Technical Advisory – Ollama DNS Rebinding Attack (CVE-2024-28224)

NCC Group discovered a DNS rebinding vulnerability in Ollama (fixed in v0.1.29) that allows a malicious webpage to bypass the browser's same-origin policy and call the local, unauthenticated Ollama API (by default listening on 127.0.0.1:11434) to read and exfiltrate files. The proof-of-concept uses a JavaScript payload plus a rogue registry to upload model artifacts (including the contents of local files) to an attacker-controlled host. #Ollama #CVE-2024-28224

Keypoints

  • Ollama prior to v0.1.29 is vulnerable to DNS rebinding, enabling a remote attacker to reach its local API, which has no authentication, from a web page the victim visits.
  • An attacker-controlled webpage can force a victim’s browser to interact with the Ollama service on localhost via DNS rebinding in as little as 3 seconds, because the browser treats requests to the attacker's hostname (now resolving to 127.0.0.1) as same-origin.
  • The PoC uses a JavaScript payload that calls Ollama’s /api/create and /api/push endpoints to load a local file into a model and then push the model artifacts to an attacker registry.
  • Exfiltration is achieved by using the ADAPTER Modelfile instruction to load local file content (e.g., /tmp/test.txt) into the model artifacts, then setting the model name to an attacker URL (e.g., http://attacker.com/…) so that the push goes to the attacker's registry instead of the default one.
  • A simple Go-based rogue registry implements just enough of the registry API to accept uploads and print the exfiltrated data, while claiming to already possess the large base-model blobs so the client does not upload them.
  • Mitigations include updating to v0.1.29 or later (which validates the Host header), enforcing TLS and authentication on local services, and strict Host header validation on any local API to block rebinding attempts.

MITRE Techniques

  • [T1189] Drive-by Compromise – Attackers lure users to a malicious website that performs DNS rebinding to trick browsers into interacting with the local Ollama API (‘Attackers must direct Ollama users running Ollama on their computers to connect to a malicious web server…’).
  • [T1059.007] Command and Scripting Interpreter: JavaScript – A JavaScript payload is executed in the victim’s browser to call Ollama endpoints and orchestrate the exfiltration (‘A proof-of-concept payload, written in JavaScript is provided below.’).
  • [T1005] Data from Local System – The Ollama APIs are sequenced to read arbitrary files accessible to the Ollama process, e.g., ‘/tmp/test.txt’ (‘sequence these APIs to read arbitrary file data accessible by the process under which Ollama runs, and exfiltrate this data’).
  • [T1567] Exfiltration Over Web Service – Model artifacts (including exfiltrated files) are uploaded to an attacker-controlled registry URL using the /api/push call with the model name set to an attacker host (‘we can specify a URL instead e.g. http://attacker.com/myrepo/mymaliciousmodel … allows attackers to exfiltrate data to another (attacker-controlled) registry’).
  • [T1583.004] Acquire Infrastructure: Server (Rogue Registry) – The attacker operates a lightweight registry server that accepts uploads and returns Docker-Upload-Location headers to receive model blobs and dump exfiltrated contents (‘we wrote a proof-of-concept web server … to receive the exfiltrated data and dump it in the terminal’). This is attacker-side receiving infrastructure, not an Ingress Tool Transfer (T1105): nothing is transferred into the victim environment.

Indicators of Compromise

  • [Domain] attacker-controlled registry used in PoC – http://attacker.com/myrepo/mymaliciousmodel and attacker.com are placeholders from the advisory, not observed infrastructure; in a real attack the host is whatever domain the attacker rebinds.
  • [File path] exfiltrated local file example – /tmp/test.txt (loaded via ADAPTER in the PoC); any file readable by the Ollama process can be substituted.
  • [API endpoints] Ollama API calls used by payload – /api/create, /api/push. The useful signal is a request to these endpoints whose Host header is not a loopback name (e.g., attacker.com:11434), or a push with "insecure": true to a registry other than the default registry.ollama.ai.
  • [SHA256 hashes] registry blob digests the rogue registry claims to already hold – c70fa74a8e81c3bd041cc2c30152fe6e251fdc915a3792147147a5c06bc4b309, 8934d96d3f08982e95922b2b7a2c626a1fe873d7c3b06e8e56d7bc0a1fef9246. These identify legitimate base-model layers (the PoC fakes possession of them to save bandwidth), not malicious files, so they should not be treated as block-list indicators on their own.
  • [Version/CVE] affected versions and identifier – Ollama versions prior to v0.1.29; CVE-2024-28224.

To exploit the vulnerability an attacker hosts a malicious webpage (or drives a headless browser) that triggers DNS rebinding: once the page is loaded, the attacker's DNS answer for its own domain is switched to 127.0.0.1, so later requests from the page to attacker.com:11434 reach the local Ollama listener while the browser still treats them as same-origin. After the rebind, a JavaScript payload calls Ollama’s /api/create with a Modelfile whose ADAPTER instruction points at a local file (for example “/tmp/test.txt”), so Ollama reads that file and stores its contents as a layer of the newly created model.

Next, the payload calls /api/push with the model name set to an attacker-controlled URL (e.g., http://attacker.com/myrepo/mymaliciousmodel) and “insecure”: true so the client talks plain HTTP, causing Ollama to upload the model artifacts, including the file contents, to the rogue registry. The attacker’s registry implements just enough of the Docker/OCI registry API (responding to HEAD, POST and PATCH and returning Docker-Upload-Location headers) to accept blobs and print or store the exfiltrated data, and can claim to already hold the large base-model blobs by digest so the client skips uploading them.

Proof-of-concept components used by NCC Group include the Singularity of Origin DNS rebinding tool to perform the rebind, a JavaScript payload that sequences the /api/create and /api/push calls (embedding the ADAPTER instruction and the attacker URL), and a small Go server implementing the registry endpoints to capture blobs. Defenses are to update to v0.1.29 or later, which validates the Host header; to require authentication and TLS on services, including ones bound to localhost where possible; and, for any other local API, to strictly validate the Host header so that only authorized loopback values are accepted, since after a rebind the browser still sends the attacker's hostname in that header.
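The Host header check described above is the generic fix for this class of bug. The following Go program is an added example, not Ollama's code or NCC Group's PoC: it puts a stand-in local API handler behind a Host allowlist middleware and probes both the unguarded and the guarded handler with the Host value a rebinding page would send. The allowlist contents, the handler and the Probe helper are this example's own assumptions; the key point it demonstrates is that after a rebind the TCP connection arrives on 127.0.0.1 but the Host header still reads attacker.com:11434, so the header alone distinguishes the two.

```go
package main

import (
	"fmt"
	"net"
	"net/http"
	"net/http/httptest"
	"strings"
)

// loopbackNames is the allowlist of Host values a local-only API accepts.
// Assumption for this example: the usual loopback names; it is not Ollama's
// exact list.
var loopbackNames = map[string]bool{
	"localhost": true,
	"127.0.0.1": true,
	"::1":       true,
	"0.0.0.0":   true,
}

// AllowedHost reports whether an HTTP Host header value names the local
// machine. After a DNS rebind the browser still sends the attacker's hostname
// (e.g. "attacker.com:11434") even though the socket went to 127.0.0.1, so
// checking the header is enough to tell a rebinding request apart.
func AllowedHost(host string) bool {
	h := host
	if name, _, err := net.SplitHostPort(host); err == nil {
		h = name // strips ":port" and IPv6 brackets; errors mean no port was given
	}
	h = strings.ToLower(strings.TrimSuffix(h, "."))
	if loopbackNames[h] {
		return true
	}
	// Any other literal address in 127.0.0.0/8 is also the local machine.
	if ip := net.ParseIP(h); ip != nil && ip.IsLoopback() {
		return true
	}
	return false
}

// HostGuard rejects requests whose Host header does not name the local
// machine before they reach the API. Host "localhost.attacker.com" and
// "127.0.0.1.attacker.com" are rejected because neither is in the allowlist
// nor a literal loopback IP.
func HostGuard(next http.Handler) http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if !AllowedHost(r.Host) {
			http.Error(w, "invalid host header", http.StatusForbidden)
			return
		}
		next.ServeHTTP(w, r)
	})
}

// api stands in for an unauthenticated local API such as /api/create: before
// the fix it served any request that reached the loopback port.
var api = http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
	fmt.Fprintf(w, "handled %s %s\n", r.Method, r.URL.Path)
})

// Probe sends one JSON POST with the given Host header through h and returns
// the status code, which is what the rebinding page's JavaScript would see.
func Probe(h http.Handler, host, path string) int {
	req := httptest.NewRequest(http.MethodPost, path, strings.NewReader(`{}`))
	req.Host = host
	rec := httptest.NewRecorder()
	h.ServeHTTP(rec, req)
	return rec.Code
}

func main() {
	hosts := []string{"localhost:11434", "127.0.0.1:11434", "[::1]:11434",
		"attacker.com:11434", "localhost.attacker.com:11434"}
	for _, host := range hosts {
		fmt.Printf("%-30s unguarded=%d guarded=%d\n", host,
			Probe(api, host, "/api/create"), Probe(HostGuard(api), host, "/api/create"))
	}
}
```

Running it shows the unguarded handler answering 200 for every Host value, while the guarded one answers 403 for attacker.com:11434 and the lookalike names and 200 only for loopback names. The check belongs in front of every endpoint, not just /api/create and /api/push, because a rebinding page can call whatever route the service exposes.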

Read more: https://research.nccgroup.com/2024/04/08/technical-advisory-ollama-dns-rebinding-attack-cve-2024-28224/