
Issue 606813 link

Starred by 3 users

Issue metadata

Status: WontFix
Owner:
Closed: Apr 2016
Cc:
Components:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 2
Type: Bug-Security




Security: Bypass dev mode and force re-enrollment restrictions

Reported by thomas.p...@nbexcellence.org, Apr 26 2016

Issue description

VULNERABILITY DETAILS
Following these simple directions allows users to bypass the "Never allow use of built-in developer tools" (Dev Mode) and "Force device to re-enroll into this domain after wiping" forced Google Admin settings.

VERSION
Chrome Version: 49.0.2623.112 (64-bit) Stable
Operating System: ChromeOS 
Platform: 7834.70.0 (Official Build) stable-channel candy
Firmware: Google_Candy.5216.310.1
Chromebook Model: Dell Chromebook 11

REPRODUCTION CASE
Take off the back cover.
Disconnect the battery cable.
Hit the power button to remove any remaining power.
Connect AC power while the back cover is off and the battery is disconnected.
Attempt to boot into Dev mode.
If you get a message that Dev mode is blocked (The device owner has disabled Developer Mode for this device) - quickly unplug the power cord, turn the device back on, and try Dev mode again.
Once in Dev mode, plug the battery in and put the back plate back on. Enterprise enrollment is no longer forced and the user now has unrestricted access to the device.

FOR CRASHES, PLEASE INCLUDE THE FOLLOWING ADDITIONAL INFORMATION
N/A

Comment 1 by rsesek@chromium.org, Apr 26 2016

Components: OS>Firmware>EC
Labels: Security_Severity-Low Security_Impact-Stable OS-Chrome Pri-2
Owner: rspangler@chromium.org
Status: Assigned (was: Unconfirmed)
rspangler: Can you take a look at this? Thanks!
This happens because the block_devmode flag is stored in NVRAM in R49.  Removing the battery clears the flag, allowing a temporary window where devmode can be enabled.

This is fixed by chrome-os-partner:50142.  That backs up the flag in SPI flash, so it persists even when the battery is removed.  It's already merged into R50.
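
As an added example (not code from this bug, from vboot, or from Chrome OS firmware), the following C model shows the failure mode described in the comment above and the shape of the fix: in the R49 design the block_devmode flag lives only in battery-backed NVRAM, so an NVRAM block found invalid after the battery is pulled is replaced by defaults, in which the flag is clear and the lock fails open; in the R50 design a copy of the block is kept in SPI flash and restored before the flag is consulted. The 16-byte layout, the 0x40 signature byte, the CRC-8, the all-zero model of a drained NVRAM and every function name are assumptions made for this example; it does not reproduce the real vboot nvdata format.

```c
/* Toy model of the R49 (NVRAM only) and R50 (NVRAM + SPI backup) designs.
 * Added example; layout, signature, CRC and names are all assumptions,
 * not the real Chrome OS firmware format. */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NV_SIZE               16
#define NV_HDR                0             /* header byte carrying a signature (assumed) */
#define NV_FLAGS              1             /* flag byte; bit 0 is block_devmode (assumed) */
#define NV_CRC                (NV_SIZE - 1) /* CRC-8 over the preceding bytes */
#define NV_HDR_SIGNATURE      0x40
#define NV_FLAG_BLOCK_DEVMODE 0x01

struct nvram      { uint8_t d[NV_SIZE]; };               /* battery-backed: lost when the battery is pulled */
struct spi_backup { uint8_t d[NV_SIZE]; bool written; }; /* region in SPI flash: survives power loss */

/* CRC-8, polynomial 0x07, init 0, over the first n bytes. */
static uint8_t crc8(const uint8_t *p, size_t n)
{
    uint8_t crc = 0;
    for (size_t i = 0; i < n; i++) {
        crc ^= p[i];
        for (int b = 0; b < 8; b++)
            crc = (crc & 0x80) ? (uint8_t)((crc << 1) ^ 0x07) : (uint8_t)(crc << 1);
    }
    return crc;
}

static void nv_seal(struct nvram *nv) { nv->d[NV_CRC] = crc8(nv->d, NV_CRC); }

static bool nv_valid(const struct nvram *nv)
{ return nv->d[NV_HDR] == NV_HDR_SIGNATURE && nv->d[NV_CRC] == crc8(nv->d, NV_CRC); }

/* Defaults have every flag clear, so "reset to defaults" drops block_devmode: the lock fails open. */
static void nv_reset_defaults(struct nvram *nv)
{
    memset(nv->d, 0, NV_SIZE);
    nv->d[NV_HDR] = NV_HDR_SIGNATURE;
    nv_seal(nv);
}

static void nv_set_block_devmode(struct nvram *nv, bool blocked)
{
    if (blocked) nv->d[NV_FLAGS] |= NV_FLAG_BLOCK_DEVMODE;
    else         nv->d[NV_FLAGS] &= (uint8_t)~NV_FLAG_BLOCK_DEVMODE;
    nv_seal(nv);
}

/* Battery disconnected and power button pressed: NVRAM modelled as reading all zeros. */
static void battery_removed(struct nvram *nv) { memset(nv->d, 0, NV_SIZE); }

/* R49: NVRAM is the only copy; an invalid block is silently replaced by defaults. */
static bool boot_devmode_blocked_r49(struct nvram *nv)
{
    if (!nv_valid(nv)) nv_reset_defaults(nv);
    return (nv->d[NV_FLAGS] & NV_FLAG_BLOCK_DEVMODE) != 0;
}

/* R50: every NVRAM write is mirrored to SPI flash ... */
static void nv_write_with_backup(struct nvram *nv, struct spi_backup *spi, bool blocked)
{
    nv_set_block_devmode(nv, blocked);
    memcpy(spi->d, nv->d, NV_SIZE);
    spi->written = true;
}

/* ... and an invalid NVRAM block is refilled from the mirror, itself validated, before the flag is read. */
static bool boot_devmode_blocked_r50(struct nvram *nv, const struct spi_backup *spi)
{
    if (!nv_valid(nv)) {
        struct nvram restored;
        memcpy(restored.d, spi->d, NV_SIZE);
        if (spi->written && nv_valid(&restored)) *nv = restored; /* only the volatile copy was erased */
        else nv_reset_defaults(nv);                            /* no trustworthy copy: fail open as in R49 */
    }
    return (nv->d[NV_FLAGS] & NV_FLAG_BLOCK_DEVMODE) != 0;
}

/* The report's sequence: admin enforces block_devmode, battery is pulled, device boots on AC.
 * Each returns whether the block is still enforced at that boot. */
bool block_survives_battery_pull_r49(void)
{
    struct nvram nv;
    nv_reset_defaults(&nv);
    nv_set_block_devmode(&nv, true);
    battery_removed(&nv);
    return boot_devmode_blocked_r49(&nv);
}

bool block_survives_battery_pull_r50(void)
{
    struct nvram nv;
    struct spi_backup spi = { {0}, false };
    nv_reset_defaults(&nv);
    nv_write_with_backup(&nv, &spi, true);
    battery_removed(&nv);
    return boot_devmode_blocked_r50(&nv, &spi);
}

int main(void)
{
    printf("R49 (NVRAM only): block_devmode after battery pull = %d\n", block_survives_battery_pull_r49());
    printf("R50 (SPI backup): block_devmode after battery pull = %d\n", block_survives_battery_pull_r50());
    return 0;
}
```

The design point is where the trust anchor sits: a deny flag kept only in storage that a user can drain by unplugging a cable will read as its default, and a default of "not blocked" turns an integrity failure into an unlock. Keeping the mirror in SPI flash and validating the restored copy before use means a battery pull no longer changes the decision; an attacker able to rewrite the flash itself is outside what this model covers.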

Comment 3 by rsesek@chromium.org, Apr 27 2016

Status: WontFix (was: Assigned)
Thanks! I'm going to WontFix this then (but keep it view restricted).

Comment 4 by rsesek@chromium.org, Apr 27 2016

(And bug link for the partner issue: https://code.google.com/p/chrome-os-partner/issues/detail?id=50142)
Thanks for the update.

Comment 6 by sheriffbot@chromium.org, Aug 4 2016

Labels: -Restrict-View-SecurityTeam
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 7 by sheriffbot@chromium.org, Oct 1 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot

Comment 8 by sheriffbot@chromium.org, Oct 2 2016

This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
Labels: allpublic
