139475 2006-07-06 13:14 0000 Kernel: Privilege escalation through prctl() and suid_dumpable (CVE-2006-2451) 2009-07-12 15:20:53 0000 1 1 1 Unclassified Gentoo Security Kernel unspecified All Linux RESOLVED FIXED http://git.kernel.org/?p=linux/kernel/git/stable/linux-2.6.16.y.git;a=commit;h=9e4e45f19bdd41b4091e5fe556f816f4046c7598 [linux <2.6.16.24] [linux >=2.6.17 <2.6.17.4] P2 normal --- 1 jaervosz@gentoo.org security@gentoo.org agriffis@gentoo.org chrb@gentoo.org gentoo@getafix.net kang@gentoo.org kumba@gentoo.org langthang@gentoo.org passnet@zmail.ru raistlin@s0ftpj.org sgtphou@fire-eyes.org jaervosz@gentoo.org 2006-07-06 13:14:30 0000 During security research, Red Hat discovered a behavioral flaw in core dump handling. A local user could create a program that would cause a core file to be dumped into a directory they would not normally have permissions to write to. This could lead to a denial of service (disk consumption), or allow the local user to gain root privileges. --- linux-2.6.9/kernel/sys.c.orig +++ linux-2.6.9/kernel/sys.c @@ -1702,7 +1702,7 @@ asmlinkage long sys_prctl(int option, un error = 1; break; case PR_SET_DUMPABLE: - if (arg2 < 0 || arg2 > 2) { + if (arg2 < 0 || arg2 > 1) { error = -EINVAL; break; } jaervosz@gentoo.org 2006-07-06 13:15:19 0000 *** Bug 137627 has been marked as a duplicate of this bug. *** plasmaroo@gentoo.org 2006-07-06 13:34:31 0000 Dan; please add to genpatches and commit new gentoo-sources as soon as possible. Thanks. jakub@gentoo.org 2006-07-08 07:52:15 0000 *** Bug 139668 has been marked as a duplicate of this bug. *** bugs@stalag99.net 2006-07-08 07:56:25 0000 Please bump vanilla-sources to 2.6.17.4, which fixes this problem. passnet@zmail.ru 2006-07-12 02:04:30 0000 Proof of Concept can be found here: http://www.rs-labs.com/exploitsntools/rs_prctl_kernel.c I've tryed it, but it doesn't works for me: user@host ~ $ ./rs_prctl_kernel Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t By: dreyer & RoMaNSoFt [ 10.Jul.2006 ] [*] Creating Cron entry [*] Sleeping for aprox. one minute (** please wait **) [*] Running shell (remember to remove /tmp/sh when finished) ... sh: /tmp/sh: No such file or directory user@host ~ $ uname -a Linux linux 2.6.16-gentoo-r7 #2 Mon May 22 14:19:25 MSD 2006 i686 Pentium Pro GNU/Linux passnet@zmail.ru 2006-07-12 02:25:30 0000 I was pointed out that this exploit acctually may create /tmp/sh more 1 minute. So I've modified sleep() time