E-C-H-E-L-O-N  M-A-G-A-Z-I-N-E
--------------------------------------------------------------------
Variations on the ATH Modem DoS Attack.
-- NeonBunny
--------------------------------------------------------------------

AT commands control a modem's settings and functions; you only need to 
look in a modem manual and you'll see page after page of them. They do 
everything from ringing a number using pulse dialling to reading and 
setting S registers (similar to a numbered ini file stored in the 
modem's memory). Once the connection has been made using these AT 
commands, the data flowing to and from your modem is no longer treated 
as commands but as your Internet data. If you need to send your modem 
back into command mode, you send three plus signs as Internet data, 
followed by your AT command.

ATH is the AT command to disconnect a modem. Other AT commands have a 
similar effect to ATH: the modem reset (ATZ0) will disconnect the modem 
too. It is possible to locally disconnect your own modem by sending 
text containing three plus signs directly followed by ATH via email, 
FTP upload or any other route that causes it to flow over the link as 
plain text.

If you're not looking to disconnect the modem but instead to hang it, 
you may be able to use three plus signs followed by ATG. There is no 
such command as ATG, so the modem is confused and becomes locked in 
command mode. The problem with this attack is that it only disconnects 
the modem that the line is sent from; the command line is never 
transmitted on to other modems, since the connection is broken before 
the data is passed on. The difficulty lies in sending the line so that 
it is transmitted by another modem without disconnecting the attacker's 
own modem. Encoding the line does this, so that the plain text version 
is never sent; this can be done in various ways, such as encryption or 
compression. As long as the line stays encoded it travels harmlessly 
and has no effect; this is where systems such as anonymous remailers 
come in. Some anon-remailers use public/private keys to decrypt your 
encrypted mail before sending it on: their software will "decode" the 
line and send it on as plain text, disconnecting the first vulnerable 
modem the line comes into contact with.

This exploit doesn't end here: it can be used to take down a LAN 
proxy's modem, as it only affects modems and not network cards. The line
will happily flow over the network but will disconnect the modem when 
the proxy tries to send the line out as Internet data. A bit of social 
engineering means that you could send the line to the target as a 
compressed file for them to decompress, claiming you don't have the 
software to do it yourself. As they try to send the file back they 
will be disconnected. A bit of steganography would make the file even 
less suspicious but still have the same end result. The line (or more 
correctly the 6+ characters) can be amongst any type of data, such as 
video, sound or images, and the attack will still work. This problem 
is by no means a new one and has been around since modems first used 
the Hayes command set; it is, however, a problem still applicable to 
today's modems.

To fix the problem we have to set an S register so that the character 
which the modem looks for before entering command mode is different 
from the three + signs. S2 holds the decimal value of the ASCII 
character used as the escape character. The default value is 43 and 
corresponds to an ASCII '+', but a value over 127 disables the escape 
process, i.e. no escape character will be recognised. Load up a 
program capable of talking directly to the COM port that your modem is 
on (e.g. HyperTerminal or MiniCom) and send the line:

ATS2=128

This disables the triple plus "escape code", replacing it with a 
triple ASCII 128 escape code (never used). To check that the command 
has worked (you should get an ERROR message if it hasn't), issue the 
command:

AT&V

This displays all of the modem's settings; if S2 is still at 43 then 
you're doing something wrong. Otherwise you're now safe from this 
problem until Windows issues an ATZ0 and resets the modem to its 
original settings. I recommend placing the command ATS2=128 in your 
modem's initialisation string so the register is set every time you 
connect to your ISP. To do this in Windows, right-click your ISP's 
entry in Dial Up Networking and choose Properties. Click the Configure
button at the bottom of the General tab and then select the 
Connection tab. From there choose Advanced and place the line ATS2=128 
in the Extra Settings field.
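As an added example (not part of NeonBunny's article), here are the two 
defender-side checks the text above implies: scanning data that is about 
to cross a modem link for a '+++' escape followed by an AT command (the 
LAN proxy case), and reading the S2 value out of an AT&V dump to confirm 
the ATS2=128 fix has taken. The AT&V layout differs between modem 
vendors, so the sample dump is constructed and the two register formats 
handled are assumptions.

```python
import re
from typing import List, Optional

# 1. Detect the Hayes escape sequence in data about to cross a modem link:
#    three '+' characters followed by an AT command, optionally separated
#    by whitespace or a CR/LF. A proxy, mail gateway or IDS rule could log
#    or hold such content before it reaches the modem.
ESCAPE_RE = re.compile(rb"\+\+\+\s*AT[^\r\n]*", re.IGNORECASE)


def find_escape_commands(payload: bytes) -> List[bytes]:
    """Return each '+++AT...' sequence found anywhere in the payload."""
    return [m.group(0) for m in ESCAPE_RE.finditer(payload)]


# 2. Verify the ATS2=128 mitigation from a modem's AT&V dump. The exact
#    layout is vendor specific (assumption): 'S02:043' and 'S2=43' are the
#    two layouts handled here. S12, S20 etc. must not be mistaken for S2.
S2_RE = re.compile(r"\bS0*2\s*[:=]\s*(\d+)")


def s2_value(atv_output: str) -> Optional[int]:
    """Extract the S2 (escape character) register value, or None if absent."""
    m = S2_RE.search(atv_output)
    return int(m.group(1)) if m else None


def escape_disabled(atv_output: str) -> bool:
    """True when S2 is above 127, i.e. no escape character is recognised."""
    value = s2_value(atv_output)
    return value is not None and value > 127


# Constructed sample data (not captured from a real modem or mail stream).
SAMPLE_MAIL = b"Hi,\r\nsee attachment.\r\n+++ATH\r\nregards\r\n"
SAMPLE_ATV_DEFAULT = "S00:000 S01:000 S02:043 S03:013 S04:010 S12:050"
SAMPLE_ATV_FIXED = "S00:000 S01:000 S02:128 S03:013 S04:010 S12:050"

if __name__ == "__main__":
    print(find_escape_commands(SAMPLE_MAIL))    # [b'+++ATH']
    print(escape_disabled(SAMPLE_ATV_DEFAULT))  # False
    print(escape_disabled(SAMPLE_ATV_FIXED))    # True
```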

NOTE: Playing with the S registers of a modem is similar to playing 
with the BIOS of your motherboard; only do it if you feel confident and
have the correct documentation should anything go wrong. Most of this 
text is based on theory and may not work in practice.

NeonBunny
the_neon_bunny@hotmail.com
http://www.lab6.com/~bunnybox

