SecureMac, Inc.

StaticUsers.net – Modem Security Flaws

June 2, 2001

Information

A lot of this information was gathered from other sources on the Internet. This flaw is old, just not well publicized. Now that it is, we can cover it a little more and explain why it happens and what damage it can cause. This is a Denial of Service attack in most cases. There are a lot of scripts out there to execute this DoS attack, so watch out.
An excellent source for more information is the Macintouch ModemSecurity Page.

Views

This affects more than Macintosh modems. Linux dialup users have seen this as a problem for a long time, and a lot of Windows modems are affected by this DoS as well.

The Security Flaw – Or Problem

Below is a well-written explanation of the problem, originally sent in by Robert Wong to Macintouch.com.

From: “Wong,Robert
Subject: modem guard problem
Date: Thu, 24 Jun 1999 10:35:53 -0700

Hi,
A long time ago, I used to administer the ZyXEL modem FAQ. One of the questions was about how the ZyXEL modems dealt with the modem guard sequence. If you read onwards, you will notice an excerpt from BoardWatch mag. This excerpt describes how ZyXEL got around the Hayes patent. RWW.

Subject: T.6 How do ZyXEL modems deal with escape sequences?

Byte Magazine, V18, N8, July 1993, pg 184 has a good background article about escape sequences. The information below is a less technical explanation of escape sequences.

An escape sequence switches a modem from transmission mode to command mode.
Sometimes, an AT command needs to be issued to the modem when it is on-line and connected with another modem. Since the modem is on-line, typing an AT command would send the AT command down the connection to the other modem. Thus the local modem never receives and acts on the AT command. An escape sequence is needed to bring the local modem into command mode (without dropping the connection to the other modem).

One escape sequence is to drop the DTR (Data Terminal Ready) signal on one of the wires in the serial cable. This is a reliable escape sequence. Some hardware platforms do not have a wire for the DTR signal and therefore cannot perform this escape sequence. Another type of escape sequence is needed.

An alternate escape sequence is a pause, followed by three escape characters, and then another pause. This escape sequence then puts the modem into command mode, allowing entry of AT commands. (The pauses prevent the modem from mistaking escape characters in the data stream for “true” escape characters in an escape sequence.)

Hayes has a patent on the pause, escape characters, and pause technique. Other modem manufacturers are required to pay royalties to Hayes for use of its patent. Some modem makers are not using the Hayes patent or any other method of distinguishing real escape characters. This causes factory configured modems from these modem manufacturers to inadvertently go into command mode when the Hayes test file is transmitted.

Taken from Byte Magazine, V18, N8, July 1993, pg 184 without permission: “Zyxel [sic] has its own algorithm, for which it claims compatibility with existing code. Since the Zyxel [sic] algorithm is proprietary, we can’t comment on its strength or weakness. However, it caused no problem in our testing.”

Taken from BoardWatch Magazine, V6, N9, November 1992 without permission: “To illustrate the technical elegance of this [ZyXEL] modem, recall our article on the Hayes brouhaha over their fixed guard time escape sequence under the Heatherington 302 patent. Hayes has licensed numerous modem manufacturers to use this escape sequence. A few have not licensed it and often, their modems will escape to command mode while transmitting files containing +++ escape sequences. Hayes caused something of a furor in July by releasing a text file that if transmitted by many modems that don’t use the guard time escape sequence technique, would abort the transfer and improperly escape to command mode. Multitech’s modems fail the test rather awkwardly. The ZyXEL modem does NOT license the Hayes escape sequence.

According to Gordon Yang, they use a proprietary variable sampling algorithm that does the job at least as well. We tried the ZyXEL on the Hayes test file – and sure enough, it worked like a champ. ZyXEL appears to have engineered a way around the escape sequence controversy. Yang indicates that they could conceivably publish the algorithm. If they did, this would take some serious steam out of the Hayes licensing program.”

Date: Wed, 23 Jun 1999 18:07:13 -0500
From: Matt
Subject: Modem Flaw

Well it appears the flaw is not limited to just GV modems. I have a BestData 56k Speakerphone modem connected to a SuperMac S900, and emailed myself the + + + A T H command in the subject and the body and was kicked offline immediately.
“Widespread problem” could be an understatement with something so simple able to kick so many people.
Many thanks to MacInTouch for making us aware of this and providing workarounds for it.
Matt Perkins

John Gibbs tried sending an email to himself containing “+++” “ATH” (without the quotes) and said he got hung up on. If you are downloading a lot of mail and you hit an email like this, it will cause you to disconnect, and when you reconnect and check your mail via POP3 you will have to start the download over in most cases. Fixing this would involve trying to check your email through a web-based interface, or having your system administrator delete the message manually.

Fixing the problem?

On IRC, you can send a /ctcp nickname +++ “ATH” (without the quotes) and disconnect a user. Of course, those IRC kiddies have made mass scripts that join channels and send the CTCP command to everyone, disconnecting users en masse. I suggest checking out a freeware program called HipScript, or one of the other CTCP flood protection scripts out there.

For everyone else, you will want to modify your modem script: open it in a text editor, look for S2=, and change the value to 127, so that it reads S2=127. This will fix most modems.
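Why the guard time described in the FAQ excerpt matters, and why the S2=127 change helps, shown as a small simulation; this is an added example, not part of the original article or any modem's firmware. The 1-second guard time, the 1 ms byte spacing and the sample data are constructed, and S2 is treated as the register holding the escape character's ASCII code (43, "+", by default).

```python
"""Simulated escape detection on a timed byte stream (illustrative model only)."""

GUARD = 1.0  # assumed guard time in seconds


def timed(data, start=0.0, gap=0.001):
    """Constructed input: bytes arriving back-to-back, `gap` seconds apart."""
    return [(start + i * gap, b) for i, b in enumerate(data)]


def escapes_without_guard(stream, s2=43):
    """No guard time: any three consecutive escape bytes enter command mode."""
    run = 0
    for _t, byte in stream:
        run = run + 1 if byte == s2 else 0
        if run == 3:
            return True
    return False


def escapes_with_guard(stream, end_time, s2=43, guard=GUARD):
    """Pause, three escape bytes, pause: needs `guard` seconds of silence on both sides."""
    for i in range(len(stream) - 2):
        trio = stream[i:i + 3]
        if any(b != s2 for _t, b in trio):
            continue
        prev_t = stream[i - 1][0] if i > 0 else float("-inf")
        next_t = stream[i + 3][0] if i + 3 < len(stream) else end_time
        if trio[0][0] - prev_t >= guard and next_t - trio[2][0] >= guard:
            return True
    return False


def demo():
    # Constructed mail data carrying the string from the article inside the stream.
    inband = timed(b"Subject: +++ATH\r\nbody text\r\n")
    inband_end = inband[-1][0]
    # Constructed deliberate escape: data, about 2 s idle, "+++", 2 s idle.
    operator = timed(b"data") + timed(b"+++", start=2.0)
    return {
        "no_guard_inband": escapes_without_guard(inband),         # the flaw
        "guard_inband": escapes_with_guard(inband, inband_end),   # data ignored
        "guard_operator": escapes_with_guard(operator, 4.0),      # real escape works
        "no_guard_s2_127": escapes_without_guard(inband, s2=127), # the S2=127 fix
    }


if __name__ == "__main__":
    print(demo())
```

With S2=127 the modem no longer looks for "+" at all, so "+++" arriving inside mail or IRC traffic is passed through as ordinary data.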

I do not rate this highly. It's not one of the best attacks, but you should get yourself familiar with it!
