Ars Technica reports the serious vulnerability was demonstrated by researchers from the University of California at Riverside and the US Army Research Laboratory at the 25th Usenix Security Symposium on Wednesday. In a presentation, the team successfully injected malicious JavaScript code into an otherwise legitimate page on the USA Today website.
The issue is caused by flaws in the design and implementation of RFC 5961, a new Internet standard that supposedly makes it harder to execute certain kinds of hack. A major weakness has simplified the exploitation of off-path attacks though, allowing outsiders to detect when any two machines are communicating over the Internet.
A traditional man-in-the-middle attack, where a hacker intercepts network traffic on the way to its destination, is no longer required. Instead, the intruder can spectate from the sidelines, allowing them to intercept traffic by sending packets from anywhere on the Internet. In practice, hackers are able to remotely detect when a computer is connecting to a web server. They can then intercept or terminate the connection, hijack the transmitted data and replace it with their own packets.
The scope of the attack is limited if the target connection is encrypted with the HTTPS protocol. The hackers can terminate it but are unable to tamper with its contents. If no encryption is present, there’s a lot more scope to exploit. The attacker can send their own data over the network, transmitting a compromised file or injecting malicious code into a requested webpage.
While the flaw was demonstrated on the USA Today website, there are thousands of other unencrypted sites that could be hijacked in the same way. Hackers could compromise users’ computers by injecting malicious code into the world’s most popular websites, gaining control of the operating system by exploiting zero-day vulnerabilities in web browsers.
Because the issue lies in a standard defining how clients connect to servers, it theoretically affects Windows and Mac OS X as well as Linux. However, RFC 5961 is so new that only Linux currently supports it. By the time Microsoft and Apple get round to implementing it, the specification may be refined to iron out the issue.
When asked by Ars Technica, security researcher Zhiyun Qian said the RFC specification and Linux’s implementation should be held jointly responsible for the vulnerability. Qian suggested that issues could arise when implementations follow the specification as it’s currently written, hinting at problematic wording in its definition.
“It is a subtle problem,” said Qian. “I want to say that the RFC is written in a way that if OSes implement it straightforwardly, it is going to be problematic. So I think we should probably split the responsibility between the RFC and implementation.”
There are some limitations to the issue. To be successfully exploited, the connection between client and server must be open for a sustained period of at least a minute. This means not every website can be hijacked. Modern sites such as USA Today keep their connections open for much longer though, dynamically loading additional content as the user scrolls down the page. This is the most vulnerable kind of site.
The Linux kernel has already received a patch that fixes the flaw but the updated version is yet to be incorporated into mainstream desktop and server OS distributions. Users won’t be secure until both their own PC and the web servers they connect to have the patch installed. Exploitation can be achieved with access to only one end of the TCP link, making this a particularly nasty attack. Many web servers are infrequently updated, leaving them open to TCP hijacking.
