Full Disclosure mailing list archives

Re: Ancient Trivia: +++ath0


From: cstone <cstone () pobox com>
Date: Wed, 17 Mar 2004 20:30:39 -0600

On Wed, Mar 17, 2004 at 08:42:55PM -0500, Luke Scharf wrote:
> As the old BBS'ers and even older folks know, the string "+++ath0" will
> disconnect a modem.  Once upon a time, I had this string in my e-mail
> signature.  Some folks using Windows and a dialup line couldn't respond
> to my e-mail, even though the e-mail was being sent via PPP and all that
> good stuff.  Everyone could receive the mail, though, so I'm assuming
> that the ISP was running a decent implementation of PPP -- although
> since I haven't used modems in years, I can't rule out that the ISP was
> using some sort of non-Hayes modem.
>
> Does anyone know what versions of windows had this particular bug in the
> PPP implementation?  Were any other systems affected?

This wasn't a Windows bug; instead, it was a flaw in most
non-Hayes* modems.  These commands (the +++ escape and ATH0) are only
meaningful when they're sent outbound through the modem; this is why
everyone was able to read your message, but was unable to reply--
their replies entailed sending the message, +++(command) included,
over the wire.  

If TCP/IP over PPP is involved, there's a chance that the +++ may be 
split into different packets -- in this case, the data would
go through just fine -- but it's more likely that it all gets sent
right next to each other when it actually goes through the modem.

This has made the rounds of bugtraq and other security forums a few
times, usually with mentions of "exploits" involving ICMP echo
and/or IRC.  (For an example of this, see
http://www.geocrawler.com/archives/3/91/1998/9/0/198214/)

* = Hayes has a patent on a scheme to protect against unintentional
triggering of the escape sequence; on their modems, you have to
wait a specific amount of time before and after the +++ before
issuing a command.  
 

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
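
The guard-time protection described in the footnote above, as an added sketch that is not part of the original post: a toy Python model of a modem's escape detector, run once with no guard time and once requiring silence before and after the `+++`. The 1-second guard value, the function name and the sample traffic are assumptions constructed for this illustration.

```python
GUARD = 1.0  # seconds of silence required; assumed figure, the post gives none

def hangs_up(chunks, guard):
    """Return True if the modelled modem drops the line for this outbound traffic.

    chunks: list of (time_in_seconds, bytes) writes from the host to the modem.
    guard:  0 models a modem with no guard time, >0 the protected scheme.
    """
    state, plus_run, lead_ok, cmd = "DATA", 0, False, b""
    last_t, esc_t = float("-inf"), 0.0
    for t, data in chunks:
        for byte in data:
            ch = bytes([byte])
            if state == "PENDING":
                # Trailing silence decides whether "+++" was a real escape.
                state = "COMMAND" if t - esc_t >= guard else "DATA"
                plus_run = 0
            if state == "COMMAND":
                if ch in b"\r\n":
                    if cmd.strip().upper() == b"ATH0":
                        return True          # line dropped
                    cmd = b""
                else:
                    cmd += ch
            elif ch == b"+":
                if plus_run == 0:
                    # Leading silence is measured at the first '+'.
                    lead_ok = t - last_t >= guard
                plus_run += 1
                if plus_run == 3 and lead_ok:
                    state, esc_t = "PENDING", t
            else:
                plus_run = 0
            last_t = t
    return False

# Constructed sample traffic (not captured data).
SIG_MAIL = [(0.0, b"Thanks,\r\n-- \r\n+++ath0\r\n")]      # reply quoting the signature
IDLE_THEN_MAIL = [(0.0, b"x"), (5.0, b"+++ath0\r\n")]    # silence before, none after
OPERATOR = [(0.0, b"data"), (2.0, b"+++"), (4.0, b"ATH0\r")]  # deliberate local escape

if __name__ == "__main__":
    for name, traffic in [("signature mail", SIG_MAIL),
                          ("idle then mail", IDLE_THEN_MAIL),
                          ("operator escape", OPERATOR)]:
        print(name, "| no guard:", hangs_up(traffic, 0),
              "| guard:", hangs_up(traffic, GUARD))
```

In this model the in-band signature drops the line only when there is no guard time, while the deliberate, paused escape works in both cases.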

