11. Karotz
Smart
Rabbit
Python
Module
Hijacking
• Python
Module
Hijacking
is
insecure
library
loading
o Similar
to
LD_PRELOAD
and
DLL
hijacking
• Python
loads
modules
from
the
dir
of
script
first
• Karotz
autorunwifi
script
uses
simplejson
module
o Put
code
to
execute
in
simplejson.py
in
the
same
directory
as
autorunwifi
• Defeats
code
signing
12. Karotz
Smart
Rabbit
An
aIacker
could:
• MITM
insecure
connecFon
to
Karotz
server
• Replace
user's
download
with
malicious
version
• Use
vuln
to
make
Karotz
run
their
own
code!
• ...Bunny
bot
net?