CVE-2012-3993
Published 2012-10-10
Priority: P263 · critical · CVSS 2.0: 9.3 (AV:N/AC:M/Au:N/C:C/I:C/A:C)
Exploit: public (Metasploit module and Exploit-DB entry, listed below)
EPSS: 42.61% (98.5th percentile)
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16.0, Firefox ESR 10.x before 10.0.8, Thunderbird before 16.0, Thunderbird ESR 10.x before 10.0.8, and SeaMonkey before 2.13 does not properly interact with failures of InstallTrigger methods, which allows remote attackers to execute arbitrary JavaScript code with chrome privileges via a crafted web site, related to an "XrayWrapper pollution" issue.
Affected
292 ranges. The version bounds below follow the description above (fixed releases are the first non-vulnerable versions it names).
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 15.0.1 | 16.0 |
| mozilla | firefox esr | 10.x before 10.0.8 | 10.0.8 |
| mozilla | thunderbird | before 16.0 | 16.0 |
| mozilla | thunderbird esr | 10.x before 10.0.8 | 10.0.8 |
| mozilla | seamonkey | before 2.13 | 2.13 |
Detection & IOCs (extracted from sources)
command: p2.__exposedProps__={constructor:'rw',prototype:'rw',defineProperty:'rw',__exposedProps__:'rw'};
suricata (ET Open sid 2021078; this is the Suricata form of the rule, using `alert http` and the `file.data` sticky buffer)
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file.data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
- The rule matches an HTTP response body only when all of these strings are present (each content match carries nocase): 'generateCRMFRequest', 'InstallTrigger', '__exposedProps__', '__defineGetter__', 'getInstallForURL', '.install(' (written '.install|28|' in the rule; 0x28 is '(') and 'x-xpinstall'. This set is what ET sid 2021078 keys on and it tracks the public Metasploit module.
- Flag HTTP responses served with Content-Type 'application/x-xpinstall' to browser clients, particularly when the XPI is named 'addon.xpi': the Metasploit module uses the AddonManager API to install its payload add-on silently.
- The Metasploit module targets Firefox 5.0 through 15.0.1 and gates on the User-Agent (ua_minver 5.0, ua_maxver 15.0.1), so only clients reporting a version in that range are served the payload.
- The module calls crypto.generateCRMFRequest with hardcoded arguments ('CN=Me', 'foo', 'bar', null, ..., 384, null, 'rsa-ex') to peek into chrome-privileged scope (CVE-2013-1710). That call with literal arguments in JavaScript delivered to a browser is a strong indicator.
- The module resets __exposedProps__ on the exception prototype with 'rw' permissions for constructor, prototype, defineProperty and __exposedProps__ (the "command" IOC above). This is the CVE-2012-3993 XrayWrapper pollution step and a direct sign of exploitation.
- Two CVEs are chained: CVE-2012-3993 (InstallTrigger exception / __exposedProps__ pollution to obtain the chrome defineProperty) and CVE-2013-1710 (crypto.generateCRMFRequest to peek into chrome scope). Because the ET rule requires every content match, it fires only on the combined chain; a page that uses one half alone (for example the __exposedProps__ trick without generateCRMFRequest) does not match it.
- The injection path differs by version: on Firefox 15 the module uses 'Function.prototype.call.call(p.__defineGetter__,obj,key,runme)', on Firefox 5 to 14 'p2.constructor.defineProperty(obj,key,{get:runme})'. Detection logic written against one variant will miss the other.
- The module runs its JavaScript through js_obfuscate. Suricata's file.data is the reassembled, decompressed HTTP body, not a de-obfuscated view, so the rule can match only while the obfuscator leaves the built-in API names (generateCRMFRequest, InstallTrigger, __exposedProps__, and so on) in clear text; a variant that rewrites those names into encoded string lookups evades it.
- In Thunderbird and SeaMonkey the flaw generally cannot be exploited through email because scripting is disabled there; the risk is confined to browser or browser-like contexts.
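The all-strings requirement of the rule and the version gating described in the bullets above, as an added example in Python that is not code from this page, the ET ruleset or the Metasploit module. It emulates the seven content matches of ET sid 2021078 over constructed HTTP responses (not captures; the script text only carries the strings the page lists and is not a working exploit) and checks a User-Agent against the 5.0 to 15.0.1 range, with the ESR 10.x fix at 10.0.8. The `http_body` helper is an assumption-level stand-in for Suricata's file.data: it splits headers from body but neither de-chunks nor decompresses.

```python
# Added example, not code from the page, the ET ruleset or the Metasploit
# module: it emulates the content matching ET sid 2021078 performs on an HTTP
# response body and applies the CVE-2012-3993 version range to a User-Agent.
# All sample traffic below is constructed for the example and is not a capture.
import re

# The seven content matches from the signature. Suricata evaluates them on
# file.data (the reassembled, decompressed response body), case-insensitively
# because each carries 'nocase', and the rule fires only if every one is present.
ET_2021078_TOKENS = (
    b"generateCRMFRequest",
    b"InstallTrigger",
    b"__exposedProps__",
    b"__defineGetter__",
    b"getInstallForURL",
    b".install(",          # the rule writes this as ".install|28|"; 0x28 is '('
    b"x-xpinstall",
)


def http_body(raw: bytes) -> bytes:
    """Strip status line and headers; a simplified stand-in for file.data.
    Unlike Suricata this does not undo chunked encoding or gzip."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    return body if sep else raw


def missing_tokens(raw: bytes) -> list:
    """Tokens from the signature that the response body does not contain."""
    body = http_body(raw).lower()
    return [t.decode() for t in ET_2021078_TOKENS if t.lower() not in body]


def matches_et_2021078(raw: bytes) -> bool:
    """True only when all content matches succeed, as the rule requires."""
    return not missing_tokens(raw)


# Affected range from the advisory text and the module's ua_minver/ua_maxver:
# Firefox 5.0 through 15.0.1 (fixed in 16.0); the ESR 10.0.x branch is fixed in 10.0.8.
_FF_UA = re.compile(r"Firefox/(\d+(?:\.\d+)*)")


def firefox_version(user_agent: str):
    """Version tuple parsed from a Firefox User-Agent, or None if not Firefox."""
    m = _FF_UA.search(user_agent)
    return tuple(int(p) for p in m.group(1).split(".")) if m else None


def is_affected_firefox(user_agent: str) -> bool:
    v = firefox_version(user_agent)
    if v is None:
        return False
    if v[:2] == (10, 0):            # ESR 10.0.x: patched from 10.0.8 on
        return v < (10, 0, 8)
    return (5, 0) <= v <= (15, 0, 1)


# Constructed response carrying both halves of the chain, using the strings the
# page lists (the __exposedProps__ reset, the generateCRMFRequest call, the FF15
# __defineGetter__ variant and the AddonManager XPI install). Not a working exploit;
# the generateCRMFRequest argument list is abbreviated.
CRMF_LINE = b"crypto.generateCRMFRequest('CN=Me','foo','bar',null /* remaining args omitted */);\n"
SAMPLE_CHAIN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<script>\n"
    b"p2.__exposedProps__={constructor:'rw',prototype:'rw',defineProperty:'rw',__exposedProps__:'rw'};\n"
    + CRMF_LINE +
    b"Function.prototype.call.call(p.__defineGetter__,obj,key,runme);\n"
    b"AddonManager.getInstallForURL(u,function(i){i.install();},'application/x-xpinstall');\n"
    b"InstallTrigger;\n"
    b"</script>\n"
)

# Same page with the CVE-2013-1710 half removed: only the CVE-2012-3993 pattern remains.
SAMPLE_COW_ONLY = SAMPLE_CHAIN.replace(CRMF_LINE, b"")

# Benign page that merely mentions InstallTrigger (typical browser feature detection).
SAMPLE_BENIGN = (
    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
    b"<script>if (typeof InstallTrigger !== 'undefined') { ua = 'firefox'; }</script>\n"
)

if __name__ == "__main__":
    for name, resp in (("chain", SAMPLE_CHAIN), ("cow-only", SAMPLE_COW_ONLY), ("benign", SAMPLE_BENIGN)):
        print(f"{name:9s} fires={matches_et_2021078(resp)} missing={missing_tokens(resp)}")
    print(is_affected_firefox("Mozilla/5.0 (Windows NT 6.1; rv:15.0) Gecko/20100101 Firefox/15.0.1"))
```

Running the script reports, for each sample, whether the emulated rule fires and which tokens are absent; the cow-only sample is the case where only the CVE-2012-3993 half is on the page and the signature stays silent, which is why a second, narrower rule on the __exposedProps__ reset alone is worth keeping beside it.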
CVSS provenance
- nvd: CVSS 2.0 9.3 CRITICAL, AV:N/AC:M/Au:N/C:C/I:C/A:C
- vendor_redhat: 9.3 CRITICAL
- vendor_ubuntu: 9.3 CRITICAL
Ubuntu
Thunderbird vulnerabilities
vendor_ubuntu · 2012-10-12 · CVSS 9.3 · indexed under CVE-2012-3982 [CRITICAL]
Summary: Several security issues were fixed in Thunderbird.
Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Thunderbird. If a user were tricked into opening a malicious website and had JavaScript enabled, an attacker could exploit these to execute arbitrary JavaScript code within the context of another website or arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989, CVE-2012-4191)
David Bloom and Jordi Chancel discovered that Thunderbird did not always properly handle the <select> element. If a user were tricked into opening a malicious website and had JavaScript enabled, a remote attacker could exploit this to conduct URL spoofing an
Red Hat
Mozilla: Chrome Object Wrapper (COW) does not disallow access to privileged functions or properties (MFSA 2012-83)
vendor_redhat · 2012-10-09 · CVSS 9.3 · CVE-2012-3993 [CRITICAL]
Description: identical to the NVD text at the top of this page.
Ubuntu
Firefox vulnerabilities
vendor_ubuntu · 2012-10-09 · CVSS 9.3 · indexed under CVE-2012-3983 [CRITICAL]
Summary: Multiple security issues were fixed in Firefox.
Henrik Skupin, Jesse Ruderman, Christian Holler, Soroush Dalili and others discovered several memory corruption flaws in Firefox. If a user were tricked into opening a specially crafted web page, a remote attacker could cause Firefox to crash or potentially execute arbitrary code as the user invoking the program. (CVE-2012-3982, CVE-2012-3983, CVE-2012-3988, CVE-2012-3989)
David Bloom and Jordi Chancel discovered that Firefox did not always properly handle the <select> element. A remote attacker could exploit this to conduct URL spoofing and clickjacking attacks. (CVE-2012-3984)
Collin Jackson discovered that Firefox did not properly follow the HTML5 specification for document.domain behavior. A remote attac
GHSA
GHSA-3587-g6j7-969g: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 16
ghsa_unreviewed · 2022-05-13 · CVE-2012-3993 [HIGH] · CWE-269
Description: identical to the NVD text at the top of this page.
Suricata
ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt
suricata · 2015-05-08 · CVSS 9.3 · indexed under CVE-2013-1710 [CRITICAL]
Rule: sid 2021078, rev 4, reproduced in full under Detection & IOCs above.
Exploit-DB
Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
exploitdb · 2013-08-06 · CVSS 9.3 · CVE-2012-3993 [CRITICAL]
Excerpt of the Metasploit module as carried by Exploit-DB: the BrowserAutopwn targeting block and the start of the module description (the excerpt ends mid-sentence on the source page).

```ruby
  autopwn_info({
    :ua_name    => HttpClients::FF,
    :ua_minver  => "5.0",
    :ua_maxver  => "15.0.1",
    :javascript => true,
    :rank       => NormalRanking
  })

  def initialize(info = {})
    super(update_info(info,
      'Name'        => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
      'Description' => %q{
        On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
        invalid input, would throw an exception that did not have an __exposedProps__
        property set. By re-setting this property on the exception object's prototype,
        the chrome-based defineProperty method is made available.

        With the defineProperty method, functions belonging to window and document can be
        overridden with a function that gets called from chrome-privileged context. From here,
        another vulnerability in the crypto.generateCRMFRequest function
```
Metasploit
Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
metasploit
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silent
References
- http://lists.opensuse.org/opensuse-security-announce/2012-10/msg00010.html
- http://osvdb.org/86111
- http://rhn.redhat.com/errata/RHSA-2012-1351.html
- http://secunia.com/advisories/50856
- http://secunia.com/advisories/50892
- http://secunia.com/advisories/50904
- http://secunia.com/advisories/50935
- http://secunia.com/advisories/50936
- http://secunia.com/advisories/50984
- http://secunia.com/advisories/55318
- http://www.mandriva.com/security/advisories?name=MDVSA-2012:163
- http://www.mozilla.org/security/announce/2012/mfsa2012-83.html
- http://www.securityfocus.com/bid/56119
- http://www.ubuntu.com/usn/USN-1611-1
- https://bugzilla.mozilla.org/show_bug.cgi?id=768101
- https://exchange.xforce.ibmcloud.com/vulnerabilities/79153
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A16718