A new exploit developed by security researchers from the Mercury Workshop Team allows a user to unenroll an enterprise-managed Chromebook. When one of these devices is enrolled with an enterprise, it is governed by policies set by the enterprise's administrators, who can push updates and restrict how the device is used. Ordinarily a user cannot unenroll such a device without administrator assistance. The new exploit, named "Shady Hacking 1nstrument Makes Machine Enrollment Retreat" (Sh1mmer), removes that requirement.
The exploit builds on publicly leaked RMA (Return Merchandise Authorization) shims: bootable disk images, normally written to USB drives, that combine ChromeOS factory-bundle components with manufacturer tools used for repair and diagnostics. To use the exploit, a user downloads the RMA shim that matches their Chromebook's board, runs it through the researchers' online builder (which patches the Sh1mmer payload into the image), writes the modified image to a USB drive with the Chromebook Recovery Utility, and boots the Chromebook from that drive.
Beyond unenrolling the device, the exploit also exposes the following functions:
- Device re-enrollment
- USB boot enablement
- Google Binary Block (GBB) flag wiping
- rootfs verification disablement
- block_devmode disablement
- Bash terminal
Google has stated that they are aware of the exploit and are working to address it.
Because Sh1mmer requires physical access and a bootable USB drive, it is unlikely to become part of a remote attacker's toolkit. An attacker could, however, socially engineer a user into running it on their own device. From an organizational standpoint the larger risk is users unenrolling their own devices to escape security restrictions, which leaves those devices open to further compromise. The most reliable way to catch this in an environment is to watch for managed Chromebooks that unexpectedly stop checking in with the admin console and then investigate those devices. As secondary signals, monitor for network connections to the Sh1mmer site and for installation or launch of the Chromebook Recovery Utility on managed endpoints.
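The two detection ideas above (silent managed devices and watchlist hits in network logs) as a runnable example. This is added here and is not code from the original article or from the Sh1mmer project. The device records are constructed sample data whose field names mirror the Google Admin SDK Directory API `chromeosdevices` resource (`deviceId`, `status`, `lastSync`); the log line format and the indicator watchlist are assumptions to be replaced with your own log schema and threat intel.

```python
"""Flag managed ChromeOS devices that silently stopped syncing, and
watchlist hits in proxy/DNS logs.

Added example, not from the original article or the Sh1mmer project.
Device fields mirror the Admin SDK Directory API `chromeosdevices`
resource, but every record and log line below is constructed."""
from datetime import datetime, timedelta, timezone

# Assumed indicator watchlist: populate from your own threat intel.
WATCHLIST = ("sh1mmer.me",)


def parse_ts(s):
    """Parse an RFC 3339 timestamp such as '2023-01-20T09:30:00.000Z'."""
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def find_stale_devices(devices, now, max_idle=timedelta(days=3)):
    """Return IDs of devices the console still lists as ACTIVE whose last
    check-in is older than max_idle.

    A device unenrolled with Sh1mmer stops reporting, but the console keeps
    it ACTIVE until an admin changes it, so 'ACTIVE but silent' is the
    signal worth triaging. Deprovisioned/disabled devices are expected to be
    silent and are skipped."""
    stale = []
    for d in devices:
        if d.get("status") != "ACTIVE":
            continue
        last = d.get("lastSync")
        if last is None or now - parse_ts(last) > max_idle:
            stale.append(d["deviceId"])
    return stale


def find_ioc_hits(log_lines, watchlist=WATCHLIST):
    """Scan constructed 'timestamp client destination' lines for watchlist
    domains, matching the domain itself and any subdomain.
    Returns (client, host) pairs in log order."""
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) < 3:
            continue  # malformed line; skip rather than crash the sweep
        _ts, client, dest = parts[:3]
        host = dest.lower().split("/")[0]  # drop any path component
        for ioc in watchlist:
            if host == ioc or host.endswith("." + ioc):
                hits.append((client, host))
                break
    return hits


# Constructed sample data (not real devices or traffic).
NOW = datetime(2023, 1, 20, 12, 0, tzinfo=timezone.utc)
DEVICES = [
    {"deviceId": "dev-1", "status": "ACTIVE",
     "lastSync": "2023-01-20T09:30:00.000Z", "annotatedUser": "alice@example.edu"},
    {"deviceId": "dev-2", "status": "ACTIVE",
     "lastSync": "2023-01-12T16:45:00.000Z", "annotatedUser": "bob@example.edu"},
    {"deviceId": "dev-3", "status": "DEPROVISIONED",
     "lastSync": "2022-11-01T08:00:00.000Z", "annotatedUser": ""},
]
LOG_LINES = [
    "2023-01-19T21:14:03Z 10.20.3.44 www.google.com",
    "2023-01-19T21:15:10Z 10.20.3.44 sh1mmer.me",
    "2023-01-19T21:16:00Z 10.20.3.51 mirror.example.net",
]

if __name__ == "__main__":
    print("ACTIVE but silent >3d:", find_stale_devices(DEVICES, NOW))
    print("watchlist hits:", find_ioc_hits(LOG_LINES))
```

Treat both outputs as triage queues, not alerts: a device that is powered off over a holiday also stops syncing, so correlate the stale list with the user's expected activity before assuming unenrollment, and a watchlist hit tells you which client to pull device and user context for, not that an unenrollment succeeded.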