New Sh1mmer Exploit Allows Root Level Access for ChromeOS

Enterprise- or school-managed Chromebooks are enrolled through policies established by the organization's administrators. Enrollment lets admins install browser extensions and applications, as well as restrict privileged access to devices. It also means that enrolled devices cannot be unenrolled without the administrators' permission.

However, researchers from the Mercury Workshop Team have developed a new exploit, called Sh1mmer, that lets users unenroll their Chromebooks from enterprise management.

Diving into details

According to the researchers, Sh1mmer (Shady Hacking 1nstrument Makes Machine Enrollment Retreat) allows users to bypass administrator restrictions and manage the devices on their own.
  • The exploit uses publicly leaked Return Merchandise Authorization (RMA) shims to modify how device enrollment is managed.
  • These RMA shims are disk images stored on USB devices that contain a combination of the ChromeOS factory bundle components used to reinstall the operating system and tools for performing repair and diagnostics.

What does this mean for attackers?

By leveraging the Sh1mmer exploit, attackers can unenroll devices by wiping the compliance policies. They can further enable USB boot, open a bash shell, and even gain root-level access to the ChromeOS operating system.

Conclusion

Google acknowledged that it is aware of the exploit affecting a number of ChromeOS device RMA shims. The tech giant added that it is working with hardware partners to address it. Meanwhile, a member of the k12sysadmin Reddit group has suggested a workaround to check whether the exploit has been used against devices.
Cyware Publisher