VYPR
NVD Advisory · Unrated severity · Published Dec 27, 2019 · Updated Aug 6, 2024

CVE-2013-4867

Description

Python module hijacking in Karotz Smart Rabbit 12.07.19.00 allows arbitrary code execution via a malicious simplejson.py on a USB drive.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

The Karotz Smart Rabbit firmware version 12.07.19.00 contains a Python module hijacking vulnerability in the autorunwifi script, which is executed as root during the WiFi setup process. The script imports the simplejson module, and Python's module search order loads modules from the same directory as the invoking script before searching system paths. An attacker can place a malicious simplejson.py file on a USB flash drive or hard drive, which will be loaded instead of the legitimate module [1].

Exploitation

An attacker must have physical access to the Karotz device to insert a USB drive containing a crafted simplejson.py file. The autorunwifi script is automatically run when the user selects WiFi as the connection method during setup. No authentication or user interaction beyond initiating the setup is required. The malicious file is executed with root privileges [1].

Impact

Successful exploitation allows arbitrary code execution as the root user, leading to full compromise of the Karotz device. The attacker can execute commands, modify system files, or install persistent backdoors [1].

Mitigation

No official fix has been released by Electronic Arts. Users should avoid using the WiFi setup feature with untrusted USB drives. As a workaround, ensure that only trusted USB storage is used during initial configuration [1].

AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 2

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"Python's module search path prioritizes the script's own directory over system paths, allowing a malicious .py file on a USB drive to hijack an imported module."

Attack vector

An attacker must physically insert a USB flash drive containing a malicious Python file (e.g., "simplejson.py") into the Karotz unit, then power-cycle the device so the "autorunwifi" script runs as root during setup [ref_id=1]. Because Python loads modules from the same directory as the invoked script before searching system paths, the attacker's file is executed in place of the legitimate module, granting arbitrary code execution with root privileges [CWE-427] [ref_id=1].

Affected code

The vulnerability is in the Python module loading behavior during the execution of the "autorunwifi" script, which is placed in the root of a USB flash drive or hard drive. Python's import mechanism first attempts to load modules from the same directory as the invoked script, allowing a malicious "simplejson.py" file placed alongside the setup files to override the legitimate "simplejson" module [ref_id=1].
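The search-order behaviour described above (the directory of the invoked script is consulted before the system paths, so a same-named .py file beside the script wins) can be reproduced on a workstation and, more usefully, checked against. The following is an added example written for this page, not code from the advisory or from the Karotz firmware: it shadows the standard-library json package rather than simplejson so that it runs without third-party packages, and the file name probe.py, the MARKER constant and the temporary directory standing in for the USB drive are all constructed. It also shows the two defensive measures a privileged setup script could apply: starting the interpreter in isolated mode (-I, which keeps the script directory off sys.path) and verifying an imported module's __file__ against the expected trusted location before relying on it.

```python
import os
import subprocess
import sys
import tempfile
import textwrap
from types import ModuleType

# Module we shadow. The Karotz script imported simplejson; the stdlib json
# package stands in for it here so the example needs no third-party packages.
SHADOWED = "json"

# Constructed probe script: imports the module and prints where it came from.
PROBE_SCRIPT = textwrap.dedent(f"""\
    import {SHADOWED}
    print({SHADOWED}.__file__)
""")

# Constructed shadowing module: a harmless marker in place of any payload.
SHADOW_MODULE = "MARKER = 'shadow module loaded from the script directory'\n"


def run_probe(isolated: bool) -> str:
    """Write probe.py and a same-named shadow module into one temporary
    directory (standing in for the USB drive), run the probe with the
    current interpreter, and return the path of the module that was loaded.

    isolated=True passes -I, which keeps the script's directory off
    sys.path (on Python 3.11+, -P or PYTHONSAFEPATH does the same without
    the other effects of isolated mode).
    """
    with tempfile.TemporaryDirectory() as usb_root:
        script = os.path.join(usb_root, "probe.py")
        with open(script, "w") as f:
            f.write(PROBE_SCRIPT)
        with open(os.path.join(usb_root, SHADOWED + ".py"), "w") as f:
            f.write(SHADOW_MODULE)

        cmd = [sys.executable]
        if isolated:
            cmd.append("-I")
        cmd.append(script)
        result = subprocess.run(cmd, capture_output=True, text=True, check=True)
        return result.stdout.strip()


def was_hijacked(isolated: bool) -> bool:
    """True when the probe picked up the shadow file instead of the real
    package (the genuine json package reports .../json/__init__.py)."""
    return os.path.basename(run_probe(isolated)) == SHADOWED + ".py"


def module_under(mod: ModuleType, trusted_root: str) -> bool:
    """Runtime origin check a privileged script can apply after importing:
    the module's file must live under trusted_root. Modules without a
    __file__ (builtins) are accepted because no file on disk can shadow them.
    """
    path = getattr(mod, "__file__", None)
    if path is None:
        return True
    path = os.path.realpath(path)
    root = os.path.realpath(trusted_root)
    try:
        return os.path.commonpath([path, root]) == root
    except ValueError:  # different drives on Windows: not under the root
        return False


def stdlib_json_is_genuine() -> bool:
    """Check the json imported by this process against the stdlib directory,
    located via os.__file__ (os.py and the json package share that directory)."""
    import json
    return module_under(json, os.path.dirname(os.__file__))


if __name__ == "__main__":
    print("default mode hijacked:", was_hijacked(isolated=False))
    print("isolated mode hijacked:", was_hijacked(isolated=True))
    print("json in this process is stdlib:", stdlib_json_is_genuine())
```

The origin check in module_under is the part a signature on the main script (like the autorunwifi.sig file the advisory mentions) does not give you: a signed script still trusts whatever its import statements resolve to, so either the interpreter must be started so that removable media never appears on sys.path, or the script must verify where each imported module came from before running as root.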

What the fix does

The advisory does not include a patch or vendor fix. It recommends that users ensure the Karotz is not left in a state where an attacker can physically insert a USB drive and reboot the device, and notes that the "autorunwifi.sig" signature file only protects the main script, not the Python module loading path [ref_id=1]. No official remediation from Electronic Arts is documented in the advisory.

Preconditions

  • input: Attacker must have physical access to insert a USB flash drive into the Karotz unit.
  • config: The Karotz must be powered off and then powered on to trigger the autorunwifi script execution.

Reproduction

Create a file named "simplejson.py" containing arbitrary Python commands (e.g., `import os; os.system("cp /karotz/etc/gpg/pubring.gpg /mnt/usbkey")`), place it on a USB flash drive alongside the Karotz setup files, insert the drive into the Karotz unit, and reboot the device [ref_id=1].

Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 2

News mentions: 0 (no linked articles in our index yet)