
Shon Harris, Allen Harper, Chris Eagle, and Jonathan Ness

"Gray Hat Hacking, Second Edition"


When you install the Java runtime, the installer registers javaprxy.dll as a COM object.
Its developers intended it to be used only from within the Java runtime context to do
profiling. However, because it is a registered COM object, it could be instantiated any
way COM objects can be instantiated, including via a tag in an HTML page.
Unfortunately, this COM object had a special initialization requirement. To set up and
use the object, the caller first needs to use the CreateInstance() method, a standard part
of initializing any COM object. The second step was to call the object's custom initialization
method, which set variables to initial values and finished performing object setup.
The JVM environment knew how to do this, and javaprxy.dll worked great in that environment.
Internet Explorer, unfortunately, knows nothing about custom COM objects.
IE knows only about the generic ActiveX interfaces that it tried to use after calling
CreateInstance(). So IE loaded the object, but its variables and function table were not
initialized properly. In fact, it was using uninitialized memory. Unfortunately,
uninitialized memory in this context is attacker-controlled memory, because portions of
the HTML page were the previous resident of this memory and no initialization had
been done between uses.
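The two-step initialization problem described above is easier to see in a small model. The following C program is an added illustration, not code from the book or from javaprxy.dll: it defines a toy COM-style object whose method table is only filled in by a second, custom initialization step, reuses a block of memory that was previously occupied by constructed "page bytes" (the 'A' fill stands in for whatever happened to be there before), and contrasts a CreateInstance() that hands back raw storage with one that zeroes every field and makes the host's dispatch path refuse to call through the table until the second step has run. The names create_instance_lazy, create_instance_safe, custom_init and host_dispatch are hypothetical; the guard shown is one generic mitigation for the bug class, not the vendor's actual fix.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Minimal stand-in for a COM-style object: a pointer to a method table plus
 * some state. Real COM objects carry far more, but the shape is the same. */
typedef struct Object Object;
typedef int (*method_fn)(Object *self);

typedef struct {
    method_fn do_work;
} MethodTable;

struct Object {
    const MethodTable *vtbl;   /* function table the host calls through */
    int initialized;           /* set only by the custom second step */
    int counter;
};

/* A one-block arena standing in for the heap: the same storage is reused
 * without being cleared, like the page's "previous resident" memory.
 * The union keeps the block correctly aligned for an Object. */
static union {
    Object obj;
    unsigned char bytes[sizeof(Object)];
} arena;

/* Constructed stand-in for the bytes that last occupied this memory
 * (in the real bug: part of the HTML page, not chosen by the object's author). */
static void occupy_arena_with_page_bytes(void) {
    memset(arena.bytes, 'A', sizeof arena.bytes);
}

static int do_work_impl(Object *self) { return ++self->counter; }
static const MethodTable real_table = { do_work_impl };

/* Vulnerable pattern: CreateInstance() returns raw storage and relies on the
 * caller to run the custom initialization afterwards. A host that does not
 * know about that step sees whatever bytes were already there. */
static Object *create_instance_lazy(void) {
    return &arena.obj;          /* no memset, no field setup */
}

/* Hardened pattern: CreateInstance() leaves no field uninitialized. */
static Object *create_instance_safe(void) {
    Object *o = &arena.obj;
    memset(o, 0, sizeof *o);    /* vtbl == NULL, initialized == 0 */
    return o;
}

/* The object's custom second initialization step. */
static void custom_init(Object *o) {
    o->vtbl = &real_table;
    o->counter = 0;
    o->initialized = 1;
}

/* What a generic host does: call through the table right after
 * CreateInstance(). Returns -1 instead of jumping through a stale pointer
 * when the object has not completed its second step. */
static int host_dispatch(Object *o) {
    if (!o->initialized || o->vtbl == NULL || o->vtbl->do_work == NULL)
        return -1;
    return o->vtbl->do_work(o);
}

/* Inspect, without calling through it, the table pointer a lazily created
 * object would hand to the host: it is just the stale page bytes. */
static uintptr_t stale_vtbl_bits(void) {
    occupy_arena_with_page_bytes();
    Object *o = create_instance_lazy();
    return (uintptr_t)o->vtbl;  /* 0x41414141... on this platform's pointer width */
}

static int safe_dispatch_before_init(void) {
    occupy_arena_with_page_bytes();
    Object *o = create_instance_safe();
    return host_dispatch(o);    /* -1: second step not done, nothing called */
}

static int safe_dispatch_after_init(void) {
    occupy_arena_with_page_bytes();
    Object *o = create_instance_safe();
    custom_init(o);
    return host_dispatch(o);    /* 1: the real method ran once */
}

int main(void) {
    printf("lazy object's table pointer bits: 0x%lx\n",
           (unsigned long)stale_vtbl_bits());
    printf("safe object before custom init:   %d\n", safe_dispatch_before_init());
    printf("safe object after custom init:    %d\n", safe_dispatch_after_init());
    return 0;
}
```

The lazy object is never dispatched in this program because its table pointer is nothing but the previous occupant's bytes; the point of the hardened variant is that zeroing in CreateInstance() plus an explicit readiness check turns that same situation into a refused call instead of a jump through unvalidated memory.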