in exploit to 3 minutes. It creates suid root /tmp/sh: nstorm@linux ~ $ ./rs_prctl_kernel Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t By: dreyer & RoMaNSoFt [ 10.Jul.2006 ] [*] Creating Cron entry [*] Sleeping for aprox. sleep(180) (** please wait **) [*] Running shell (remember to remove /tmp/sh when finished) ... sh-3.1$ ls -l /tmp/sh -rwsr-xr-x 1 root root 659552 Jul 12 13:19 /tmp/sh frilled@gentoo.org 2006-07-12 02:28:06 0000 Fromm looking at the patch I changed - prctl(PR_SET_DUMPABLE, 2); + prctl(PR_SET_DUMPABLE, 3); Then it works, unfortunately: ./pop Linux Kernel 2.6.x PRCTL Core Dump Handling - Local r00t By: dreyer & RoMaNSoFt [ 10.Jul.2006 ] [*] Creating Cron entry [*] Sleeping for aprox. one minute (** please wait **) [*] Running shell (remember to remove /tmp/sh when finished) ... $sh-3.1$ ls -l /tmp/sh -rwsr-xr-x 1 root root 632016 12. Jul 11:21 /tmp/sh :(( frilled@gentoo.org 2006-07-12 02:42:37 0000 This is freaky. There is obviously something seriously wrong. The code is supposed to back out if the parameter is invalid, right? So the patch won't work at all, IMHO :( plasmaroo@gentoo.org 2006-07-12 06:32:58 0000 (In reply to comment #8) > This is freaky. There is obviously something seriously wrong. The code is > supposed to back out if the parameter is invalid, right? So the patch won't > work at all, IMHO :( You need to upgrade to the new kernel which is actually patched against this vulnerability :) frilled@gentoo.org 2006-07-12 06:51:28 0000 We were actually trying to mark this as valid, I believe :D And it is, obviously. unledev+b.g.o@gmail.com 2006-07-13 03:43:05 0000 That patch is not a real fix unless prctl(PR_SET_DUMPABLE, 2) isn't expected to work anymore. In that case manpages should be updated. Otherwise a better fix maintaining functionality would be to dump core on user writable directories only. malverian@gentoo.org 2006-07-13 10:50:03 0000 A temporary workaround to the local root escalation is to chmod o-rx /etc/cron.d - This prevents the program from calling chdir("/etc/cron.d"), thus preventing the core file from being dumped there, and so on. I'm sure there are other ways this kernel bug could be exploited, but at least this prevents root escalations from the method described in the example. frilled@gentoo.org 2006-07-13 11:08:34 0000 Does anybody know if PR_SET_DUMPABLE,2 is going to be supported in the future (since it's quite a new feature so it possibly