lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: cstone at pobox.com (cstone)
Subject: Ancient Trivia: +++ath0

On Wed, Mar 17, 2004 at 08:42:55PM -0500, Luke Scharf wrote:
> As the old BBS'ers and even older folks know, the string "+++ath0" will
> disconnect a modem.  Once upon a time, I had this string in my e-mail
> signature.  Some folks using Windows and a dialup line couldn't respond
> to my e-mail, even though the e-mail was being sent via PPP and all that
> good stuff.  Everyone could receive the mail, though, so I'm assuming
> that the ISP was was running a decent implementation of PPP -- although
> since I haven't used modems in years, I can't rule out that the ISP was
> using some sort of non-Hayes modem.

> Does anyone know what versions of windows had this particular bug in the
> PPP implementation?  Were any other systems affected?

This wasn't a Windows bug; instead, it was a flaw in most
non-Hayes* modems.  These commands (the +++ escape and ATH0) are only
meaningful when they're sent outbound through the modem; this is why
everyone was able to read your message, but were unable to reply--
their replies entailed sending the message, +++(command) included,
over the wire.  

If TCP/IP over PPP is involved, there's a chance that the +++ may be 
split into different packets -- in this case, the data would
go through just fine -- but it's more likely that it all gets sent
right next to each other when it actually goes through the modem.

This has made the rounds of bugtraq and other security forums a few
times, usually with mentions of "exploits" involving ICMP echo
and/or IRC.  (For an example of this, see
http://www.geocrawler.com/archives/3/91/1998/9/0/198214/)

* = Hayes has a patent on a scheme to protect against unintentional
triggering of the escape sequence; on their modems, you have to
wait a specific amount of time before and after the +++ before
issuing a command.  
 


Powered by blists - more mailing lists