CVE-2024-45436 - How Ollama’s ZIP Extraction Bug Can Let Attackers Escape Directories
In June 2024, a serious vulnerability (CVE-2024-45436) was discovered in the popular open-source project Ollama. This bug, found in the extractFromZipFile function inside model.go, could let malicious ZIP files place files outside of their intended directory. That means attackers might overwrite important files or drop malware virtually anywhere on the server.
This post walks you through what went wrong, how the exploit works, and how you can protect your systems. Let’s dig in!
What is Ollama and Why Does This Matter?
Ollama is a tool for running large language models locally. It’s pretty popular with developers looking for local alternatives to OpenAI or Google. Like many AI tools today, Ollama has to deal with lots of model files, configs, and ZIP archives.
If the software you use to unpack ZIP files isn’t careful, it opens you up to a big risk: directory traversal. That’s when a ZIP file tries to escape the folder it should be stuck in and puts files where it shouldn’t.
The Core of the Problem: Vulnerable ZIP Extraction
Here’s what happened in Ollama before version 0.1.47. Inside the file model.go, the function extractFromZipFile pulls files out of a ZIP archive and puts them in a directory. But it didn’t always check the file paths in the ZIP. That meant filenames like ../../badfile.sh could break containment and go outside the intended root directory.
Simplified Example of the Vulnerable Code
// model.go (before 0.1.47)
for _, zipFile := range zipReader.File {
    outPath := filepath.Join(destDir, zipFile.Name)
    // ... extract file to outPath ...
}
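If zipFile.Name is something like ../../etc/passwd, filepath.Join resolves the ../ segments and the result lands outside destDir; from a shallow enough directory, the process suddenly tries to write to /etc/passwd!
Let’s say an attacker crafts a ZIP like this: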
evil.zip
|
|-- ../../home/ollama/.ssh/authorized_keys
|-- model.bin
When this is extracted by the vulnerable extractFromZipFile, it overwrites authorized_keys in the home directory. Boom! Now the attacker can SSH into the box.
Or they could overwrite system files, plant scripts in cron directories, or do pretty much anything the user running Ollama can do.
Sample Exploit ZIP Creation (Python)
import zipfile

with zipfile.ZipFile("evil.zip", "w") as z:
    # Escapes the output directory
    z.writestr("../../tmp/pwned.txt", "You got hacked!")
    z.writestr("model.bin", "Fake model data")
If Ollama gets this ZIP and unpacks it using the old code, /tmp/pwned.txt will appear on your server.
Real-World Impact
- Remote Code Execution (RCE): If the attacker can control what ZIP files Ollama fetches or loads, they might run code or overwrite keys.
- Data Loss: Sensitive files might be replaced or deleted.
- Supply Chain Attacks: If models or plugins are shared as ZIPs, a compromised file can target downstream users.
How It Was Fixed
The Ollama team closed this hole in release 0.1.47. The fix checks that every file about to be extracted stays inside the intended root directory:
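// Example fix: prevent path traversal
root := filepath.Clean(destDir)
cleanPath := filepath.Join(root, zipFile.Name) // Join returns a cleaned path
// Compare against root plus a separator so that a sibling directory
// sharing the same name prefix does not pass the check
if !strings.HasPrefix(cleanPath, root+string(filepath.Separator)) {
    return errors.New("zip entry escapes extraction directory")
}
// ... safe extraction ...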
So if a ZIP tries to escape with ../../, the code detects it and blocks the extraction.
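As an added example (not Ollama's code and not part of the original post), the Go program below runs a containment check over a constructed in-memory ZIP and also reports which rejected entries a bare strings.HasPrefix comparison would have accepted. The names safeJoin and audit, the /srv/models directory and the entry names are assumptions made for illustration; nothing is written to disk.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"path/filepath"
	"strings"
)

// safeJoin (hypothetical helper) maps an entry name to a path strictly inside destDir.
func safeJoin(destDir, name string) (string, error) {
	target := filepath.Join(destDir, name) // Join also resolves "../" segments
	rel, err := filepath.Rel(destDir, target)
	if err != nil || rel == "." || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("zip entry %q escapes %s", name, destDir)
	}
	return target, nil
}

// audit reads a constructed in-memory ZIP: bad = entries safeJoin refuses, missed = those a bare HasPrefix check accepts.
func audit(destDir string, names ...string) (bad, missed []string, err error) {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, n := range names {
		if _, err := w.Create(n); err != nil {
			return nil, nil, err
		}
	}
	if err := w.Close(); err != nil {
		return nil, nil, err
	}
	r, err := zip.NewReader(bytes.NewReader(buf.Bytes()), int64(buf.Len()))
	if r == nil { // a reader returned together with zip.ErrInsecurePath is still usable
		return nil, nil, err
	}
	for _, f := range r.File {
		if _, err := safeJoin(destDir, f.Name); err != nil {
			bad = append(bad, f.Name)
			if strings.HasPrefix(filepath.Join(destDir, f.Name), filepath.Clean(destDir)) {
				missed = append(missed, f.Name)
			}
		}
	}
	return bad, missed, nil
}

func main() {
	fmt.Println(audit("/srv/models", "model.bin", "../../tmp/pwned.txt", "../models-old/x"))
}
```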
- Update Ollama: Upgrade to 0.1.47 or newer.
- Check Model Sources: Only use ZIP files from sources you trust, especially if you’re running models as a privileged user.
In Summary
CVE-2024-45436 was a classic but dangerous directory traversal in Ollama’s model ZIP handling. Now that you understand the risk, make sure to patch your Ollama installs and be careful with the ZIP files you trust.
Stay safe, keep things updated, and never underestimate what a little ../ in a ZIP file can do!
Timeline
Published on: 08/29/2024 03:15:05 UTC
Last modified on: 08/30/2024 16:08:54 UTC