Bugtraq mailing list archives
Re: 1+2=3, +++ATH0=Old school DoS
From: agonzale () NLAREDO GLOBALPC NET (Adrian Gonzalez)
Date: Mon, 28 Sep 1998 13:29:06 -0500
Hello,

We're an ISP and have several dedicated customers over ISDN lines, using TA's such as the Motorola Bitsurfr Pro and the 3com Impact IQ. So far, I didn't find either of these ISDN modems to be vulnerable, but while testing, I came up with the idea of using this 'feature' to 'patch' a vulnerable modem:

    ping -c 1 -p 2b2b2b415453323d32353526574f310d host

This sends a single packet with the string + + + ATS2=255&WO1 (No spaces, of course) to the host, which changes the escape char remotely. It also sends the O1 command, which is supposed to bring the modem out of command mode and maintain the connection; however, I found that most modems just hung up, possibly because of the &w command.

Why is this useful? Well, I've used it to remotely patch the modems of several customers which have dedicated analog lines with us. 6 of the 11 modems I tested were vulnerable, the patch worked on all 6, but only 2 of them were able to maintain the connection after the &w. I tested 2 Terminal adapters, neither were vulnerable.

-Adrian Gonzalez
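As an added example (not part of the original post): a small Python check that decodes the ping pattern quoted above and flags in-band Hayes escape sequences in packet data, the way a filter or IDS rule on an access server might. The function names and sample payloads are constructed for illustration; the 8-byte zero prefix is an assumed stand-in for ping's timestamp.

```python
import re

# "+++" escape followed by an AT command line terminated by CR (0x0d).
HAYES_RE = re.compile(rb"\+\+\+AT([^\r]*)\r", re.IGNORECASE)
# One AT command: S-register write, &-command, or basic letter command.
CMD_RE = re.compile(r"S\d+=\d+|&[A-Z]\d*|[A-Z]\d*")

# Pattern bytes exactly as given to `ping -p` in the post.
PATCH_HEX = "2b2b2b415453323d32353526574f310d"


def hayes_commands(payload: bytes) -> list:
    """Return the AT commands of the first in-band escape sequence, or []."""
    match = HAYES_RE.search(payload)
    if not match:
        return []
    line = match.group(1).decode("latin-1").upper()
    return CMD_RE.findall(line)


def assess(payload: bytes) -> dict:
    """Summarise what an embedded command line would do to a vulnerable modem."""
    cmds = hayes_commands(payload)
    return {
        "commands": cmds,
        "hangup": any(c in ("H", "H0") for c in cmds),           # ATH0 from the thread subject
        "sets_escape_char": any(c.startswith("S2=") for c in cmds),  # S2 is the escape character register
        "writes_nvram": any(c.startswith("&W") for c in cmds),   # &W stores the settings
    }


# Constructed sample payloads (not captured traffic).
SAMPLE_PATCH = bytes(8) + bytes.fromhex(PATCH_HEX) * 3
SAMPLE_HANGUP = bytes(8) + b"+++ATH0\r" * 6
SAMPLE_BENIGN = bytes(8) + bytes(range(0x10, 0x40))

if __name__ == "__main__":
    for name, data in (("patch", SAMPLE_PATCH),
                       ("hangup", SAMPLE_HANGUP),
                       ("benign", SAMPLE_BENIGN)):
        print(name, assess(data))
```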