just got pulled in order to hotfix it)? plasmaroo@gentoo.org 2006-07-13 17:29:22 0000 (In reply to comment #11) > That patch is not a real fix unless prctl(PR_SET_DUMPABLE, 2) isn't expected to > work anymore. In that case manpages should be updated. The manpages never said anything other than zero or one should ever work. At least the one I'm looking at here dated 2002-06-27, anyway. The issue was that the check didn't enforce this correctly due to an off-by-one and hence the bug. frilled@gentoo.org 2006-07-13 22:03:11 0000 Huh? From man-pages-2.34: PR_SET_DUMPABLE [...] Since kernel 2.6.13, the value 2 is also permitted; this causes any binary which normally would not be dumped to be dumped readable by root only. (See also the description of /proc/sys/fs/suid_dumpable in proc(5).) plasmaroo@gentoo.org 2006-07-14 02:01:05 0000 *** Bug 140303 has been marked as a duplicate of this bug. *** frilled@gentoo.org 2006-07-14 13:21:51 0000 Whatever, new versions don't exhibit the problem. plasmaroo@gentoo.org 2006-07-15 07:06:53 0000 CCing maintainers; please bump: mips-sources: Kumba rsbac-sources: kang sh-sources: sh usermode-sources: dang xbox-sources: chrb xen-sources: chrb, agriffis kingtaco@gentoo.org 2006-07-15 07:22:58 0000 (In reply to comment #18) > CCing maintainers; please bump: > > mips-sources: Kumba > rsbac-sources: kang > sh-sources: sh > usermode-sources: dang > xbox-sources: chrb > xen-sources: chrb, agriffis > you guys might want to use genpatches-2.6.16-15 instead of -14, because it addresses bug 140444 as well... gpel@mpex.net 2006-07-15 09:04:40 0000 Tested patch by reporter on vanilla, works fine. Just to make this clear: + prctl(PR_SET_DUMPABLE, 3); in the exploit code as written in comment #7 does not work to exploit a patched kernel! Caused quite some FUD to me so I checked. gpel@mpex.net 2006-07-15 09:45:57 0000 Two things just out of interest and then I'll shut up: < 2.6.13 is not exploitable from what the "case PR_SET_DUMPABLE" looks like in sys.c (securityfocus appears to be wrong on their The 2.4.x branch doesn't appear to be vulnerable to this either - same if (arg2 != 0 && arg2 != 1) like 2.6.12 dang@gentoo.org 2006-07-15 11:42:55 0000 usermode-sources bumped to -15 raistlin@s0ftpj.org 2006-07-16 02:56:58 0000 (In reply to comment #12) > A temporary workaround to the local root escalation is to chmod o-rx > /etc/cron.d - This prevents the program from calling