CVE-2019-14432: Loom Desktop 0.16.0 RCE Vulnerability

Loom is a web service and a desktop application for uploading and sharing screen recording videos.

Loom Desktop for Mac versions 0.15.1 and 0.16.0 (and possibly earlier) are vulnerable to unauthenticated remote code execution while the user is recording a video.

If you use Loom Desktop, please update to at least version 0.17.3. See Loom's blog post.

The Loom app contains separate components which communicate via an HTTP/WebSocket server on an ephemeral port. An attacker can connect and craft a message that will cause Loom to execute a chosen shell command. Attacks can originate from malicious JavaScript in websites that the user is visiting or from hosts on LAN. Exploitability has been confirmed using both methods.

Separately, Loom can be crashed by sending a WebSocket message containing malformed JSON. This happens regardless of whether the user is recording a video at the time.

Technical Details

Issue 1: Client authentication

The app components communicate by sending JSON-formatted messages to each other. The WebSocket client component appears to authenticate to the server with a randomised secret before sending other messages, but this is not adequately enforced: the server will accept an hls-part-written message from a new, unauthenticated connection, provided the user is recording video at the time. At other times the message is ignored.

Issue 2: Shell injection

The hls-part-written message includes a payload containing a file path. This path is used as an argument in a shell command. The input is assumed to be trusted and malicious commands can be injected, subject to minor transformation/filtering.

Issue 3: Listening on all interfaces

The Loom WebSocket server binds to and accepts connections from all interfaces. This permits exploitation from malicious hosts on the same LAN.

Issue 4: Fragile parsing

Messages received by the WebSocket server are assumed to be valid JSON. If they are not, the app terminates.

Timeline (AEST)

  • 9 July 2019 – Emailed report & PoC to a contact at Loom, and separately to the Loom support address.
  • 11 July 2019 – Followed up via Twitter DM to @useloom to confirm report received.
  • 12 July 2019 – Received messages confirming the issue and that a fix is in progress.
  • 12 July 2019 – Loom updated from 0.15.1 to 0.16.0, which remains vulnerable.
  • 26 July 2019 – Loom updated to 0.17.2. This version fixes the RCE and does not crash on malformed input.
  • 26 July 2019 – Confirmed the fix with Loom and coordinated disclosure.
  • 30 July 2019 – Assigned CVE-2019-14432.
  • 30 July 2019 – Loom updated to 0.17.3. This version binds to 127.0.0.1 only.
  • 6 August 2019 – Loom published a blog post.
  • 7 August 2019 – This disclosure was published.

Loom offered, and I accepted, compensation for reporting this vulnerability.