Hugging Face's logo

0xiviel
/
poc-caffe-pythonlayer-rce

Model card Files
xet
 Community
poc-caffe-pythonlayer-rce
File size: 2,116 Bytes
5052e5e
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# PoC: Caffe PythonLayer Arbitrary Code Execution (CWE-94)

## Vulnerability

BVLC/caffe's `GetPythonLayer()` in `layer_factory.cpp:295` calls `bp::import()` with an attacker-controlled module name read from a `.prototxt` model file. When a victim loads a crafted `.prototxt`, Python's import mechanism executes all top-level code in the specified module, achieving arbitrary code execution.

```cpp
// layer_factory.cpp:295 — no sanitization, no allowlist
bp::object module = bp::import(param.python_param().module().c_str());
bp::object layer = module.attr(param.python_param().layer().c_str())(param);
```

- **CWE-94:** Improper Control of Generation of Code (Code Injection)
- **CVSS:** 8.8 (High)
- **Condition:** Requires `WITH_PYTHON_LAYER=1` compile flag (commonly enabled for custom layers)
- **Repository:** https://github.com/BVLC/caffe (archived, last commit 2020)

## Files

| File | Description |
|------|-------------|
| `evil_layer.py` | Malicious Python module — top-level code executes on import |
| `poc_rce.prototxt` | Caffe model config that references the malicious module |

## Reproduction

```bash
# Requires Caffe built with WITH_PYTHON_LAYER=1
cd /path/to/this/directory
caffe test -model poc_rce.prototxt -iterations 1 2>/dev/null
cat /tmp/caffe_rce_proof.txt
```

Or via Python:

```python
import caffe
net = caffe.Net('poc_rce.prototxt', caffe.TEST)
# → evil_layer.py top-level code executes immediately
```

## Attack Scenario

1. Attacker distributes a model package (`.prototxt` + `.py` module)
2. The `.prototxt` contains a Python layer referencing the included module
3. Victim loads the model for inference
4. `bp::import()` triggers Python import → all top-level code in the module executes
5. Full RCE with the victim's privileges

## Root Cause

The `PythonParameter` protobuf message allows arbitrary module and layer names:

```protobuf
message PythonParameter {
  optional string module = 1;   // → bp::import(module)
  optional string layer = 2;    // → module.attr(layer)(param)
}
```

No validation, no allowlist, no sandboxing is applied before the import.