CVE-2013-1710
Published: 2013-08-07
Priority: P2 (73), critical; CVSS 2.0 base score 10.0
Exploited in the wild (ITW exploit available; listed in VulnCheck KEV)
EPSS: 40.12% (98.5th percentile)
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
Affected
84 ranges on the source page, 25 shown; only the two rows below carried a version range, the rest were empty.
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| mozilla | firefox | <= 22.0 | — |
| mozilla | seamonkey | <= 2.20 | — |
Detection & IOCs (extracted from sources)
Snort rule:
```
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file.data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
```
- Detect HTTP responses containing all of: 'generateCRMFRequest', 'InstallTrigger', '__exposedProps__', '__defineGetter__', 'getInstallForURL', and 'x-xpinstall'; this combination is the ET signature for this exploit chain.
- The exploit abuses crypto.generateCRMFRequest called from an overridden toString/console.time code path to inject JavaScript into a chrome:// privileged context; monitor for calls to this API from non-chrome origins.
- The exploit targets Firefox user-agent versions 15.0–22.0 (toString/console.time vector) and 5.0–15.0.1 (__exposedProps__ vector); restrict or alert on these UA version ranges in web proxy logs.
- Delivery of a .xpi file (malicious Firefox add-on) via the application/x-xpinstall MIME type is a key indicator of the __exposedProps__ exploit variant; alert on this content type served from non-Mozilla origins.
- The __exposedProps__ exploit silently installs a malicious add-on via AddonManager.getInstallForURL; monitor browser extension install events triggered from web content context.
- The ET Snort rule (sid:2021078) covers the combined CVE-2013-1710 + CVE-2012-3993 exploit chain; it will NOT fire on the simpler toString/console.time variant (CVE-2013-1710 + CVE-2013-1670), which does not use InstallTrigger/__exposedProps__/getInstallForURL.
- The Metasploit modules use JSObfu to obfuscate the JavaScript payload, so static string matching on JS variable names will be bypassed. Detection should focus on the stable API call patterns (generateCRMFRequest, InstallTrigger, x-xpinstall) rather than variable names.
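To make the two detection caveats above concrete, here is an added example (not from any of the page's sources) that re-implements the content matching of sid:2021078 in Python, decodes Snort's `|28|` byte notation, and classifies constructed sample response bodies; the sample bodies and the `classify_variant` labels are assumptions built from the indicator names the page lists.

```python
import re

# Content matches copied from ET sid:2021078; all must be present (nocase).
# Snort's |xx| notation encodes raw bytes, so ".install|28|" means ".install(".
RULE_CONTENTS = ["generateCRMFRequest", "InstallTrigger", "__exposedProps__",
                 "__defineGetter__", "getInstallForURL", ".install|28|", "x-xpinstall"]


def decode_snort_content(pattern: str) -> str:
    """Expand Snort |hex| byte groups, e.g. 'a|28 29|b' -> 'a()b'."""
    return re.sub(r"\|([0-9a-fA-F\s]+)\|",
                  lambda m: bytes.fromhex(m.group(1).replace(" ", "")).decode("latin-1"),
                  pattern)


def rule_2021078_fires(body: str) -> bool:
    """Case-insensitive AND over every content match, like the Snort rule."""
    lower = body.lower()
    return all(decode_snort_content(c).lower() in lower for c in RULE_CONTENTS)


def classify_variant(body: str) -> str:
    """Label a response body by the stable API names it carries (labels are ours)."""
    lower = body.lower()
    if "generatecrmfrequest" not in lower:
        return "no CRMF indicator"
    if rule_2021078_fires(body):
        return "InstallTrigger/__exposedProps__ chain (sid:2021078 fires)"
    if "console.time" in lower or "tostring" in lower:
        return "toString/console.time chain (sid:2021078 does NOT fire)"
    return "generateCRMFRequest present, variant unknown"


# Constructed sample bodies (synthetic, not captured exploits). Variable names are
# mangled the way an obfuscator would, but the API names survive because the
# script has to reference them, which is why matching on them is robust.
CHAIN_SAMPLE = ('<script>var _0xa1=crypto.generateCRMFRequest;var _0xb2=InstallTrigger;'
                '_0xc3.__exposedProps__={};_0xd4.__defineGetter__("x",_0xe5);'
                'AddonManager.getInstallForURL(_0xf6,function(i){i.install()},'
                '"application/x-xpinstall");</script>')
TOSTRING_SAMPLE = ('<script>var _0x9f=crypto.generateCRMFRequest;'
                   '_0x9f.toString=function(){console.time(_0x9f)};</script>')
BENIGN_SAMPLE = '<script>var t=document.title.toString();console.time("load");</script>'

if __name__ == "__main__":
    for name, body in [("chain", CHAIN_SAMPLE), ("toString", TOSTRING_SAMPLE),
                       ("benign", BENIGN_SAMPLE)]:
        print(f"{name:9s} fires={rule_2021078_fires(body)!s:5s} {classify_variant(body)}")
```

The benign sample shows that `toString`/`console.time` alone are not indicators; only their co-occurrence with generateCRMFRequest is.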
CVSS provenance
| Source | CVSS version | Score | Severity | Vector |
|---|---|---|---|---|
| nvd | 2.0 | 10.0 | CRITICAL | AV:N/AC:L/Au:N/C:C/I:C/A:C |
| vulncheck | — | 10.0 | CRITICAL | — |
| vendor_redhat | — | 10.0 | CRITICAL | — |
| vendor_ubuntu | — | 10.0 | CRITICAL | — |
Ubuntu: Thunderbird vulnerabilities
Source: vendor_ubuntu · 2013-08-07 · CVSS 10.0 · CVE-2013-1701 [CRITICAL]
Summary: Several security issues were fixed in Thunderbird.
Jeff Gilbert and Henrik Skupin discovered multiple memory safety issues
in Thunderbird. If the user were tricked into opening a specially crafted
message with scripting enabled, an attacker could possibly exploit these
to cause a denial of service via application crash, or potentially execute
arbitrary code with the privileges of the user invoking Thunderbird.
(CVE-2013-1701)
It was discovered that a document's URI could be set to the URI of
a different document. If a user had scripting enabled, an attacker
could potentially exploit this to conduct cross-site scripting (XSS)
attacks. (CVE-2013-1709)
A flaw was discovered when generating a CRMF request in certain
circumstances. If a user had
Red Hat: Mozilla: CRMF requests allow for code execution and XSS attacks (MFSA 2013-69)
Source: vendor_redhat · 2013-08-07 · CVSS 10.0 · CVE-2013-1710 [CRITICAL] · CWE-79
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
Package: thunderbird (Red Hat Enterprise Linux 5) - Affected
Ubuntu: Firefox vulnerabilities
Source: vendor_ubuntu · 2013-08-06 · CVSS 10.0 · CVE-2013-1701 [CRITICAL]
Summary: Firefox could be made to crash or run programs as your login if it
opened a malicious website.
Jeff Gilbert, Henrik Skupin, Ben Turner, Christian Holler,
Andrew McCreight, Gary Kwong, Jan Varga and Jesse Ruderman discovered
multiple memory safety issues in Firefox. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit these
to cause a denial of service via application crash, or potentially execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2013-1701, CVE-2013-1702)
A use-after-free bug was discovered when the DOM is modified during a
SetBody mutation event. If the user were tricked in to opening a specially
crafted page, an attacker could potentially exploit this to execute
a
Ubuntu: Ubufox and Unity Firefox Extension update
Source: vendor_ubuntu · 2013-08-06 · CVSS 10.0 · [CRITICAL]
Summary: This update provides compatible packages for Firefox 23.
USN-1924-1 fixed vulnerabilities in Firefox. This update provides the
corresponding updates for Ubufox and Unity Firefox Extension.
Original advisory details:
Jeff Gilbert, Henrik Skupin, Ben Turner, Christian Holler,
Andrew McCreight, Gary Kwong, Jan Varga and Jesse Ruderman discovered
multiple memory safety issues in Firefox. If the user were tricked into
opening a specially crafted page, an attacker could possibly exploit these
to cause a denial of service via application crash, or potentially execute
arbitrary code with the privileges of the user invoking Firefox.
(CVE-2013-1701, CVE-2013-1702)
A use-after-free bug was discovered when the DOM is modified during a
Set
GHSA: GHSA-q7cm-8gjh-863h
Source: ghsa_unreviewed · 2022-05-17 · CVE-2013-1710 [HIGH] · CWE-20
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
VulnCheck: Mozilla seamonkey Improper Input Validation
Source: vulncheck · 2013 · CVSS 10.0 · CVE-2013-1710 [CRITICAL]
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.
Affected: Mozilla seamonkey
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/terror-exploit-kit-more-like-error-exploit-kit/
Suricata: ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt
Source: suricata · 2015-05-08 · CVSS 9.3 · CVE-2013-1710 [CRITICAL]
Rule: alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file.data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, confidence Medium, signature_sever
Exploit-DB: Mozilla Firefox - toString console.time Privileged JavaScript Injection (Metasploit)
Source: exploitdb · 2014-08-19 · CVSS 4.3 · CVE-2013-1670 [MEDIUM]
Module excerpt (truncated on the source page):
```ruby
##
# This module requires Metasploit: http://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'msf/core'
require 'rex/exploitation/jsobfu'
class Metasploit3 HttpClients::FF,
  :ua_minver => "15.0",
  :ua_maxver => "22.0",
  :javascript => true,
  :rank => ExcellentRanking
})
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Firefox toString console.time Privileged Javascript Injection',
    'Description' => %q{
      This exploit gains remote code execution on Firefox 15-22 by abusing two separate
      Javascript-related vulnerabilities to ultimately inject malicious Javascript code
      into a context running with chrome:// privileges.
    },
    'License' => MSF_LICENSE,
```
Exploit-DB: Mozilla Firefox 5.0 < 15.0.1 - __exposedProps__ XCS Code Execution (Metasploit)
Source: exploitdb · 2013-08-06 · CVSS 9.3 · CVE-2012-3993 [CRITICAL]
Module excerpt (truncated on the source page):
```ruby
HttpClients::FF,
  :ua_minver => "5.0",
  :ua_maxver => "15.0.1",
  :javascript => true,
  :rank => NormalRanking
})
def initialize(info = {})
  super(update_info(info,
    'Name' => 'Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution',
    'Description' => %q{
      On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given
      invalid input, would throw an exception that did not have an __exposedProps__
      property set. By re-setting this property on the exception object's prototype,
      the chrome-based defineProperty method is made available.
      With the defineProperty method, functions belonging to window and document can be
      overridden with a function that gets called from chrome-privileged context. From here,
      another vulnerability in the crypto.generateCRMFRequest function
```
Metasploit: Firefox toString console.time Privileged Javascript Injection
Source: metasploit
This exploit gains remote code execution on Firefox 15-22 by abusing two separate Javascript-related vulnerabilities to ultimately inject malicious Javascript code into a context running with chrome:// privileges.
Metasploit: Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution
Source: metasploit
On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silent
Bugzilla: CVE-2013-1710 Mozilla: CRMF requests allow for code execution and XSS attacks (MFSA 2013-69)
Source: bugzilla · 2013-08-06 · CVSS 10.0 · CVE-2013-1710 [CRITICAL]
Mozilla security researcher moz_bug_r_a4 reported a mechanism to execute arbitrary code or conduct a cross-site scripting (XSS) attack when a Certificate Request Message Format (CRMF) request is generated in certain circumstances.
In general these flaws cannot be exploited through email in the Thunderbird and SeaMonkey products because scripting is disabled, but are potentially a risk in browser or browser-like contexts in those products.
External Reference:
http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
Acknowledgements:
Red Hat would like to thank the Mozilla project for reporting this issue. Upstream acknowledges moz_bug_r_a4 as the original reporter.
Discussion:
This issue has b
Bugzilla: CVE-2013-2209 ReviewBoard: Stored XSS due to improper sanitization of user's full name in the reviews dropdown
Source: bugzilla · 2013-06-24 · CVSS 4.3 · CVE-2013-2209 [MEDIUM]
A persistent / stored cross-site scripting (XSS) flaw was found in the way the reviews dropdown of Review Board, a web-based code review tool, performed sanitization of certain user information (full name). A remote attacker could provide a specially crafted URL that, when visited, would lead to arbitrary HTML or web script execution in the context of the Review Board user's session.
References:
[1] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.7.10/
[2] http://www.reviewboard.org/docs/releasenotes/reviewboard/1.6.17/
[3] http://www.reviewboard.org/news/2013/06/22/review-board-1617-and-1710-released/
Discussion:
Upstream patch:
[4] https://github.com/reviewboard/reviewboard/c
References:
- http://www.debian.org/security/2013/dsa-2735
- http://www.debian.org/security/2013/dsa-2746
- http://www.mozilla.org/security/announce/2013/mfsa2013-69.html
- http://www.securityfocus.com/bid/61900
- https://bugzilla.mozilla.org/show_bug.cgi?id=871368
- https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A18773