chdir("/etc/cron.d"), Well, this obviously doesn't help much. It just prevents this particular exploit from executing, but if you can write files in that way, there's a bunch of other ways for breaking root. Anothere, not much better, "workaround" is to specify the core dump location: echo /root/core > /proc/sys/kernel/core_pattern (you create a denial of service possibility then) Or put a limit: in /etc/limits.conf * hard core 0 Or set it to /dev/null ... you can use fantasy. Another temporary workaround for those who cannot update a system right now for whatever reason is to load the LKM I upload... please beware, it comes straight from an infosec list, so usual precautions against unofficial patches apply. raistlin@s0ftpj.org 2006-07-16 02:58:41 0000 Created an attachment (id=91871) unofficial workaround LKM for this behavior plasmaroo@gentoo.org 2006-08-08 15:05:40 0000 All fixed, closing. 91871 2006-07-16 02:58 0000 unofficial workaround LKM for this behavior linux_prctl_lkm.tar.gz application/gzip H4sIADKNtUQAA+xb+3MbR3L2r57KHzHF8wNQQPAlUmfRUo6SKJsxRalE6VxXjos12B0AKy52cTu7 BOFc/vd83T2zDzxkJ/H5KolRMmnszvT09PPrnmGaZNX9zbyIyvQmvZ3tffJ3+Ozj8+j4mH4fPDre 5+8HDx/yb//55GD/4fHx0f7JQ3p/cPjo5OQTffz3YGb1U7nSFFp/ktn8Z8bZwv0WDP22n3RF/6/M rR0nqf011yAFn4i+N+r/aP9Y9H/46NHRI9gJXj48+ETv/5pMbPv8P9d/PvqwO/v08RPdMoTduSmj 6TBX3724eEvv9tJktDfL4yq1bu+znpvaNNVVZmZW7xb9vVGVpLF68/0LGhtezxdxX6nYjk2Vlo/V p5/1Xp19d97Xu88xhAj39fX7Z/h9/eSzHub2tV9AqSi1JvtFU3ikUv9oIf4v/qz6/7oZRP/jNX7G /4/3T46b+A/H3z84OUFK+N3/f4PP3gOlH+gznSWR1aNqsjcy0W2c5wUCwq3VcR5VM5uVNta9mck0 G0Zfj60pq8LqJNPl1Ers0Le2yGyqF8bpcXKPGQmcGMSnZTl/vLe3WCyGMmSYF5O9OBmP+cddYhfD aJL8C6WdJ58fvpxXI/xkmvgtU/A/d4fDE/xKsqigQWSbu3g0PHg0PNp9OBz9dHj605NDLEhrvpsm Tk/zEozoCHyPrIYCY13m2tzlSazt/TzNk9KUSZ7pfIxtYILfAcQwbNPJM+zU6Q8wFW30X6skutVT iImozYu8tFEJiSw0LOQORjLQpXUkMZfrMWwrz9JlkAU+zPPD3Qmkmue7xaF/fMky5Jf4d+Sf0q83 CHKO+dem1Mu8AslFpovE3Xou68+uNiNwbG//ZHO3m2RxYoaZLTFmT/0hGWcIx/rm5rvzt1fnlzc3 6g/4nmBz7UcWk8b14FevX7y/PA8D6wnhsQzG6CxKq9jqr1lrPlUMp0/X3ngD2PAmyZJy0/NyObdu 0wsSNZS36ZVbusik6cZpbMHdF8bN9qoscWVMz5W9L8ElNFbqNM/n7mZui5sPsNTlaXjnyqKC0qN5 lWTj/Ob+jyd6lOflDR7cxKY0p0qxlT14AFZuiJeb0oxSi+dpnk1070FeJJMbeike1cNqA6RUl0wy WA4NWv2q9JbPx2b1sWLnAViCBuObLl894rav/12tkqMdRJ71tXfzstjw9MEca+Kpn6ef6Kv3l5c8 cIyw0sMsPOt12fxiVdI06uu1UV0hEwP6n59ol/xk83FPJN7328BnvrYOXgem8UnG4OaHm5urtzdR mjv7o36yxphmQdHbhm5nc6sLYIXTZlxhEScz/YUf/8P+j+Hlfyj+oZpBIiY8gj3CVm/NxArN2bKx FDIUnc8pbK2oWpticrjh2dEGy1kb9HDDxOO+4h0n415PViT5vHl7c33+7ubF+1dvzp5dAp198YXu 