Re: 1+2=3, +++ATH0=Old school DoS

agonzaleNLAREDO.GLOBALPC.NET

• Messages sorted by: [ date ][ thread ][ subject ][ author ]
• Next message: routeRESENTMENT.INFONEXUS.COM: "Modem ATH0 thread"
• Previous message: John M. Flinchbaugh: "Re: 1+2=3, +++ATH0=Old school DoS"
• In reply to: John M. Flinchbaugh: "Re: 1+2=3, +++ATH0=Old school DoS"
• Next in thread: *unknown*: "Re: 1+2=3, +++ATH0=Old school DoS"

Hello

We're and ISP and have several dedicated customers over ISDN lines, using TA's
such as the Motorola Bitsurfr Pro and the 3com Impact IQ.

So far, I didn't find either of these ISDN modems to be vulnerable, but while
testing, I came up with the idea of using this 'feature' to 'patch' a
vulnerable modem:

ping -c 1 -p 2b2b2b415453323d32353526574f310d host

this sends a single packet with the string + + + ATS2=255&WO1  (No spaces, of
course) to the host, which changes the escape char remotely.  It also sends
the O1 command, which is supposed to bring the modem out of command mode and
maintain the connection, however, I found that most modems just hung up,
possibly because of the &w command.

Why is this useful?  Well I've used it to remotely patch the modems of several
customers which have dedicated analog lines with us.

6 of the 11 modems I tested were vulnerable, the patch worked on all 6, but
only 2 of them were able to maintain the connection after the &w.

I tested 2 Terminal adapters, neither were vulnerable.

-Adrian Gonzalez

• Next message: routeRESENTMENT.INFONEXUS.COM: "Modem ATH0 thread"
• Previous message: John M. Flinchbaugh: "Re: 1+2=3, +++ATH0=Old school DoS"
• In reply to: John M. Flinchbaugh: "Re: 1+2=3, +++ATH0=Old school DoS"
• Next in thread: *unknown*: "Re: 1+2=3, +++ATH0=Old school DoS"