Title: Paros proxy 3.2.5 and below blank "sa" database password

Summary:

      Paros is an intercepting HTTP/HTTPS proxy for use in security testing web applications.


      Paros version 3.2.5 and below may contain a flaw where a remote attacker can connect to a
      database port opened on the machine running Paros, without supplying any credentials.

      The problem stems from use of a blank "sa" password on the open-source database ("HSQLDB")
      which is integrated with Paros.


      The database server (which is written in Java) contains functionality for executing arbitrary Java
      statements. This is how HSQLDB provides stored procedure functionality.


Impact of successful exploitation:


      The issue may result in disclosure of confidential data, and possible execution of commands on
      the victim machine.

      A remote attacker may find credentials for web applications, valid session IDs, and confidential
      data downloaded from the website being tested with Paros. This information is present in the
      database.


      Additionally, the possibility of executing Java statements on the database server may mean that
      an attacker can gain access to files or execute commands at the OS level (by performing the
      Java equivalent of a "system()" call). This has not been investigated fully, but appears possible.


History:

      The overall time-to-correction was EXCEEDINGLY fast:

      October 3rd 2005:        Problem discovered / reported
      October 7th 2005:        Issue re-reported via sourceforge, as mail appeared lost in transit
      October 7th 2005:        Paros developer releases updated version where DB listens on localhost only


Countermeasures:


      Upgrade to version 3.2.6.
      Firewall the host running Paros.
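The two countermeasures above (and the fixed 3.2.6 behaviour of listening on localhost only) can be checked on a host without touching the database. The following is an added example, not code from the advisory or from the Paros or HSQLDB projects: one check parses `ss -ltn`-style socket listings and flags HSQLDB-default ports (9001 for hsql://, 554 for hsqls://) bound to anything other than a loopback address; the other parses an HSQLDB `server.properties` file and flags a missing or non-loopback `server.address` (HSQLDB listens on all interfaces when that key is absent). The sample socket listing and property files are constructed for the example; the database path in them is a placeholder. Checking the blank "sa" password itself needs a JDBC connection and is not covered here.

```python
"""Audit checks for an exposed HSQLDB listener (added example, not from the advisory)."""
import ipaddress
import re

# HSQLDB default listener ports: 9001 for hsql://, 554 for hsqls:// (TLS).
HSQLDB_PORTS = {9001, 554}

# Local-address column of `ss -ltn`: "0.0.0.0:9001", "[::]:9001", "*:22", "127.0.0.1:9001".
_LOCAL_RE = re.compile(r"^(\[[^\]]*\]|[^\s:]+):(\d+)$")


def _is_loopback(addr: str) -> bool:
    """True only for 127.0.0.0/8, ::1 or the literal name 'localhost'."""
    addr = addr.strip("[]")
    if addr in ("", "*"):          # wildcard bind: reachable from everywhere
        return False
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return addr == "localhost"


def exposed_listeners(ss_output: str, ports=HSQLDB_PORTS):
    """Return (address, port) for LISTEN sockets on database ports that are not loopback-bound."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":   # skips the header line too
            continue
        m = _LOCAL_RE.match(cols[3])
        if not m:
            continue
        addr, port = m.group(1), int(m.group(2))
        if port in ports and not _is_loopback(addr):
            findings.append((addr, port))
    return findings


def server_properties_findings(text: str):
    """Flag an HSQLDB server.properties whose server.address is unset or not loopback."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        key, _, value = line.partition("=")
        props[key.strip()] = value.strip()
    findings = []
    address = props.get("server.address")
    if address is None:
        findings.append("server.address not set: HSQLDB binds all interfaces by default")
    elif not _is_loopback(address):
        findings.append(f"server.address={address} is not a loopback address")
    return findings


# Constructed sample: two HSQLDB sockets bound to all interfaces, one to loopback, plus SSH.
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       50      0.0.0.0:9001         0.0.0.0:*
LISTEN  0       50      [::]:9001            [::]:*
LISTEN  0       50      127.0.0.1:9001       0.0.0.0:*
LISTEN  0       128     *:22                 *:*
"""

# Constructed: the weak setting (no server.address) beside the corrected one.
WEAK_PROPERTIES = """\
server.port=9001
server.database.0=file:/path/to/db
server.dbname.0=
"""
HARDENED_PROPERTIES = """\
server.address=127.0.0.1
server.port=9001
server.database.0=file:/path/to/db
server.dbname.0=
"""

if __name__ == "__main__":
    for addr, port in exposed_listeners(SAMPLE_SS):
        print(f"exposed HSQLDB listener: {addr}:{port}")
    for sample in (WEAK_PROPERTIES, HARDENED_PROPERTIES):
        print(server_properties_findings(sample) or ["server.properties OK"])
```

On a live host, feed `exposed_listeners` the output of `ss -ltn` (or `netstat -ltn`, whose address column has the same shape) and point `server_properties_findings` at the file HSQLDB was started from; a finding from either means the countermeasures above still apply.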



Demonstration:


To demonstrate this, first start Paros on the victim host (here, 192.168.0.1).


On the attacking host, ensure HSQLDB is installed, and add the following lines to the file
$HOME/sqltool.rc on the attacking host:

      # connect to victimhost as sa, victimhost has IP 192.168.0.1
      urlid victimhost-sa
      url jdbc:hsqldb:hsql://192.168.0.1
      username sa
      password


To connect using the "victimhost-sa" block above run:


      java -jar $HSQLDB_HOME/hsqldb.jar victimhost-sa

At this point, it is possible to pull data from the tables in the database (browsing state, history, credentials).


The page at http://hsqldb.org/doc/guide/ch09.html#call-section also states it is possible to execute Java statements
by writing them in the format "java.lang.Math.sqrt"(2.0).


Andrew Christensen
FortConsult ApS
Tranevej 16-18
2400 København NV
tlf. (+45) 7020 7525
www.fortconsult.net


FortConsult is the first firm in Scandinavia to be certified by VISA and MasterCard to perform security reviews of companies' critical payment systems.
FortConsult is the only Scandinavian firm certified by VISA to perform security audits on critical card-payment systems.
