
Fun writeup, thanks. FYI to the author, on mobile there is a horizontal overflow due to one image being too wide (the dereference illustration). I really like the blog’s style otherwise.

There is one part I’m not clear about. Presumably the vector to exploit this is a malicious server, not a proxy. So if you control the server, why do you need to set two Content-Link headers to trick the parser into thinking it’s empty? Could you use a legit file and a fake content header with extra (empty) bytes? Or does that have too many side effects due to the client actually parsing the file rather than ignoring it?




The idea is that you don't want to fill the memory chunk with real data from the server but keep the contents that happen to be in there from previous allocations. Then when the proxy later retrieves the contents of the memory chunk they get essentially a random block of old heap contents. That's valuable because those will contain (vtable) pointers that reveal where in memory the game was loaded - most executables nowadays use ASLR so a prerequisite to an exploit is having some sort of information leak like this that can tell you the base address.
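The mechanism the comment describes, as an added illustration that is not code from the writeup or from either commenter: a toy allocator (constructed here, not any real allocator) hands a freed chunk straight back to the next allocation, a response buffer is sized from a declared length but receives an empty body, and whatever the previous occupant of that chunk held is what gets passed onward. The hardened variant beside it zeroes the buffer and reports only the bytes actually received, which is the fix a client or proxy would want. The "pointer-like" value is a constructed stand-in, not an address from any binary.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define ARENA_SIZE 4096
#define CHUNK 64

/* Toy arena with a one-entry free list: the next allocation of a fitting
   size gets the most recently freed chunk back, which is the recycling
   behaviour that lets old heap contents reappear in a fresh buffer. */
static unsigned char arena[ARENA_SIZE];
static size_t arena_top = 0;
static unsigned char *free_slot = NULL;
static size_t free_slot_size = 0;

static void *arena_alloc(size_t n) {
    if (free_slot != NULL && free_slot_size >= n) {
        void *p = free_slot;
        free_slot = NULL;
        return p;                      /* old bytes are still inside */
    }
    if (arena_top + n > ARENA_SIZE) return NULL;
    void *p = arena + arena_top;
    arena_top += n;
    return p;
}

static void arena_free(void *p, size_t n) {
    free_slot = p;
    free_slot_size = n;
}

/* Vulnerable pattern (constructed): size the buffer from the declared
   content length, copy whatever body bytes arrived, and report the declared
   length onward. With an empty body every byte is whatever the chunk held. */
static size_t store_body_unsafe(const unsigned char *body, size_t body_len,
                                size_t declared_len, unsigned char **out) {
    unsigned char *buf = arena_alloc(declared_len);
    if (buf == NULL) return 0;
    if (body_len > declared_len) body_len = declared_len;
    if (body_len > 0) memcpy(buf, body, body_len);
    *out = buf;
    return declared_len;
}

/* Hardened: zero the buffer before use and report only the bytes actually
   received, so a short or empty body cannot expose recycled heap contents. */
static size_t store_body_safe(const unsigned char *body, size_t body_len,
                              size_t declared_len, unsigned char **out) {
    unsigned char *buf = arena_alloc(declared_len);
    if (buf == NULL) return 0;
    memset(buf, 0, declared_len);
    if (body_len > declared_len) body_len = declared_len;
    if (body_len > 0) memcpy(buf, body, body_len);
    *out = buf;
    return body_len;
}

/* Scenario: an earlier object holding pointer-like values is freed, then an
   empty response with declared length CHUNK is stored. Returns how many bytes
   of the old object survive in the new buffer; *exposed_len (if non-NULL)
   receives the length the store routine reports onward. */
size_t stale_bytes_after_store(int hardened, size_t *exposed_len) {
    arena_top = 0;
    free_slot = NULL;
    free_slot_size = 0;

    /* Constructed stand-in for a vtable pointer; chosen with no zero bytes
       so that a zeroed buffer cannot accidentally match it. */
    const uint64_t pointer_like = 0x7fbe1234abcd5678ULL;
    unsigned char expected[CHUNK];
    for (size_t i = 0; i < CHUNK; i += sizeof pointer_like)
        memcpy(expected + i, &pointer_like, sizeof pointer_like);

    unsigned char *old = arena_alloc(CHUNK);
    memcpy(old, expected, CHUNK);
    arena_free(old, CHUNK);            /* contents are left in place */

    unsigned char *buf = NULL;
    size_t exposed = hardened ? store_body_safe(NULL, 0, CHUNK, &buf)
                              : store_body_unsafe(NULL, 0, CHUNK, &buf);
    if (exposed_len != NULL) *exposed_len = exposed;
    if (buf == NULL) return 0;

    size_t stale = 0;
    for (size_t i = 0; i < CHUNK; i++)
        if (buf[i] == expected[i]) stale++;
    return stale;
}

/* Convenience wrapper: the length each variant reports to its caller. */
size_t reported_length_after_store(int hardened) {
    size_t exposed = 0;
    stale_bytes_after_store(hardened, &exposed);
    return exposed;
}

int main(void) {
    size_t exposed;
    size_t stale = stale_bytes_after_store(0, &exposed);
    printf("unsafe: %zu stale bytes, %zu bytes reported\n", stale, exposed);
    stale = stale_bytes_after_store(1, &exposed);
    printf("safe:   %zu stale bytes, %zu bytes reported\n", stale, exposed);
    return 0;
}
```

The unsafe path reports all 64 declared bytes and every one of them still carries the old object's pointer-like pattern; the hardened path reports zero received bytes and the buffer behind it is zeroed, so there is nothing for a downstream reader to recover even if it ignores the returned length. In a real client the same two checks apply: never trust a declared length as a measure of what was received, and zero (or avoid reusing) buffers that cross a trust boundary.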