0dJQ177+29+YDf1UH7QVUYDr2x4FmZur1+8unp/rnRc2S7DYPHcuIUl2ArIpSzubl/qHKomffB7r ifya868f/y3b6e4pqooC4XT3KYYPmm+TzjdM7gfhe4nvnl9c/flMbJP10dJG10F7QeQiZBarlxtL ivVGqpnm+e2Ns6V4lAiwSwo203U+sUB+9+OpZ2L7CDI5ov0Akm8bxmnblPa7/EC1XY4+Sr7L7ha6 FK7bFDep+DI3cQJbarYuGRn6E0102ah3hq1tilEyZ9NC3YGP9f7957TIoOWcmNTvDhNy9F+ts+ZR Z78cWMBR0t5wS7DbGXufpR+VAYhLrrxhedIPPPWP7D0e0bJ4JAn35hJUr67PezvfvLncaR6fvX/3 7eu3vR2f/L+O8/IpImRpvjbl08nMJCk/ivJZa9KL8+vnby/evLt4fdXbufzulR4ZQkgMrDhSNyy3 cSFR+EeD1t8/v9pntf4TU7r+Vdf4uf4PKsBQ/x0+Oj6h/s/+0cnv9d9v8TmTkKFfULgAFJavQ44e f+LQMUTYePq7y/8f/az6//PXb/5ycfXNr7rGx/3/4dHB0VHj/wfi/4e/+/9v8vn0U8LD31y919+c X52/PbvUb94/A8zQHmooGYDPn6Xe1oC//1plVh989dUBsOHzfL4EYJyWuve8j4d//GrAr/TLwlp9 nY/LhSmsfplXWWwEQ19k0XBbNXtME012C7vU1yiJXybjcqpfojwsBvpZ7koi8OpM6/3Dg4P93YOj /QOt31+fKX1+Z4ulb9WgjpwlZSkNnwgcapPFOkaJXySjqrQaY0fgZkYvE+tU3QJKk8gC1NWNrwHA Dwr9qckmBOOSkshneamBI/OFjYcKEmIRvSmsmQFXEl5+x00xpuQYS83AuXZBGPRfbD0yBYelucXD hVlyd0eNIbk4n9EbN+XxYJ5ZwObKodbPluA7KwvjwB814Fh/NrOFSfWbaoSl1aXfCNgFLrVZLEtN KgPxllANN5I+thS9U4Hn3V0MmRGfjhp/tGi9HSxBY3mjEAt4dJrdZai5gaa6rOnAmpnPUwifFmf5 sA5s13BUYzhfupYEM+nlZUudY05BfbhJYWZ6Mc2JclVO88JBSjPYAUaqyon6wFLvOp9ZP22bkXY2 F+UwF4hvtFRB2JfJqDDFUm/ZWZK50pp42Nf6L3nFHUja7FILMyx6zzG1C/N8SFbz/dRmegHBzq25 JWmwVAMnA3pFHBV2bIuCtgMJeAUOyCYVSpDIYoevQX4zZ27N9to6lfaimpo70XDLOlq+Iy6zxp/u edspJmwKiv2JeqLUWk7GRFovEjftD+qlsJfIJndEpCoiIh1DMwULbGLha6UKEw0VnWVrKo3xltqx RkynVil4jIRLIpLpzC6E3yD3UzGiQO42yxc13Tgnmo4oQ86OtfOuafay/jjoOdZKZluyLCxJKiIr ckIewhglsYKxUngiYdqMXd0vIpSIcTJpdyuvctJKQY5b8AZl1FC9kzmdVeDSLjUlE49sURpsGCPm eJmMkjQpEx+HiLJIVG3UaFuSA+LIix8laTIm82VRvMQLe29m8xSD/IiN5FyFWtIEkUNWU0tup/Ct THjHHDP02IIQr0M99kni7Q/WkYBUBuFQXGmkwHIlN9Jkq0PxMp67Ys6YsmQHG9Sm1jIvvFUtywOd M5hEzYebwiQwZhaMAVmFYhBTFYPB/yWFCqohH7abrAR2jyxWLqDT0s7dY9076HNekszZlTrMUvUO +5Af/NybSSszLaYJhEoycvwytRO4OWc8xwnap7xBW8OgucdpiNXYXo+5PksdJES6sIY0xuET8dZv hVtykAw2JAbP3hgM3hucYoHbkIUrMlxgqyx2tSoknGY55heUhZa8JO+uk2ygiIvxWo5h5hOOw3g+ s7SKTZ0kg7lx1L0gdLCwykcL17YgsOtVBmYWwTjYgEJOpxWp+5VkJh1gDdkSJRkIAql9xrm0yOMq EjY4iZB2YZ1EAKE5JdXnWYeW8vnoSwyYV9LjFHN5Sa/T5YAXaYcnYqmcAlIgdWMtpHuSZYkUwrv3 yXFOr0vKs7A7iq3NARetH1N0LGTHSGDBHCgzwjmNCL3OnLQJOjK6S+KKmNL5iAOJLFLjmQGd+lnY ZsTexnlo2pDBb6QhC1C9HPqgCZsgc4Ga2XhY4jMTE5jhE3zPIUTgNyTuN6oxVCym6U3rSw83KMrj Mcm9HmcYmA0DBpuT/mvP5fyUY4cSNYkmOUpCpya1cLytK7G2SNDAOCe0N1T/pH4WL+Ptu/O3r671 2dUL/fz11YsL6rBd65ev32pfXA30i4vrd28vnr2nVzzw1esXFy8vnp/RA2J+fyhHjxugkjdHFjZ2 