
Issue 795941

Issue metadata

Status: WontFix
Owner:
Closed: Dec 2017
Cc:
EstimatedDays: ----
NextAction: ----
OS: Chrome
Pri: 1
Type: Bug-Security




Security: Root can be accessed through oobe/lock without developer mode

Reported by jeremyeb...@gmail.com, Dec 18 2017

Issue description

VULNERABILITY DETAILS
Root files and root itself can be accessed through windows opened from chrome://inspect by clicking Inspect on chrome://oobe/lock.

VERSION
ChromeOS 64.0.3282.24, dev channel.

REPRODUCTION CASE
1) Go to settings and turn screen lock ON (IT MUST BE ON)
2) Navigate to chrome://inspect/#other
3) If chrome://oobe/lock shows up, press the inspect button below it. If it doesn't show up, restart the computer and/or wait.
4) When the inspect tab is up, it should have the incognito icon in the top left corner.
5) Navigate to "Application" on the top bar.
6) Click "read more about the manifest"
7) This should open in an incognito window.
8) Press Ctrl+N to open a normal new window. This window will have no policy, extensions, etc.
9) If you sideload something like crosh, you can gain full root access to the system without developer mode.


A COUPLE THINGS TO NOTE:
1) I will update these comments as I try more things. I have gained full root access once and will try again later.
2) This all occurs on a Chromebook that is enterprise restricted and cannot open incognito mode or developer mode.
3) Issue 795822 is linked to this one. That issue is about the glitch of a password input not being recognized or authenticated if chrome://oobe/lock shows in chrome://inspect#other.

Comment 1 by cthomp@chromium.org, Dec 19 2017

Cc: mnissler@chromium.org
Labels: Security_Impact-Stable OS-Chrome
Status: Untriaged (was: Unconfirmed)
[Marking this as OS=Chrome to get it into the ChromeOS Security sheriff queue and CCing the CrOS sheriff.]

I reproduced this through step 8 on Chrome 61.0.3163.113 on an enterprise enrolled Chromebook.

Comment 2 by cthomp@chromium.org, Dec 19 2017

Reporter: Is this the same issue as crbug.com/795477 ?

+cthomp@chromium.org No. That one is focused on the incognito window (which is a step in this bug) and was apparently a duplicate; this one is about gaining unauthorized root access via the same exploit, but in a different way.

Comment 4 by cthomp@chromium.org, Dec 19 2017

Issue 796184 has been merged into this issue.

cthomp@chromium.org do you need anything (logs, screenshots, etc.)?

Comment 6 by tsepez@chromium.org, Dec 19 2017

Labels: Security_Severity-Critical
Owner: jorgelo@chromium.org
Status: Assigned (was: Untriaged)
Jorge, want to take a shot or re-assign as appropriate? Am I correct in setting sev-critical? Thanks.

jeremyebaum: What do you mean by "9) If you sideload something like crosh"? Specifically, what do you mean by "sideloading"?

Cc: jorgelo@chromium.org
Labels: Pri-1
Owner: xzhou@chromium.org
I'm going to tentatively assign this to Xiaoyong, the current sheriff, and add myself to CC.

@jorgelo@chromium.org On a Chromebook, crosh is loaded as an extension. However, in one of these windows, crosh does not work, as extensions don't work. The Chrome Web Store also does not recognize this window as being a Chrome window. However, if you download a .crx for crosh manually and apply it to this window, this crosh window has root privilege, as this window has no policy, restrictions, etc.

Thanks! Two more questions:

- By "applying to this window", do you mean going to chrome:extensions and installing from there?
- When you say "root privilege", do you mean that if you open crosh you have root access to the underlying system, or something else?

jorgelo@chromium.org 1) Yes, I don't think there is another way. 2) Yes, I can edit files in the root directory, and I could hypothetically install crouton or something like that, I believe.

Comment 12 by xzhou@chromium.org, Dec 19 2017

I can reproduce this up to step 8. Step 9 does not work, probably because of corp restrictions that disable sideloading apps. I tried a couple of other methods to install the crosh crx file and got rejected with the error message: "this can only be added from Chrome Web Store".

jeremyebaum, could you share more details on how you installed crosh from chrome://extensions? If you have screenshots, that would be great.

I appreciate your help.

Comment 13 by xzhou@chromium.org, Dec 20 2017

Labels: -Security_Severity-Critical Security_Severity-High
Changing severity to High, because it requires user interaction.

jeremyebaum, I also have some questions about root access: do you mean you can access the files in the /root directory? Can you also share some screenshots of this as well?

Thanks.


So I can’t actually reproduce it without a flash drive with a crosh extension file. I can’t do that right now as I’m out and about, but I can try later if you’d like.
And yes, you can access the root directory using cd and ls. At least when I originally did it, that’s what worked. However, I don’t know if I can reproduce it again, as the policy Chromebook I have has extensions blocked in general now. If you could link me the .crx file, that’d be super helpful. Thanks.

Alright, so I tried again... It won't let me sideload the extension. If the extension is sideloaded, I can guarantee that root would work.
The reason I can't sideload it is because the file browser won't open to select the extension.

I'm bummed - this originally worked and now doesn't. I was hoping I'd be able to help more...
When I produced the bug originally, I could open a crosh tab and then open shell (no sideloading needed). The second time, I needed to sideload. Today, it doesn't work, I assume from new policy restrictions.

Comment 17 by sheriffbot@chromium.org, Dec 20 2017

Labels: M-63

Comment 18 by xzhou@chromium.org, Dec 20 2017

Hi jeremyebaum, thanks a lot for the quick replies.

The /root directory is readable and executable by default. However, it is only writable by root. Next time, if you successfully run crosh, could you please try to write to that folder, for example, create a new file and write something to it.

On Chrome OS, we never run any extensions as root. I will be very surprised if crosh runs as root.

Thanks again.

I was able to access the root files and read them. However, I’ll try again when I get a little bit of time. Thanks.

Comment 20 by xzhou@chromium.org, Dec 22 2017

Labels: -Security_Severity-High Security_Severity-Medium
Changing to Medium because of the lack of evidence showing that root privilege is compromised.

I think it may have been patched. I can’t achieve root access anymore. This specific way most likely isn’t possible anymore, although I don’t doubt that there are other ways.
Thanks for your time guys.

Comment 22 by xzhou@chromium.org, Dec 24 2017

Status: WontFix (was: Assigned)
jeremyebaum@, thanks a lot for your time reporting this issue and your help debugging it.

Closing the bug for now because we are unable to reproduce it.

Comment 23 by sheriffbot@chromium.org, Apr 2 2018

Labels: -Restrict-View-SecurityTeam allpublic
This bug has been closed for more than 14 weeks. Removing security view restrictions.

For more details visit https://www.chromium.org/issue-tracking/autotriage - Your friendly Sheriffbot
