CVE-2013-1710
published 2013-08-07


Priority: P273 · critical · 10 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:C/I:C/A:C
ITW · EXPLOIT · VulnCheck KEV
Exploited in the wild
EPSS: 40.12% (98.5th percentile)
The crypto.generateCRMFRequest function in Mozilla Firefox before 23.0, Firefox ESR 17.x before 17.0.8, Thunderbird before 17.0.8, Thunderbird ESR 17.x before 17.0.8, and SeaMonkey before 2.20 allows remote attackers to execute arbitrary JavaScript code or conduct cross-site scripting (XSS) attacks via vectors related to Certificate Request Message Format (CRMF) request generation.

Affected

84 ranges · showing 25

Vendor   Product    Version range  Fixed in
mozilla  firefox    <= 22.0
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  firefox
mozilla  seamonkey  <= 2.20
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey
mozilla  seamonkey

Detection & IOCs (extracted from sources)

command: crypto.generateCRMFRequest("CN=Me", "foo", "bar", null, s, 384, null, "rsa-ex")
command: crypto.generateCRMFRequest("CN=Me", ..., null, key, 1024, null, "rsa-ex")
other: Content-Type: application/x-xpinstall
filename: addon.xpi
snort:
alert http $EXTERNAL_NET any -> $HOME_NET any (msg:"ET WEB_CLIENT Possible CVE-2013-1710/CVE-2012-3993 Firefox Exploit Attempt"; flow:established,to_client; file.data; content:"generateCRMFRequest"; nocase; fast_pattern; content:"InstallTrigger"; nocase; content:"__exposedProps__"; nocase; content:"__defineGetter__"; nocase; content:"getInstallForURL"; nocase; content:".install|28|"; nocase; content:"x-xpinstall"; nocase; reference:cve,CVE-2013-1710; reference:cve,CVE-2012-3993; classtype:attempted-user; sid:2021078; rev:4; metadata:affected_product Web_Browsers, affected_product Web_Browser_Plugins, attack_target Client_Endpoint, created_at 2015_05_08, deployment Perimeter, confidence Medium, signature_severity Major, tag Web_Client_Attacks, updated_at 2024_03_14;)
  • Detect HTTP responses containing all of: 'generateCRMFRequest', 'InstallTrigger', '__exposedProps__', '__defineGetter__', 'getInstallForURL', and 'x-xpinstall' — the combination is the ET signature for this exploit chain.
  • The exploit abuses crypto.generateCRMFRequest called from an overridden toString/console.time code path to inject JavaScript into a chrome:// privileged context; monitor for calls to this API from non-chrome origins.
  • The exploit targets Firefox user-agent versions 15.0–22.0 (toString/console.time vector) and 5.0–15.0.1 (__exposedProps__ vector); restrict or alert on these UA version ranges in web proxy logs.
  • Delivery of a .xpi file (malicious Firefox add-on) via application/x-xpinstall MIME type is a key indicator of the __exposedProps__ exploit variant; alert on this content-type served from non-Mozilla origins.
  • The __exposedProps__ exploit silently installs a malicious add-on via AddonManager.getInstallForURL; monitor browser extension install events triggered from web content context.
  • The ET Snort rule (sid:2021078) covers the combined CVE-2013-1710 + CVE-2012-3993 exploit chain; it will NOT fire on the simpler toString/console.time variant (CVE-2013-1710 + CVE-2013-1670) which does not use InstallTrigger/__exposedProps__/getInstallForURL.
  • The Metasploit modules use JSObfu to obfuscate the JavaScript payload; static string-matching on JS variable names will be bypassed. Detection should focus on the stable API call patterns (generateCRMFRequest, InstallTrigger, x-xpinstall) rather than variable names.
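
The coverage gap described in the notes above, as an added example (not code from this page, Emerging Threats or Mozilla): it applies the rule's case-insensitive content strings to captured HTTP response bodies and separately flags bodies that carry only generateCRMFRequest, which sid:2021078 would miss. The function names, URLs and sample bodies are constructed for illustration.

```python
# Added example. The token list mirrors the content: fields of sid:2021078
# quoted above (".install|28|" is ".install("). Everything else is assumed.

RULE_TOKENS = (
    b"generatecrmfrequest", b"installtrigger", b"__exposedprops__",
    b"__definegetter__", b"getinstallforurl", b".install(", b"x-xpinstall",
)
ANCHOR = b"generatecrmfrequest"  # the API name common to both variants


def classify_body(body: bytes) -> dict:
    """Classify a response body the way the rule's 'nocase' contents would."""
    lowered = body.lower()  # every content match in the rule is nocase
    missing = [t.decode() for t in RULE_TOKENS if t not in lowered]
    if not missing:
        verdict = "full-chain"   # all contents present: rule-equivalent hit
    elif ANCHOR in lowered:
        verdict = "crmf-only"    # variant the rule does not fire on
    else:
        verdict = "no-match"
    return {"verdict": verdict, "missing": missing}


def triage(responses):
    """Return (url, verdict) for bodies that deserve analyst review."""
    hits = []
    for url, body in responses:
        verdict = classify_body(body)["verdict"]
        if verdict != "no-match":
            hits.append((url, verdict))
    return hits


# Constructed, inert sample bodies: token text only, with arbitrary variable
# names to show that matching does not depend on them.
SAMPLES = [
    ("http://example.test/a",
     b"<script>/* InstallTrigger __exposedProps__ __defineGetter__ "
     b"getInstallForURL zq.install( x-xpinstall GenerateCRMFRequest */</script>"),
    ("http://example.test/b",
     b"<script>var kQ7 = 'crypto.generateCRMFRequest';</script>"),
    ("http://example.test/c", b"<html>InstallTrigger only</html>"),
]

if __name__ == "__main__":
    for url, verdict in triage(SAMPLES):
        print(url, verdict)
```

A "crmf-only" verdict is a lead for review rather than a confirmed hit, since it rests on a single API name.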

CVSS provenance

nvd            v2.0  10.0  CRITICAL  AV:N/AC:L/Au:N/C:C/I:C/A:C
vulncheck            10.0  CRITICAL
vendor_redhat        10.0  CRITICAL
vendor_ubuntu        10.0  CRITICAL