IDhmkRe3PjIQMoTanDIkGsq989R4eyWjaMLONE8puTiz9NB2BgQKqTdxI1ZVnX9EhgEnb4YXQxH7 zhvhbwfo2UJwA8WYpWaf00JrD8Q9xz3Y5A5vRXqR3o0CNTWzyHPaJrzl1huiQXTBanIHjcG+mIow 32w4NYvH4tMJ84KdY1kZ68XmzblDWc/zIpwTA4Ioz0BdQ9AOKL63TcaFkFvnZu5B0/5ZYyqFb1Zm QiLrfYvIiEAwhogH9QRakME7n1LGvEReka3PwjEJB13RjN5pr75DyPOcQrn3DA5xJo4BCthNnN5B 7tiBo5whvN8JQMi9XAlYbfOLziYZTBLwbBCyWIc3h1MJsYzKqtIl7PLIoKAeTMVQtByrosrWRO+D ckA6Nh54xMbUEEcRBvJZe4pqgXU5dR/zgqRbzgEcRpOSM6JeMzQVVu4hDNo5Qa+MqxJELGJuZIHP OXBhnxs47g/V9wJwdG1kRUVwm2jRPYI679SbjHMrmeBgKCDGLH9JwRqwmifzpWvjGFJvG1wTbE4y 9pAZskAFIAbnQ5i3Df5VJJp5ElV55VJZHTGHYzlsF0/m5OhIMNgEYwTPZHuUajzNRx6/iSg1yQxS AdMh85/qW2vn5BJkAR7dKZnmQsYi/EPlcScSSuVHmzcjZzOsQrkMe6tJKxrDILKpD1tAoCs6GAJv JQQ2v44yfAwquK0ZDVXVWpJKh8GrxzEItdOlg3Ok3q7FmUO5JisJwFt6KvWNjrmPMLTnGh618Bcl 3ftQmQfQzJZz2FiOx3dMUXZVbDaYEDF9ZFMS2TCi4rw4E3a3huKBz6Vip22gyaG9Gwh9gNcbUsm1 39yBMiP47Qa7hGkAcM+sFSORXTjbyuOP+YBSm35TBESmclJB1JiRLhdxzI8gWxYs9kju7U2OaTiK q+zTocZkeUvMEQohAsVUbXnDk1FD4WO0xgfbJgmgJtuSF4TjPcuXtojpRGaB5MxvGYAVZZ3W+ZmT VEf7WgmBXrFMg+cx7M7HVAR1EBVihPGrGJJCsGdKUeyNSRHXVMiAtiGBkPpl+1E/QPda9CHRZ7Ar xpVAtbH0Zrg6oPZUYSgNIc74zSPQIsC2akIRJdkov6SmLaXUEIX5vBKmx9NbBBkk+ltq0mMqYmTa gqIFF4ZybEtSg1IAlMigxZ6yLK8QXagJ6JMwO0Un4umNEc8wAf9ge+3TI0yL+mUQEFhtH94LhI96 Qr9pWHB3jT2+BevF4oO0WV1MYdVhfBq1aRryF5HTXOzmmq7jrcREptIgvN75fWQ5XD2mBNtJ2aWz 6Tj0HIMOwBuToFzHKb22BBG+dAmyjsgHEsQ6ESjsZh0h/LVKCmnBCMUVYsM+kHvom/DYmTQVuCfn s0ltr7xm4x5cjKqEsADe80UFZ33jhQVE5SRPETC01TUHnJf8bUT4gMszUONWLkGjghFigztosLPw PrIzWsB5vDeDjO+oDivJE9o+KJolxMMuOqA+Fveqm33mSG01++xKKwGJ+x3GrSxNTeeqrCeoFaNz dBW8JovZHHq4xpQQI6VJ4jpJRa0mFQ6sbcDpk5bQCEWhnxWikOpKQBrATTtE6jwBAQEMo4a4p5a4 V70i1RZ+mQAyK84W0g7BAy4+ZVuFnZgiRjJg/WOSXlCalubYO0wctI4JiFPuv5d1wPRy4mREwKjV /2Og6krVbh1hmFR3BZ1oAAUws9IIwLhTDS1NuXBoluLyRtl7W0j5Gxpn0huiFka6UditAiovAOdS 6maEcspthALY80VGpUUihzszinRmMiEpBbK+5pF9kFQ2EVKrWIsDJD/8CBLp03ej7/K0oqb+GFWv K/OC7s5JTG/2J9i3iUKjIsS/FncSNtmmqUrZmOWOPg7VV7ewyj2VkJJMA/w57FOOykcfqKcSeuDQ XlTJxShCZBvyr7oOHnfAPBxqRlHbQBSCAbXMvE9JSwMSaPDTWYScPCe4AvuttUHPUsu5rpCeMifC GTwDCGqXkjkxKQCqKUIG3ueD17aaCh9BgpJrutthBXvlRaCWz0yRwP6r0BhqmoSUdASNnUKEgxqR re/M1P7EkHug70yaCDnIjG5cl9x/k30treF73XlTVjBA4oCwHHhA7hFURsdZ0oDO5ECPgZE/4QoV AmU/WwSs7QXXttcBZ2GRPVNYlXgrR68qp6MHBn6SgH+ZDrbLX3by39BBtM266P40wAC7QatmZXzq EzMrSHL/yjnUli0TRuHumUnptrbEMw9j/LGttAfG3D7MCIlSpETZttbuCG0ESnpyc9Tz18ZaP++8 vN8aoJra6qgsh1wKae/o62oUssNIpA/oQsilc0A2boKKdMSEFz4WFHXM6sxJg+gwzndqu5UZ5Mkn oi+5aGgzLR252vVldcWry5LhPGaNLzz3f8jF7V1ftaCySyvHlYlxLo+S0BCDCxgyfPq7gkR6rVRn +fESh4tkLifKlLBVyF/EXOL7ZAx7qEOepqYNHJodYZffQvF3JHTCdsrNLWvcBjA7WNtP2134iI+y hu/H0WkeHw7WrZ4a1Lan9ahsl3ahpwwZjbgCUaSnfuMJM/OBEcAMFs3otCc7JI7lzyYEmjgK432/ Q4UcVUjR6pauBHTjJhMF3u7+qVJydMmbcQvzXC+lPGw33kO50dyVHpL8eA0ttKgTxGp5AJ3W+D4Z Gzr4U6DOS/sLGYyOjT+KZmvgNrVHtWGWJriO0ExcrhBYs74AtxmMMjG8qBjnO7UJVnaiJB1SED6u JtNWbE/8ibk0OWdzFE2tSyUtIivtopYw6NRA64cNZiArkkaQtGtQ/3ETXfBrG7V0sIQSSyXrtfdz auRyAeVTfQjnLahCp5nLcJVeMcZZMBrMty6/fXWKn3SuJDbIZ0WmojRQ+mRGWSQhRXbOPTewpWo/ DAImCM2HQnVwlZ4VCyMcs7N6KUMEhNbqCdbnb+HmQlI0129qxth15I8bnMTiwADqQTrowr9xlUpk SROD4pHh3rGoLpR37WqTTHJertRgLqGmZDicZtMJl9DLdhgiUMwmTmeYEyrxpW3bPcr1LT2E8C2K oX5Q6VbPPuTuDVW8JlRlBR/STZNRUkqrPjWL+vTeF4rr+xE6SC45nU2PlnIwxv2KDsBead73fINx a5O9L80dOnCMaquR9Y1v6nZ0XDKApWNq6jiGa0b/lYM94bhmX60IcaXE8VcdToZyjlImM+sByseg /s/suGxfalhxIG/8VCIHbwwhTYWDZP9GboqIE3d7ia0D/sAXvJtjUUnH2XbLYWi4QuHDU4LM4DuX 46rg86rOhRNfgzVN9S91XWz64OoDANs1RDHlI66h6nqSv6EiKAmVLX5GpKfGA/2RUisc8z5WKrJH Q30xlsTO7RS4aH0yQEkAVfuHKp5wL09ASqs6lTNnBSRKGceGQWOvz3B+QP0a3ZPT5lni7xb682q4 a2Vdf6BaVshgmOXIhkC20/P3X2hTwhWQHyMSlMth4SZS90Oepqt+cJPSI/16iRUfGchxm/gypQtq ftK6dWrcPleuXPj7TzS93dPPPRp3dGsH5uWSWZXCTa0cFskBBnLIxOPKJuqr9rFN67aehS65/d6a 5lP/mhIJegfD3OJ7/th//WaSCdqtb8/kVSpATu6I6iJfokxY7vKVgpZzt3BCWAXBT2Bvztdw8vqA zR+xxEgLEV3R4LZ9/Q1lJKMK7EO2yJGHCwt/5ZOMAVwF8Y4gJALP0ohq5zkeNqJgSCfqBSWtuh3E Sv4I+4LhWoc+aw0p+pNpmxKSlmKYbtJl4pSWUZ6kXiZBzhhVqUGkTYqomjmO2hLhRiZtQrhtk2/d RFXSlAznKWFQ61hi5eaqv0CZiQmp9rJ0gnrRabnNq4Ij2IaeGzRT+fzM38TrW7dPXHOtghr9MNWl 755xuy5c1PO9OmkcJOXSnwYp7mbLyNPu4lPjKxraXYvDcMrnb9LQpieFp1j6a5hNgd1RsYD+Qd1f VQmZvv+L/ZE/tY3qhDLnljwJTOtXrEebY3xzJUdN6F4H3Fqijl+mLsUXdIRf8Bkk3e5bY8nGKlg7 hy5fk/BtRB/P80wa3o4DJ99riVo1mwFY4kmnvolazevjXr5EtRfnmSggRvaJ+WYpX7XSbso2Q2CQ 03unWVDzGvhrgpFnUq6f1PclfBj0mVAC8fQ/27mW3raNIHznr1j4kgRQnKaHooGDAJS0ttjIpEJS dnSLbNGxEEk0RNuB/n3nm9kXJbkteumh3Etai/uandfOfLP1kn3Cck9qQjZlSBwWilkQ3WeA009z SbwhMlTPIgA31aG1EqvaPB6oZ75E/H5qk2v7cYp3BvW6p7GWTQCfQPrAgkP5YrSF0jK3U/CK5/6b nc9shfd00dHeHTnAEkEr8tWraa3j8BrAGn2+WEjcAUxAx/29wucP95xBb20xAL2QXZNcXCSK2G2l J9DM+WO7a6scwLzFwE7Amq4CkSeEqI6nxkxQLWASN5Kcup2LdQ10MTn5NUkwUiQNK/RgiSTnxJU2 wGjSjzf14gBlwM7Lh1NGwrwIRQelLPpiWz0vOXsrRw5Qs3kHoYnM2b8ASRcfAF4sxIn+pe0V2Fs4 BgsPGJMs/BLKndbePCy3DFu3YaYGgmt6SHkEVoinPCrusKiIxVas4gVwxFM4BKWkOYgRGQLJzrUZ DEeF+CrijThCOuMn2jT0ov1i87S+qbYeH2rvxhzNuePb+t63BxcJUZUBoM5Y2hMobwC1tnaEk56/ xbHJthgNHzwPAqhth9qCxGyG0C6q3lrUQGsqe8Aepgd2iI6ww8HefUJDiLA7RoK9JNnOYVhq6+fb LribHl/NsZoMgS79cmqdR4tBDaSDfYUD/Alj4UT/hijUxuTvWhK851QLp3GOGCJWte1DZDD0cN/9 