Bugtraq mailing list archives

Re: 1+2=3, +++ATH0=Old school DoS

From: agonzale () NLAREDO GLOBALPC NET (Adrian Gonzalez)
Date: Mon, 28 Sep 1998 13:29:06 -0500


Hello

We're and ISP and have several dedicated customers over ISDN lines, using TA's
such as the Motorola Bitsurfr Pro and the 3com Impact IQ.

So far, I didn't find either of these ISDN modems to be vulnerable, but while
testing, I came up with the idea of using this 'feature' to 'patch' a
vulnerable modem:

ping -c 1 -p 2b2b2b415453323d32353526574f310d host

this sends a single packet with the string + + + ATS2=255&WO1  (No spaces, of
course) to the host, which changes the escape char remotely.  It also sends
the O1 command, which is supposed to bring the modem out of command mode and
maintain the connection, however, I found that most modems just hung up,
possibly because of the &w command.

Why is this useful?  Well I've used it to remotely patch the modems of several
customers which have dedicated analog lines with us.

6 of the 11 modems I tested were vulnerable, the patch worked on all 6, but
only 2 of them were able to maintain the connection after the &w.

I tested 2 Terminal adapters, neither were vulnerable.

-Adrian Gonzalez

Current thread:

Re: 1+2=3, +++ATH0=Old school DoS, (continued)
- - Re: 1+2=3, +++ATH0=Old school DoS kill9 (Sep 28)
    - Re: 1+2=3, +++ATH0=Old school DoS Kevin Day (Sep 28)
    - Re: 1+2=3, +++ATH0=Old school DoS Ross Wheeler (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS *unknown* (Sep 28)
  - Re: 1+2=3, +++ATH0=Old school DoS Jason (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Tudor Bosman (Sep 28)
- Re: 1+2=3, +++ATH0=Old school DoS Daniel Hauck (Sep 27)
- Re: 1+2=3, +++ATH0=Old school DoS Pete Gonzalez (Sep 27)
  - Re: 1+2=3, +++ATH0=Old school DoS John M. Flinchbaugh (Sep 28)
    - SHADOW group research indicates distributed probes and attacks Patrick Oonk (Sep 28)
    - Re: 1+2=3, +++ATH0=Old school DoS Adrian Gonzalez (Sep 28)
    - Modem ATH0 thread route () RESENTMENT INFONEXUS COM (Sep 28)
    - IRIX 6.2 passwordless accounts exploit? Dan Stromberg (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? D.A. Harris (Sep 28)
    - Re: IRIX 6.2 passwordless accounts exploit? Eugene Bradley (Sep 28)
    - Re: Solaris non-root login (was: IRIX 6.2 pass...) Richard Yates SPG (Sep 29)
    - mountd- more info (sorry) John Caldwell (Sep 28)
    - Bay Accelar 1000 series Steven Hearon (Sep 28)
    - Re: mountd- more info (sorry) RHS Linux User (Sep 29)
    - rpc.mountd vulnerabilities tiago (Sep 29)
    - Re: rpc.mountd vulnerabilities morex .- (Sep 29)

(Thread continues...)