Add README.md
README.md
ADDED
@@ -0,0 +1,61 @@
| 1 |
+
# PoC: Caffe PythonLayer Arbitrary Code Execution (CWE-94)
|
| 2 |
+
|
| 3 |
+
## Vulnerability
|
| 4 |
+
|
| 5 |
+
BVLC/caffe's `GetPythonLayer()` in `layer_factory.cpp:295` calls `bp::import()` with an attacker-controlled module name read from a `.prototxt` model file. When a victim loads a crafted `.prototxt`, Python's import mechanism executes all top-level code in the specified module, achieving arbitrary code execution.
|
| 6 |
+
|
| 7 |
+
```cpp
|
| 8 |
+
// layer_factory.cpp:295 — no sanitization, no allowlist
|
| 9 |
+
bp::object module = bp::import(param.python_param().module().c_str());
|
| 10 |
+
bp::object layer = module.attr(param.python_param().layer().c_str())(param);
|
| 11 |
+
```
|
| 12 |
+
|
| 13 |
+
- **CWE-94:** Improper Control of Generation of Code (Code Injection)
|
| 14 |
+
- **CVSS:** 8.8 (High)
|
| 15 |
+
- **Condition:** Requires `WITH_PYTHON_LAYER=1` compile flag (commonly enabled for custom layers)
|
| 16 |
+
- **Repository:** https://github.com/BVLC/caffe (archived, last commit 2020)
|
| 17 |
+
|
| 18 |
+
## Files
|
| 19 |
+
|
| 20 |
+
| File | Description |
|
| 21 |
+
|------|-------------|
|
| 22 |
+
| `evil_layer.py` | Malicious Python module — top-level code executes on import |
|
| 23 |
+
| `poc_rce.prototxt` | Caffe model config that references the malicious module |
|
| 24 |
+
|
| 25 |
+
## Reproduction
|
| 26 |
+
|
| 27 |
+
```bash
|
| 28 |
+
# Requires Caffe built with WITH_PYTHON_LAYER=1
|
| 29 |
+
cd /path/to/this/directory
|
| 30 |
+
caffe test -model poc_rce.prototxt -iterations 1 2>/dev/null
|
| 31 |
+
cat /tmp/caffe_rce_proof.txt
|
| 32 |
+
```
|
| 33 |
+
|
| 34 |
+
Or via Python:
|
| 35 |
+
|
| 36 |
+
```python
|
| 37 |
+
import caffe
|
| 38 |
+
net = caffe.Net('poc_rce.prototxt', caffe.TEST)
|
| 39 |
+
# → evil_layer.py top-level code executes immediately
|
| 40 |
+
```
|
| 41 |
+
|
| 42 |
+
## Attack Scenario
|
| 43 |
+
|
| 44 |
+
1. Attacker distributes a model package (`.prototxt` + `.py` module)
|
| 45 |
+
2. The `.prototxt` contains a Python layer referencing the included module
|
| 46 |
+
3. Victim loads the model for inference
|
| 47 |
+
4. `bp::import()` triggers Python import → all top-level code in the module executes
|
| 48 |
+
5. Full RCE with the victim's privileges
|
| 49 |
+
|
| 50 |
+
## Root Cause
|
| 51 |
+
|
| 52 |
+
The `PythonParameter` protobuf message allows arbitrary module and layer names:
|
| 53 |
+
|
| 54 |
+
```protobuf
|
| 55 |
+
message PythonParameter {
|
| 56 |
+
optional string module = 1; // → bp::import(module)
|
| 57 |
+
optional string layer = 2; // → module.attr(layer)(param)
|
| 58 |
+
}
|
| 59 |
+
```
|
| 60 |
+
|
| 61 |
+
No validation, no allowlist, no sandboxing is applied before the import.
|
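Review bot: the Reproduction section's `caffe test -model poc_rce.prototxt -iterations 1 2>/dev/null` discards stderr, so a reader whose Caffe was built without `WITH_PYTHON_LAYER=1` (the stated precondition) gets no import, an empty `cat /tmp/caffe_rce_proof.txt`, and no way to tell a non-vulnerable build from a PoC that simply failed to run; drop the `2>/dev/null` and check the exit status, and add to the Files table that `evil_layer.py` is what writes `/tmp/caffe_rce_proof.txt`, since the README never says where that file comes from. The `cd /path/to/this/directory` step is load-bearing and should say so: `bp::import()` resolves `evil_layer` through the interpreter's `sys.path`, so the module has to be importable from the Caffe process (working directory or `PYTHONPATH`) or the import raises and nothing executes. The `CVSS: 8.8 (High)` line should carry its vector string; the Attack Scenario already makes clear that the victim must load the model, and readers will want to see that user-interaction assumption reflected in the scoring rather than take the number on trust. Finally, since the repository is archived with no upstream fix, the README should close with the mitigation that follows from the Root Cause section: treat any `.prototxt` containing a Python layer as executable code and only load model packages from sources trusted to run code as the loading user.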