cbcvebase.
CVE-2013-1670
published 2013-05-16

CVE-2013-1670: The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR…

PriorityP270medium4.3CVSS 2.0
AVNACMAuNCNIPAN
ITWEXPLOITVulnCheck KEV
Exploited in the wild
EPSS
10.89%
95.3th percentile
The Chrome Object Wrapper (COW) implementation in Mozilla Firefox before 21.0, Firefox ESR 17.x before 17.0.6, Thunderbird before 17.0.6, and Thunderbird ESR 17.x before 17.0.6 does not prevent acquisition of chrome privileges during calls to content level constructors, which allows remote attackers to bypass certain read-only restrictions and conduct cross-site scripting (XSS) attacks via a crafted web site.

Affected

23 ranges
VendorProductVersion rangeFixed in
mozillafirefox<= 20.0.1
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillafirefox
mozillathunderbird<= 17.0.5
mozillathunderbird
mozillathunderbird
mozillathunderbird
mozillathunderbird
mozillathunderbird
mozillathunderbird_esr
mozillathunderbird_esr
mozillathunderbird_esr
mozillathunderbird_esr
mozillathunderbird_esr
mozillathunderbird_esr

Detection & IOCsextracted from sources · hover to see the quote

commandcrypto.generateCRMFRequest("CN=Me", ..., null, key, 1024, null, "rsa-ex")
commandy.constructor.prototype.toString=function() { ... }; console.time(y);
  • Look for JavaScript calls to `console.time()` with a non-string/object argument (e.g., a plain object `y`) combined with overriding `constructor.prototype.toString` — this is the exploit trigger pattern for CVE-2013-1670.
  • Detect calls to `crypto.generateCRMFRequest` from web content context (non-chrome origin), especially with 'rsa-ex' as the key type argument — this indicates privilege escalation via the COW bypass.
  • Target Firefox versions 15–22 (User-Agent screening); the Metasploit module explicitly restricts to ua_minver 15.0 and ua_maxver 22.0.
  • The exploit abuses content-level constructors to gain chrome-privileged write access via Chrome Object Wrapper (COW); monitor for write operations on chrome-privileged objects originating from content-level JavaScript.
  • ·Thunderbird is not exploitable via email because scripting is disabled in that context; the vulnerability is only a risk in browser or browser-like contexts.

CVSS provenance

nvdv2.04.3MEDIUMAV:N/AC:M/Au:N/C:N/I:P/A:N
vulncheck4.3MEDIUM
vendor_ubuntu10.0CRITICAL
vendor_redhat4.3MEDIUM
CVEs like this are exactly what “Exploited This Week” covers.

Every Monday: what got weaponized or added to CISA KEV in the last seven days — each CVE cross-linked to its PoC, Nuclei template, and detection rule. Free, one email a week, unsubscribe in one click.