CVE-2012-3993
published 2012-10-10

Priority: P2 63 · critical · CVSS 2.0: 9.3
Vector: AV:N/AC:M/Au:N/C:C/I:C/A:C
EXPLOIT
EPSS: 42.61% (98.5th percentile)
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue.

Affected

292 ranges · showing 25

Vendor    Product   Version range   Fixed in
mozilla   firefox   <= 15.0.1
(the remaining 24 displayed rows list only vendor "mozilla" and product "firefox"; their version data did not survive extraction)

Detection & IOCs (extracted from sources)

other: application/x-xpinstall
filename: addon.xpi
command: window.crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex")
command: try{InstallTrigger.install(0)}catch(e){p=e;};
command: p2.__exposedProps__={constructor:'rw',prototype:'rw',defineProperty:'rw',__exposedProps__:'rw'};
command: window.AddonManager.getInstallForURL(..., 'application/x-xpinstall')
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file.data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
  • Detect HTTP responses containing all of the following strings simultaneously: 'generateCRMFRequest', 'InstallTrigger', '__exposedProps__', '__defineGetter__', 'getInstallForURL', and 'x-xpinstall'. This combination is the ET signature for the in-the-wild exploit.
  • Flag HTTP responses serving Content-Type 'application/x-xpinstall' to browser clients, especially when the XPI filename is 'addon.xpi', as the exploit silently installs a malicious plugin via AddonManager.
  • The exploit targets Firefox versions 5.0 through 15.0.1 (User-Agent version between 5 and 15). Browser version enforcement in the Metasploit module uses ua_minver 5.0 and ua_maxver 15.0.1.
  • The exploit uses crypto.generateCRMFRequest with hardcoded arguments ('CN=Me', 'foo', 'bar', null, ..., 384, null, 'rsa-ex') to peek into chrome-privileged scope; detecting this call pattern in JavaScript delivered to browsers is a strong indicator.
  • The exploit sets __exposedProps__ on the exception prototype with 'rw' permissions for constructor, prototype, defineProperty, and __exposedProps__ — detecting this pattern in JavaScript content indicates active exploitation.
  • The Metasploit module uses two separate CVEs chained together: CVE-2012-3993 (InstallTrigger/__exposedProps__ XrayWrapper pollution to gain chrome defineProperty) and CVE-2013-1710 (crypto.generateCRMFRequest to peek into chrome scope). Detection rules covering both CVEs will fire on either exploit path.
  • The JavaScript injection path differs between Firefox 15 and earlier versions: FF15 uses 'Function.prototype.call.call(p.__defineGetter__,obj,key,runme)' while FF5–14 uses 'p2.constructor.defineProperty(obj,key,{get:runme})'. Detection logic should account for both variants.
  • The exploit JavaScript is obfuscated via js_obfuscate in the Metasploit module, meaning static string matching on the raw JS payload may not reliably detect it; the Snort/ET rule targets the decoded/rendered content layer (file.data).
  • In Thunderbird and SeaMonkey, the flaw generally cannot be exploited via email because scripting is disabled; the risk is limited to browser or browser-like contexts.
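To make the detection notes above concrete, here is an added Python example (not code from this page, the ET ruleset or Metasploit) that applies the rule's all-strings-present logic and the XPI-download heuristic to constructed HTTP responses; the minimal response parser, the sample responses and the hit labels are my own assumptions.

```python
import re
from dataclasses import dataclass

# Strings that ET rule sid:2021078 requires to co-occur in the response body;
# Snort matches each with nocase, and ".install|28|" is hex notation for ".install(".
RULE_CONTENT = ["generateCRMFRequest", "InstallTrigger", "__exposedProps__",
                "__defineGetter__", "getInstallForURL", ".install(", "x-xpinstall"]

@dataclass
class HttpResponse:
    headers: dict  # header name (lowercased) -> value
    body: bytes

def parse_http_response(raw: bytes) -> HttpResponse:
    """Minimal splitter (assumed helper): status line, headers, blank line, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name:
            headers[name.strip().decode("latin-1").lower()] = value.strip().decode("latin-1")
    return HttpResponse(headers, body)

def matches_et_rule(resp: HttpResponse) -> bool:
    """Fires only when every indicator is present, mirroring the rule's ANDed content matches."""
    body = resp.body.lower()
    return all(s.lower().encode() in body for s in RULE_CONTENT)

def serves_xpi(resp: HttpResponse) -> bool:
    """Second heuristic from the notes: an XPI add-on being pushed to the client."""
    ctype = resp.headers.get("content-type", "").lower()
    disp = resp.headers.get("content-disposition", "").lower()
    return "application/x-xpinstall" in ctype or re.search(r'filename="?[^";]*\.xpi', disp) is not None

def classify(raw: bytes) -> list:
    resp = parse_http_response(raw)
    hits = []
    if matches_et_rule(resp):
        hits.append("et-2021078")
    if serves_xpi(resp):
        hits.append("xpi-download")
    return hits

# Constructed sample responses, not real traffic. The first carries the IOC fragments
# quoted on this page (non-functional: s, p2 and u are undefined), the second is an
# XPI download, the third mentions a single indicator and must not fire.
SAMPLE_PAGE = (b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<script>"
               b"window.crypto.generateCRMFRequest('CN=Me','foo','bar',null,s,384,null,'rsa-ex');"
               b"try{InstallTrigger.install(0)}catch(e){p=e;};p2.__exposedProps__={};"
               b"p.__defineGetter__;window.AddonManager.getInstallForURL(u,'application/x-xpinstall')</script>")
SAMPLE_XPI = (b"HTTP/1.1 200 OK\r\nContent-Type: application/x-xpinstall\r\n"
              b"Content-Disposition: attachment; filename=\"addon.xpi\"\r\n\r\nPK\x03\x04...")
SAMPLE_BENIGN = b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<p>InstallTrigger docs</p>"
```

As the obfuscation note warns, the rule only fires on content where these strings are literally present, so the third sample (and any payload that splits or encodes them) yields no hit.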

CVSS provenance

nvd (CVSS v2.0): 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
vendor_redhat: 9.3 CRITICAL
vendor_ubuntu: 9.3 CRITICAL