Heap-overflowing Llama.cpp to RCE
Retr0's Threat Research
Although we still hold no libc/ggml-base base addresses, we can partially overwrite other buffer->iface members that have an entirely controllable first-parameter register and a receivable return value, the essential factors that make leaking possible, at least in theory. If you wonder why we need to leak another library: to receive a reverse shell via the heap overflow, where we don't have direct control over an rwx segment as we do in stack overflows, the best way is to execute commands via system() and pass in the address where the command is stored as an argument. Turning the theoretical exploitation into reality takes some extra consideration and a few tricks. To begin with, we do not replace the original buffer structure yet, since we still depend on the buffer->iface pointer manipulations to redirect the execution flow.