Vigil@nce - Sybase ASE: bypassing the TDS authentication
August 2012 by Vigil@nce
This bulletin was written by Vigil@nce: http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can bypass the TDS authentication, in order to access
Sybase ASE data.
Severity: 2/4
Creation date: 25/07/2012
IMPACTED PRODUCTS
– Sybase Adaptive Server Enterprise
DESCRIPTION OF THE VULNERABILITY
The TDS (Tabular Data Stream) protocol is used to transfer data
between Sybase ASE and a client.
This protocol uses packets, which depend on the message type:
– 1 : Query
– 2 : Login
– etc.
However, Login packets do not use random values (challenge). An
attacker who has captured a session can thus replay its Login packet.
An attacker can therefore bypass the TDS authentication, in order
to access Sybase ASE data.
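The effect of the missing challenge can be shown with a small model, added here as an illustration; it is not part of the Vigil@nce bulletin and does not reproduce the TDS wire format. The class names, the SHA-256/HMAC construction and the sample secret are assumptions chosen for the example: a login with no server random accepts the same recorded bytes again, while a login bound to a fresh, single-use challenge rejects them.

```python
import hashlib
import hmac
import secrets

PASSWORD = b"constructed-sample-secret"  # constructed sample value


class StaticLogin:
    """No challenge: the same login bytes are accepted on every connection."""
    def __init__(self, password):
        self._expected = hashlib.sha256(password).digest()

    def login(self, message):
        return hmac.compare_digest(message, self._expected)


class ChallengeLogin:
    """Each login must answer a fresh server random, usable only once."""
    def __init__(self, password):
        self._key = password
        self._pending = set()

    def new_challenge(self):
        nonce = secrets.token_bytes(16)
        self._pending.add(nonce)
        return nonce

    def login(self, nonce, response):
        if nonce not in self._pending:
            return False  # unknown or already-consumed challenge
        self._pending.discard(nonce)
        expected = hmac.new(self._key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(response, expected)


def replay_outcomes():
    """Present one recorded login repeatedly to each model; report acceptance."""
    static = StaticLogin(PASSWORD)
    recorded = hashlib.sha256(PASSWORD).digest()  # the bytes a capture would hold
    static_results = (static.login(recorded), static.login(recorded))

    server = ChallengeLogin(PASSWORD)
    nonce = server.new_challenge()
    response = hmac.new(PASSWORD, nonce, hashlib.sha256).digest()
    first = server.login(nonce, response)        # legitimate login
    same_nonce = server.login(nonce, response)   # recorded pair presented again
    new_nonce = server.login(server.new_challenge(), response)  # old answer, new random
    return {"static": static_results, "challenge": (first, same_nonce, new_nonce)}
```
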
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Sybase-ASE-bypassing-the-TDS-authentication-11797