Loom is a web service and a desktop application for uploading and sharing screen recording videos.
Loom Desktop for Mac versions 0.15.1 and 0.16.0 (and possibly earlier) are vulnerable to unauthenticated remote code execution while the user is recording a video.
If you use Loom Desktop, please update to at least version 0.17.3. See Loom's blog post.
Separately, Loom can be crashed by sending a WebSocket message containing malformed JSON. This happens regardless of whether the user is recording a video at the time.
Issue 1: Client authentication
The app components communicate by sending JSON-formatted messages to each other over a local WebSocket connection. By appearances, the WebSocket client component authenticates to the server with a randomised secret before sending other messages, but this is not enforced on the server side. The server will accept an hls-part-written message from a new, unauthenticated connection, provided the user is recording video at the time. At other times the message is ignored.
Issue 2: Shell injection
The hls-part-written message includes a payload containing a file path. This path is interpolated into a shell command that the app runs. The input is treated as trusted, so shell metacharacters in the path allow arbitrary commands to be injected, subject to minor transformation/filtering.
Issue 3: Listening on all interfaces
The Loom WebSocket server binds to all interfaces rather than to the loopback address, so it accepts connections from any host that can reach the machine. This permits exploitation from malicious hosts on the same LAN, not only from processes on the user's own machine.
Issue 4: Fragile parsing
Messages received by the WebSocket server are assumed to be valid JSON. If a message is not valid JSON, the parse error is unhandled and the app terminates.
- 9 July 2019 – Emailed report & PoC to a contact at Loom, and separately to the Loom support address.
- 11 July 2019 – Followed up via Twitter DM to @useloom to confirm the report was received.
- 12 July 2019 – Received messages confirming the issue and that a fix is in progress.
- 12 July 2019 – Loom updated from 0.15.1 to 0.16.0, which remains vulnerable.
- 26 July 2019 – Loom updated to 0.17.2. This version fixes the RCE and does not crash on malformed input.
- 26 July 2019 – Confirmed the fix with Loom and coordinated disclosure.
- 30 July 2019 – Assigned CVE-2019-14432.
- 30 July 2019 – Loom updated to 0.17.3. This version binds to 127.0.0.1 only.
- 6 August 2019 – Loom published a blog post.
- 7 August 2019 – This disclosure was published.
Loom offered, and I accepted, compensation for reporting this vulnerability.