Re: Re: 1+2=3, +++ATH0=Old school DoS (fwd)

Serge Trylis (tryk@lucky.net)
Tue, 29 Sep 1998 00:31:24 +0300

----- Forwarded message from Valentin Klinduh <valik> -----

From: Valentin Klinduh <valik>
Message-Id: <199809282059.XAA02324@burka.carrier.kiev.ua>
Subject: Re: 1+2=3, +++ATH0=Old school DoS (fwd)
To: staff
Date: Mon, 28 Sep 1998 23:59:23 +0300 (EEST)

They're having fun.....

------------

Hello

We're an ISP and have several dedicated customers over ISDN lines, using TAs
such as the Motorola Bitsurfr Pro and the 3com Impact IQ.

So far, I didn't find either of these ISDN modems to be vulnerable, but while
testing, I came up with the idea of using this 'feature' to 'patch' a
vulnerable modem:

ping -c 1 -p 2b2b2b415453323d32353526574f310d host

This sends a single packet with the string + + + ATS2=255&WO1 (no spaces, of
course) to the host, which changes the escape char remotely. It also sends
the O1 command, which is supposed to bring the modem out of command mode and
maintain the connection; however, I found that most modems just hung up,
possibly because of the &w command.

Why is this useful? Well, I've used it to remotely patch the modems of several
customers who have dedicated analog lines with us.

6 of the 11 modems I tested were vulnerable, the patch worked on all 6, but
only 2 of them were able to maintain the connection after the &w.

I tested 2 terminal adapters; neither was vulnerable.

-Adrian Gonzalez

----- End of forwarded message from Adrian Gonzalez -----

-- 

Sorry for the uneven handwriting! (c) Frippi

----- End forwarded message -----

-- 

Keep Talking!...

WBR, Serge Trylis
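
A defensive counterpart to the thread above, added here as an example and not part of the original messages: a Python check that flags packet payloads carrying the in-band +++ escape followed directly by an AT command line, and reports what the embedded commands would do. The function names and sample payloads are constructed for illustration.

```python
import re

# "+++" followed directly by an AT command line ending in CR. A modem that
# honours the escape without a guard time acts on these bytes when they
# show up in its data stream.
ESCAPE_CMD = re.compile(rb"\+\+\+(AT[^\r\n]*)\r", re.IGNORECASE)
# One sub-command: optional "&", a letter, optional digits, optional "=value".
SUBCMD = re.compile(r"&?[A-Z]\d*(?:=\d+)?")


def split_commands(at_line: str) -> list:
    """Split 'ATS2=255&WO1' into ['S2=255', '&W', 'O1']."""
    return SUBCMD.findall(at_line[2:].upper().replace(" ", ""))


def scan_payload(payload: bytes) -> list:
    """Return one finding per in-band escape + AT line found in payload."""
    findings = []
    for m in ESCAPE_CMD.finditer(payload):
        cmds = split_commands(m.group(1).decode("ascii", "replace"))
        findings.append({
            "offset": m.start(),
            "commands": cmds,
            "hangup": any(re.fullmatch(r"H0?", c) for c in cmds),
            "sets_escape_char": any(c.startswith("S2=") for c in cmds),
            "writes_nvram": "&W" in cmds,
        })
    return findings


# Constructed samples: ping repeats the -p pattern to fill the packet data.
PATTERN = bytes.fromhex("2b2b2b415453323d32353526574f310d")
SAMPLE_PATCH = PATTERN * 3
SAMPLE_HANGUP = b"\x00" * 8 + b"+++ATH0\r" * 2
SAMPLE_BENIGN = b"abcdefghijklmnopqrstuvwabcdefghi"

if __name__ == "__main__":
    for name, data in [("patch", SAMPLE_PATCH), ("hangup", SAMPLE_HANGUP),
                       ("benign", SAMPLE_BENIGN)]:
        print(name, scan_payload(data))
```

Run over captured ICMP or other payload bytes, the same function separates the hang-up string from the subject line from the S2 rewrite described in the message.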