Google ChromeOS MiniOS Privilege Escalation Vulnerability Allowing Root Code Execution

A privilege escalation vulnerability has been identified in MiniOS on enrolled devices running Google ChromeOS versions 16063.45.2 and potentially others. This vulnerability allows a local attacker to gain root access and execute code by exploiting a debug shell available through specific key combinations. The issue arises even when developer mode is blocked by device policy or Firmware Write Protect, as the debug shell can be activated during the recovery process.

Impact

Exploitation of this vulnerability leads to unauthorized root access and code execution within the MiniOS environment, which could potentially be used to manipulate the device's state or enrolled status.

Reproduction

To reproduce this vulnerability, enter developer mode on a managed Chromebook by pressing Esc, Refresh, and Power, followed by Ctrl+D. After reaching the developer mode block screen, press Esc, Refresh, and Power again, and select 'Recovery with Internet Connection' to enter MiniOS. Once MiniOS has loaded, press Ctrl+Alt+F3 to access a root shell where code can be executed.

Remediation

Google has released a patch for this vulnerability, which is included in the ChromeOS version 132 update. Instructions for updating to this version can be found on the official ChromeOS support page.