXNzIDEgQ0EgSW5kaXZp
ZHVhbCBTdWJzY3JpYmVyLVBlcnNvbmEgTm90IFZhbGlkYXRlZAIQBVujtlw0K6W7MlJ1/6zgIjAJ
BgUrDgMCGgUAoIIBrDAYBgkqhkiG9w0BCQMxCwYJKoZIhvcNAQcBMBwGCSqGSIb3DQEJBTEPFw0w
MDA5MTgxODU4MTJaMCMGCSqGSIb3DQEJBDEWBBSBEN+6rFJNEsriJ0VawHknD0V67zBYBgkqhkiG
9w0BCQ8xSzBJMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAHBgUrDgMCBzANBggqhkiG9w0D
AgIBKDAHBgUrDgMCGjAKBggqhkiG9w0CBTCB8gYJKwYBBAGCNxAEMYHkMIHhMIHMMRcwFQYDVQQK
Ew5WZXJpU2lnbiwgSW5jLjEfMB0GA1UECxMWVmVyaVNpZ24gVHJ1c3QgTmV0d29yazFGMEQGA1UE
CxM9d3d3LnZlcmlzaWduLmNvbS9yZXBvc2l0b3J5L1JQQSBJbmNvcnAuIEJ5IFJlZi4sTElBQi5M
VEQoYyk5ODFIMEYGA1UEAxM/VmVyaVNpZ24gQ2xhc3MgMSBDQSBJbmRpdmlkdWFsIFN1YnNjcmli
ZXItUGVyc29uYSBOb3QgVmFsaWRhdGVkAhAFW6O2XDQrpbsyUnX/rOAiMA0GCSqGSIb3DQEBAQUA
BIGATrLJKLBDe6Cyk4G218NmUyLG7GW9OmCZdzYXyO22U3o1aDlhkAvBojrBleUe9dyhvJKlXV1q
Mb/SvhWNCxeW4kD98X/QidF0W3aeSNx1Qpz8jyyUBL5Z7raphMtaOSrSvJALNwVjMzHX+oi8x9my
VtbJgp0l8RSwrc7fBmM07BYAAAAAAAA=
------=_NextPart_000_03DE_01C02167.B861D020--
