PoC: Caffe PythonLayer Arbitrary Code Execution (CWE-94)
Vulnerability
BVLC/caffe's GetPythonLayer() in layer_factory.cpp:295 calls bp::import() with an attacker-controlled module name read from a .prototxt model file. When a victim loads a crafted .prototxt, Python's import mechanism executes all top-level code in the specified module, achieving arbitrary code execution.
// layer_factory.cpp:295 — no sanitization, no allowlist
bp::object module = bp::import(param.python_param().module().c_str());
bp::object layer = module.attr(param.python_param().layer().c_str())(param);
- CWE-94: Improper Control of Generation of Code (Code Injection)
- CVSS: 8.8 (High)
- Condition: Requires
WITH_PYTHON_LAYER=1compile flag (commonly enabled for custom layers) - Repository: https://github.com/BVLC/caffe (archived, last commit 2020)
Files
| File | Description |
|---|---|
evil_layer.py |
Malicious Python module — top-level code executes on import |
poc_rce.prototxt |
Caffe model config that references the malicious module |
Reproduction
# Requires Caffe built with WITH_PYTHON_LAYER=1
cd /path/to/this/directory
caffe test -model poc_rce.prototxt -iterations 1 2>/dev/null
cat /tmp/caffe_rce_proof.txt
Or via Python:
import caffe
net = caffe.Net('poc_rce.prototxt', caffe.TEST)
# → evil_layer.py top-level code executes immediately
Attack Scenario
- Attacker distributes a model package (
.prototxt+.pymodule) - The
.prototxtcontains a Python layer referencing the included module - Victim loads the model for inference
bp::import()triggers Python import → all top-level code in the module executes- Full RCE with the victim's privileges
Root Cause
The PythonParameter protobuf message allows arbitrary module and layer names:
message PythonParameter {
optional string module = 1; // → bp::import(module)
optional string layer = 2; // → module.attr(layer)(param)
}
No validation, no allowlist, no sandboxing is applied before the import.