Loom is a web service and a desktop application for uploading and sharing screen recording videos.
Loom Desktop for Mac versions 0.15.1 and 0.16.0 (and possibly earlier) are vulnerable to unauthenticated remote code execution while the user is recording a video.
If you use Loom Desktop, please update to at least version 0.17.3. See Loom's blog post.
The Loom app contains separate components which communicate via an HTTP/WebSocket server on an ephemeral port. An attacker can connect and craft a message that will cause Loom to execute a chosen shell command. Attacks can originate from malicious JavaScript in websites that the user is visiting or from hosts on LAN. Exploitability has been confirmed using both methods.
Separately, Loom can be crashed by sending a WebSocket message containing malformed JSON. This happens regardless of whether the user is recording a video at the time.
Technical Details
Issue 1: Client authentication
The app components communicate by sending JSON-formatted messages to each other. By appearances, the WebSocket client component authenticates to the server with a randomised secret before sending other messages. This is not adequately enforced. The server will accept an `hls-part-written` message from a new unauthenticated connection, provided the user is recording video at the time. At other times it is ignored.
Issue 2: Shell injection
The `hls-part-written` message includes a payload containing a file path. This path is used as an argument in a shell command. The input is assumed to be trusted and malicious commands can be injected, subject to minor transformation/filtering.
The Loom WebSocket server binds to and accepts connections from all interfaces. This permits exploitation from malicious hosts on the same LAN.
Issue 4: Fragile parsing
Messages received by the WebSocket server are assumed to be valid JSON. If they are not, the app terminates.
Timeline (AEST)
- 9 July 2019 – Emailed report & PoC to a contact at Loom, and separately to the Loom support address.
- 11 July 2019 – Followed up via Twitter DM to @useloom to confirm report received.
- 12 July 2019 – Received messages confirming the issue and that a fix is in progress.
- 12 July 2019 – Loom updated from 0.15.1 to 0.16.0, which remains vulnerable.
- 26 July 2019 – Loom updated to 0.17.2. This version fixes the RCE and does not crash on malformed input.
- 26 July 2019 – Confirmed the fix with Loom and coordinated disclosure.
- 30 July 2019 – Assigned CVE-2019-14432.
- 30 July 2019 – Loom updated to 0.17.3. This version binds to 127.0.0.1 only.
- 6 August 2019 – Loom published a blog post.
- 7 August 2019 – This disclosure was published.
Loom offered, and I accepted, a compensation for reporting this vulnerability.