Tdq4hs4KuHxkqOb+hvJ7070kr2dcwlGvKwhZE7E9cEHGxiGeTZkGjBjTnWMYJHnE8gu/FkDGv9fz FUs3y9722bKduAWkcp4Ezkv9fRCA/2QrfFp1MzJSva7dnR2VP4JtWJCCMWbEdfku+mS186VOaaau 4zyP03LG5//+VPX1IJ4WWpUjrSZ5dpHHlyopLCp2qM5zrVV2rgajOL/QPXyXa3wRjgWMbDAAfZXx /+uvpU5LNdH5ZVKWNFp/puLJhAbHExRqHF8TNfXXgZ6U6nqk0yjD8NcJracoY3RIUnWdJ2WSXvCA AOLmycWoVKNsPNQ5o3Xf0ezcUU3ivEx0EdE6rpJhe1MncUHLPlHXSTnKpqVbPDYXpzP1OUmHPaUT Hkh/neS6oP1HNHZySSvW9GOSDsbTIQOB+zRCmpVEJ9oZrbPMmDT2Wzs6LYbGjy51TvRLy7ifjBOa Esjh86RMaQrGF8ey8sF0HNMmpvkkKzTiNyAhDUIEz5Pis4qLyBD2yzR2AxF1aYzLOB3wQe0dJLar ZtkUVoP2PR7ig8h+AEJpNdTnelAmV3S89CVNU0wvtaF3UTKBxmOV6gGtN85nqtD5VTIAHaJcT+KE yA+MdJ5jlCwV3fLrKQ6PuERfgQem6Ri7zfWXKe3nCCdgjPiCuA3EDM49uk5ocpzQ/uH3uAv94A9/ RmyUqct4JsDsmWEPWqZDbre5gpjCc2fcz0CDPq0n4WXRQkAQHNEwvowvdNGLHBPw1AZM3lPFRA8S /Af9TqxHZz0WqpAUfZniFOkPZhAV03Fia+BDc2SQQfBaanmE5t6Xy9d+7j3+A1+MswLMRpOUseIV 0799ja9znRK9WJziwWCak2jhC/Sg1RRTErYk5UOJsF+W5iQfWnliOqvzOBlP8wMeo5kzIiGGZF5z B2KZrHjTYx5QyTlNNRiZ01MtqZ2pER1FX9Nn8fAqgeaReSKShSIxNMnMCIaOrNi4+pT2x98fAfAD +49PRgKTivk2KhHWku0//XEGhZuSs2OsXAMONpZxQYZ1VT+QcTbekMdRBvVtBqVnjOV3rv9oHiP3 Ss5T4+yPXO3MjRtXBgQTOCZ9jyuGOD2Cc2cbtHyM2rZAbKAr2AEwqRXcDEpBXbLYhg9tRZwNyT4+ zk3KybtGDsxrPUcJQxBF+CrUzO+wNazY9V7bjxnfxzkm/GJyLMgMumJRqUARzCA5CM/VzuSsyHlv jJvmwcYM4cFQPEZzz4EUduxstp99+BPnDpzgUTsTtlIPNd+AGIrDSD7e6JMkHbi6EXadiGRAkB9B T+5vEQMBAV6Rs4YMlQx9Q3ePO0Umfy5gojlzAaPCP/FY7frqj0AifKIZeAhYfXZ6Psm8fC8NCoha 533mqhtbpyzery8OEwTl43G457FKY4/Mblp+o0Prvewo+UIKqSy3k4x9MoxHed1GSb859J9PjxMg TMWaa9g9UD2Phs7W6SKxouOUR6VwobHGHUrIGvgzV4FhUoUc3l0xYtBCOsnRxhD7dpqI+w/MdFEx n0SuwOiFixwfFVfx4p7VmK0jsB7ytQdStHAiLw9s4BFBGtPT8gz3WeL1v3KBuf9+mX/v3xf0RxGq EjlGEIJEEEcTFczYAqmzhLtcAau2rTe0IykIJO9f8QMmHPhs4TVa+NSe1Y+2rGQOQm4dpJcfwuRg NsMf6TvWTo3UVLSQriRClcFTXWzIxX4W394y+G8fenvyDHFWbVk+6H1LdwlTQRr3i2xMvsd4FvrN Z8wThh0UHkxU37h29eerUy8W+/rA2x42BtUK84Cue+qBRzCVVC56ZC9kZ+F0t6/ChZwKcOV+94Br Hme5PObbro/X4Hob/rV1t63aktYt8sXqs+yOEysmF+Ln48RxgxjnDuENZNw4H0y3NI4vBKVPR5dm KpkkTs/yf1NF65qGfHtLK/jBYY11tXkiglXr5u1baHK+SjdPS8nruop/U0NiNsvQPBQj8ycVaZR6 R91e27p3B0Y2vdfV9o2SSu5t1OACv5JMx0bw7Eg1o4zOh+Z8Ac6Jr1Ox/sfyLtqgUL6Res2RwanP gaJ4WJHRYAwV9wGbSrXFrN7Vi92msjIOm3izcxMJOsgvgCUEHopRwWZyGuhbwOevkB5jxCBJYyMF vY0yOBXAYJo3LqRGk/2B1ajR/PZHtWUV+FGAJCj9Ji4pdyRp9eZTT70nX227XPHTJHBa5Ice3uto lrbC64o4yMR1X1C7Lspi8kY+wgH+Cc+XYxtRUAfrnhxwSbZtqIrmSNFua2SooWz4YQkXooksOpzr M6H2xVZx8lFWgrcisYZwxiCu3jhUSmQGtyEkUQo/LUjUFnUvyKGz9TNH3rqIjr91cRja/K+ftula 17rWta51rWtd61rXuta1rnWta13rWte61rWude1/2/4E14/z5QB4AAA=