2025-10-24, Europe
AI and LLMs are everywhere, but how are they actually implemented? In this session, we will take a detailed look at Ollama, a popular tool to run LLMs locally. In the context of Pwn2Own, we will learn about Ollama's architecture and the GGUF file format for storing large language models. We will then explore a few memory corruption bugs in the handling of these files and dive deep into the exploitation of one of them. The presentation ends with a live exploit demo, notes on disclosure, and lessons learned.
With the rise of AI, a new target category was introduced at Pwn2Own Berlin 2025 covering software that powers AI and machine learning applications. One of the targets was Ollama, a widely used tool for running LLMs like Llama and DeepSeek-R1 on your local machine.
This talk tells the story of my attempt to exploit Ollama for Pwn2Own, how I failed, and how I still eventually succeeded. If you have ever wondered about LLM implementations and their attack surface, this talk is for you! We will discover how models are serialized to files and how the handling of the GGUF file format can lead to several types of vulnerabilities. We will then turn one of these bugs with an interesting bit-flipping primitive into a full exploit that executes arbitrary code on a vulnerable Ollama instance.
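To make the attack surface the abstract refers to concrete, here is an added example (not code from the talk, from Ollama, or from llama.cpp) of a bounds-checked reader for the part of a GGUF file a loader must parse before it can trust anything: the header, the metadata key/value section and the tensor-info table. The layout follows the public GGUF specification (magic, version, tensor count, KV count, then KV pairs and tensor infos, all little-endian). Everything else is an assumption of this example: the 64 KiB string cap and the 2^20 element/count cap are arbitrary sanity limits, GGML_MAX_DIMS = 4 mirrors the fixed dimension limit a native parser typically uses, and the two sample blobs are constructed inline rather than taken from any real model. The point is that every length and count in the file is attacker-controlled, so a parser must check each one against what is actually in the buffer before allocating or reading.

```python
import struct

GGUF_MAGIC = b"GGUF"
GGML_MAX_DIMS = 4  # assumed fixed dimension limit, as in a native parser's dims array

# GGUF metadata value type id -> struct format for scalar types
SCALAR_FMT = {0: "<B", 1: "<b", 2: "<H", 3: "<h", 4: "<I", 5: "<i",
              6: "<f", 7: "<?", 10: "<Q", 11: "<q", 12: "<d"}
T_STRING, T_ARRAY = 8, 9


class GGUFError(ValueError):
    """Raised for any file-supplied length, count or type that cannot be honoured."""


class Reader:
    """Cursor over an in-memory GGUF blob; every read is checked against the remaining bytes."""

    def __init__(self, data, max_string=64 * 1024, max_count=1 << 20):
        self.data, self.pos = data, 0
        self.max_string, self.max_count = max_string, max_count  # assumed sanity caps

    def take(self, n):
        if n < 0 or n > len(self.data) - self.pos:
            raise GGUFError(f"need {n} bytes at offset {self.pos}, "
                            f"only {len(self.data) - self.pos} left")
        chunk = self.data[self.pos:self.pos + n]
        self.pos += n
        return chunk

    def scalar(self, fmt):
        return struct.unpack(fmt, self.take(struct.calcsize(fmt)))[0]

    def string(self):
        # gguf_string: uint64 length followed by the bytes; the length is untrusted
        n = self.scalar("<Q")
        if n > self.max_string:
            raise GGUFError(f"string length {n} exceeds cap {self.max_string}")
        return self.take(n).decode("utf-8")

    def count(self, what):
        n = self.scalar("<Q")
        if n > self.max_count:
            raise GGUFError(f"{what} {n} exceeds cap {self.max_count}")
        return n

    def value(self, vtype):
        if vtype in SCALAR_FMT:
            return self.scalar(SCALAR_FMT[vtype])
        if vtype == T_STRING:
            return self.string()
        if vtype == T_ARRAY:
            etype = self.scalar("<I")
            if etype == T_ARRAY:
                raise GGUFError("nested arrays are not allowed")
            n = self.count("array length")
            return [self.value(etype) for _ in range(n)]
        raise GGUFError(f"unknown value type {vtype}")


def parse_gguf(data, **caps):
    """Parse header, metadata and tensor infos; tensor data itself is not read."""
    r = Reader(data, **caps)
    if r.take(4) != GGUF_MAGIC:
        raise GGUFError("bad magic")
    version = r.scalar("<I")
    if version not in (2, 3):
        raise GGUFError(f"unsupported version {version}")
    n_tensors = r.count("tensor count")
    n_kv = r.count("metadata kv count")
    metadata = {}
    for _ in range(n_kv):
        key = r.string()
        metadata[key] = r.value(r.scalar("<I"))
    tensors = []
    for _ in range(n_tensors):
        name = r.string()
        n_dims = r.scalar("<I")
        if n_dims > GGML_MAX_DIMS:  # a fixed-size dims array would overflow here
            raise GGUFError(f"tensor {name!r} has {n_dims} dims, max {GGML_MAX_DIMS}")
        dims = [r.scalar("<Q") for _ in range(n_dims)]
        ttype = r.scalar("<I")
        offset = r.scalar("<Q")
        tensors.append({"name": name, "dims": dims, "type": ttype, "offset": offset})
    return {"version": version, "metadata": metadata, "tensors": tensors}


def probe(data, **caps):
    """Return 'ok' or the rejection reason, so callers can treat parsing as a validation step."""
    try:
        parse_gguf(data, **caps)
        return "ok"
    except GGUFError as e:
        return f"rejected: {e}"


def _s(text):
    b = text.encode()
    return struct.pack("<Q", len(b)) + b


def build_sample():
    """Constructed minimal GGUF v3 blob: two metadata entries and one tensor info."""
    hdr = GGUF_MAGIC + struct.pack("<IQQ", 3, 1, 2)
    kv = (_s("general.architecture") + struct.pack("<I", T_STRING) + _s("llama")
          + _s("tokenizer.ggml.tokens") + struct.pack("<I", T_ARRAY)
          + struct.pack("<IQ", T_STRING, 2) + _s("<s>") + _s("</s>"))
    tensor = (_s("token_embd.weight") + struct.pack("<I", 2)
              + struct.pack("<QQ", 4096, 32000) + struct.pack("<IQ", 0, 0))
    return hdr + kv + tensor


def build_malicious():
    """Constructed blob whose first metadata key claims 2^62 bytes that are not present."""
    hdr = GGUF_MAGIC + struct.pack("<IQQ", 3, 0, 1)
    return hdr + struct.pack("<Q", 1 << 62) + b"x"


if __name__ == "__main__":
    print(parse_gguf(build_sample()))
    print(probe(build_malicious()))
```

The caps are deliberately separate from the "is it in the buffer" check: a length that fits the file can still be large enough to drive an oversized allocation, and a length that passes a cap can still run past the end of the data, so a loader wants both checks on every field before the value is used for anything.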
Paul Gerste (@pspaul95, @pspaul@infosec.exchange, @pspaul95.bsky.social) is a vulnerability researcher at Sonar. He has a proven talent for finding security issues, demonstrated by his two successful Pwn2Own participations and discoveries in popular applications like Proton Mail, Visual Studio Code, and Grafana. When Paul is not at work, he enjoys playing CTFs with team FluxFingers and organizing Hack.lu CTF.