Tugger the SLUGger!SLUG Mailing List Archives

Re: [SLUG] x-Fnord


On Sun, Sep 16, 2001 at 09:44:15PM +1000, getadog wrote:
> On Sun, Sep 16, 2001 at 06:10:09PM +1000, Doug Stalker wrote:
> > This used to work many years ago in the days of dialup BBSes.  I suspect
> > that it won't do anything at all now, as the modem will only accept the
> > escape sequence from the local side to avoid a potential DOS attack.
> 
> You're right, but there are two modems in a dialup link.
> 
> [PC]-DTE---[Modem1]---Line---[Modem2]---DTE-[Router]--(internet)
> 
> (The DTE is the local side)
> 
> If someone from the internet sends the PC the magic + + + sequence,
> (in the right to left direction) Modem1 won't act on it because it 
> receives it from the line (as stated above), but Modem2 receives it 
> from the DTE (the local side), so it can potentially act on it. 
> (assuming Modem2 is a standalone modem that hasn't been configured 
> properly and without the guard time)

Which there are very (very) few of. Very few ISPs still use standalone
modems, and even for those that do they are generally using better
quality modems which do support the "guard time" and thus are not
vulnerable to this problem, and/or they are running their modems in
"dumb" mode where they do not accept +++ or AT commands anyway.

> I've been told I'm wrong because the + + + wasn't issued locally
> (what ever that means). Am I wrong? Please educate me.

You're only wrong in the sense that the chances of the above being a
problem is next to zero.  The normal way that this problem is exploited
is using a ping packet TO the host with the faulty modem. The ping
packet goes from right to left in your diagram, and is received by your
PC, which then sends a return ping packet back containing the data sent
to it in the original ping packet!  ie, if someone sends you a ping with
the relevant text in it, then you will send the exact same text back to
them. As the text is now going left to right in your diagram, your modem
will hangup if it's vulnerable.

  Scott