Vulnerability & Exploit Database

Back to search

Firefox 5.0 - 15.0.1 __exposedProps__ XCS Code Execution

On versions of Firefox from 5.0 to 15.0.1, the InstallTrigger global, when given invalid input, would throw an exception that did not have an __exposedProps__ property set. By re-setting this property on the exception object's prototype, the chrome-based defineProperty method is made available. With the defineProperty method, functions belonging to window and document can be overridden with a function that gets called from chrome-privileged context. From here, another vulnerability in the crypto.generateCRMFRequest function is used to "peek" into the context's private scope. Since the window does not have a chrome:// URL, the insecure parts of Components.classes are not available, so instead the AddonManager API is invoked to silently install a malicious plugin.

Free Metasploit Download

Get your copy of the world's leading penetration testing tool

 Download Now

Module Name



  • Mariusz Mlynski
  • moz_bug_r_a4
  • joev <joev [at]>



  • Universal (Javascript XPCOM Shell)
  • Native Payload


  • java
  • linux
  • osx
  • solaris
  • windows
  • firefox


  • firefox
  • x86, x86_64, x64, mips, mipsle, mipsbe, mips64, mips64le, ppc, ppce500v2, ppc64, ppc64le, cbea, cbea64, sparc, sparc64, armle, armbe, aarch64, cmd, php, tty, java, ruby, dalvik, python, nodejs, firefox, zarch, r



Module Options

To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced':

msf > use exploit/multi/browser/firefox_proto_crmfrequest msf exploit(firefox_proto_crmfrequest) > show targets ...targets... msf exploit(firefox_proto_crmfrequest) > set TARGET <target-id> msf exploit(firefox_proto_crmfrequest) > show options and set options... msf exploit(firefox_proto_crmfrequest) > exploit

Related Vulnerabilities

Related Modules