I would like to preface this with the fact that I did not create SKIOVOX; however, I am developing a proof-of-concept Chrome extension to show how it could be abused on ChromeOS and in other standardized testing environments.
SKIOVOX gives you an unblocked browser (which this writeup describes as running as root) inside any kiosk app, in that app's own separate profile. Each kiosk app gets its own profile directory on the same drive; it is a separate per-user profile, not a separate disk partition. Besides being usable for playing games, it also gives internet access during any kiosk-based standardized test, which for us would be both the AP Exam and the MCAS.
Extra details (not a necessary read):
This exploit is extremely powerful for many reasons, but let's start with a little bit about ChromeOS and why this works. ChromeOS is itself based on Linux. That is something you always need to remember: no matter how neatly the package is wrapped, how much write protection is added, and how much monitoring software looks through your webcam, it is still built on Linux.
Just like the home directory in Linux holds the users, the ChromeOS equivalent is /home/chronos. Every user inside of chronos gets a directory named u-<hash>, where the hash is derived from the account name (not a true UUID), and if you actually look at the file structure (i.e. go to a file:// URL) you can see what the basic layout looks like. Every single user can only read and write inside its own u-<hash> directory (the vmc command in crosh being the exception covered later). Kiosk apps are not special in this respect: the kiosk account is a user of its own with its own u-<hash> directory under /home/chronos (ChromeOS paths use /, not \), which is exactly the path that shows up later in this writeup when a file is saved from inside the kiosk session, and it is why each kiosk app has its own extensions, history and settings. The working theory in this writeup is that when ChromeOS asks chronos which user is logged in, the kiosk account cannot be resolved to a normal user, so the session reports nothing: no user, with no password. Which breaks a lot of things.
The screenshot shows the account as @kiosk-app.localhost.app. As you can see, it has added a local account (kind of), and it says it is "connected to Drive", though it only thinks that works. Without further testing it is hard to make a clear-cut decision on how it works and why it works that way.
Going to chrome://os-settings gives you a taste of how many things this broke: you can see no account, no profile picture, etc. Because it retrieves no user information, it also retrieves no password, leaving that value blank. You are unable to change any settings that are password protected, because the chrome://os-settings frontend requires something in the password box.
Everything in settings that would normally be controlled by enrollment is still there. Enrollment state on ChromeOS devices is held in the device's TPM-backed firmware storage rather than in the OS image, so a powerwash does not remove it and the device re-enrolls; getting rid of it would require physical modification of the board. For all intents and purposes of this writeup, assume that you cannot make any physical modifications to the Chromebook. The Chromebook therefore stays enrolled and, as a byproduct, inherits all device-wide policies of the OU it sits in, while user-level policies do not reach the kiosk session.
A simple way to make all of SKIOVOX useless is to add every website (except the kiosk app URLs) to a device-wide policy blocklist. This applies to every enrolled Chromebook regardless of user, so it includes the kiosk user. You can then add things to an allowlist on a per-account or per-email-address basis.
If this option is not taken, then all user-level policies are bypassed, including force-installed extensions. The next logical step for a student would be to use any proxy service that is not blocked at the network level, so probably Ultraviolet (UV) or Dynamic.
Put every email address that is assigned to a Chromebook inside one OU. For that OU, over time (or right away if you already have a DB in place), add URLs to the blocklist to slowly re-add page blocking. In particular, block the request paths used by stock proxy deployments: uv/service, service/uv and service/route.
This blocks most forks and copy-pastes of the common open-source proxy solutions Ultraviolet and Dynamic. While it is easy to change the route to anything else, most people don't bother touching the config file. Make sure to also block the major proxy services that run their own proprietary software, such as Croxy, 12ft.io, proxy.io, etc.
Add chrome://* and chrome-untrusted://* URLs to your blocklist. In the case of the former, make sure that all critical system URLs are allowlisted, such as chrome://settings, chrome://file-manager, etc.
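The following Python is an added example, not code from this writeup or from Google: it models Chrome's documented URLBlocklist/URLAllowlist precedence rule (the most specific matching filter decides, and an allowlist entry beats an equally specific blocklist entry) for the device-level lockdown above, and it also shows the per-user OU side, harvesting hosts from constructed web-filter log lines that carry the uv/service, service/uv or service/route markers and appending them to that OU's blocklist. Only scheme, host (including the leading-dot exact-host rule) and path prefix are modelled; ports and @query filters are not. The hosts, log format and policy dictionaries are placeholders I made up, not any district's real configuration.

```python
"""Model of Chrome URL filter precedence plus proxy-route log triage (added example)."""
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import urlsplit

# Path fragments used by stock Ultraviolet/Dynamic deployments, as listed above.
PROXY_ROUTE_MARKERS = ("/uv/service", "/service/uv", "/service/route")


@dataclass(frozen=True)
class Filter:
    pattern: str
    allow: bool
    scheme: str | None        # None: any scheme
    host: str | None          # None: any host (the "*" filter)
    match_subdomains: bool    # False when the pattern started with "."
    path: str                 # prefix match; "" means any path


def parse_filter(pattern: str, allow: bool) -> Filter:
    """Parse the documented Chrome form [scheme://][.]host[/path]; "*" matches all."""
    scheme = None
    rest = pattern
    if "://" in rest:
        scheme, rest = rest.split("://", 1)
    match_subdomains = not rest.startswith(".")
    host, sep, tail = rest.lstrip(".").partition("/")
    host = host.lower()
    return Filter(pattern, allow, scheme.lower() if scheme else None,
                  None if host in ("", "*") else host, match_subdomains,
                  "/" + tail if sep else "")


def matches(f: Filter, url: str) -> bool:
    u = urlsplit(url)
    if f.scheme is not None and u.scheme.lower() != f.scheme:
        return False
    host = (u.hostname or "").lower()
    if f.host is not None and host != f.host and not (
            f.match_subdomains and host.endswith("." + f.host)):
        return False
    return (u.path or "/").startswith(f.path)


def specificity(f: Filter) -> tuple:
    """Ordering used to pick the winner: named host, exact host, longer host,
    longer path, explicit scheme; on a full tie the allowlist entry wins."""
    return (f.host is not None, not f.match_subdomains, len(f.host or ""),
            len(f.path), f.scheme is not None, f.allow)


def decide(url: str, policy: dict) -> tuple[bool, str | None]:
    """Return (blocked, winning pattern) for url under {URLBlocklist, URLAllowlist}."""
    filters = [parse_filter(p, False) for p in policy.get("URLBlocklist", [])]
    filters += [parse_filter(p, True) for p in policy.get("URLAllowlist", [])]
    hits = [f for f in filters if matches(f, url)]
    if not hits:
        return False, None
    best = max(hits, key=specificity)
    return not best.allow, best.pattern


# Device-level lockdown from the writeup: block everything, allow only the kiosk
# app host and the chrome:// pages the session still needs.  Hosts are placeholders.
DEVICE_POLICY = {
    "URLBlocklist": ["*", "chrome://*", "chrome-untrusted://*"],
    "URLAllowlist": ["kiosk-app.example", "chrome://settings", "chrome://file-manager"],
}

# Constructed web-filter log lines for the per-email OU that is not locked to "*".
SAMPLE_LOG = """\
2024-05-02T09:12:01Z user=s1@school.example url=https://notes.school.example/ action=allow
2024-05-02T09:12:07Z user=s2@school.example url=https://math-games.example/uv/service/hvtrs8 action=allow
2024-05-02T09:13:44Z user=s3@school.example url=https://cdn.static.example/service/route?x=1 action=allow
2024-05-02T09:14:02Z user=s2@school.example url=https://kiosk-app.example/exam action=allow
"""
LOG_RE = re.compile(r"url=(?P<url>\S+)")


def proxy_hosts_from_log(log_text: str) -> list[str]:
    """Hosts whose requests carry a stock proxy route path, deduplicated, in order seen."""
    found: list[str] = []
    for m in LOG_RE.finditer(log_text):
        u = urlsplit(m.group("url"))
        if u.hostname and any(marker in u.path for marker in PROXY_ROUTE_MARKERS):
            if u.hostname not in found:
                found.append(u.hostname)
    return found


def extend_blocklist(policy: dict, hosts: list[str]) -> dict:
    """Copy of policy with the harvested hosts appended to URLBlocklist (no duplicates)."""
    new = {k: list(v) for k, v in policy.items()}
    block = new.setdefault("URLBlocklist", [])
    for h in hosts:
        if h not in block:
            block.append(h)
    return new


if __name__ == "__main__":
    for url in ("https://kiosk-app.example/exam", "chrome://settings/", "chrome://os-settings/"):
        print(url, decide(url, DEVICE_POLICY))
    hosts = proxy_hosts_from_log(SAMPLE_LOG)
    user_policy = extend_blocklist({"URLBlocklist": [], "URLAllowlist": []}, hosts)
    print("new blocklist entries:", hosts)
    print(decide("https://math-games.example/uv/service/x", user_policy))
```

Chrome filter paths are prefix matches on a given host, which is why the example harvests hosts from the logs rather than pasting the bare route fragments into the blocklist; the same decide() call can then be run against the updated OU policy to confirm the proxy host is blocked before the change is pushed.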
Before you start, you must be properly connected to a WiFi network that has automatic connection enabled.
First, sign out or restart your Chromebook to get to the login screen. Then turn off your WiFi using the control panel in the bottom right (it can be opened with alt + shift + s; this is important later). Don't forget or disconnect from any networks, just turn WiFi off completely. This may not work if policy dictates a forced connection to a given network, so you may need to force a disconnect by other means.
If prompted to enter a password (which will happen on certain older models of Chromebooks), enter one. If having no internet breaks this, powerwash, then do not log in initially.
Click one of the apps in the "apps" section, then immediately press alt + shift + s. If you did it fast enough, the quick settings should appear. If they didn't, log out or restart your Chromebook. If done correctly, you have partially loaded elements of standard ChromeOS into a kiosk environment.
Wait until you get a "network unavailable" screen.
The quick settings should still be open. Click accessibility, then click the question mark; the toolbar will now close. If you couldn't do this step, try again with another app.
If you see a "back" button on the network error page, follow stage 2A; otherwise follow stage 2B. They have different steps!
You should have already typed in your password (step 1.2) by the time you're here. Remember that the steps in stage 2A are only for users who see a back button on the network error page.
Click "add other WiFi network". Don't type anything in. Instead, immediately do the following; these steps must be done within ~4 seconds after pressing the "add network" button.
You may see a screen saying "multiple sign-in is disabled." If you get this, simply press the escape key on your keyboard to close this menu (nice job, Google).
There may be an open window belonging to your school profile; this window will have your filter extensions installed. Close it if you like. There should be another one behind it.
You should now see a window with no managed extensions installed. This window is slightly bugged; to fix this, click the three dots in the upper right corner of Chrome and select "new window", and use that window instead.
Press the "diagnose" button. The diagnostics window will now open, although you shouldn't be able to see it.
Click "add other WiFi network" to turn your WiFi back on. Don't type anything in, just wait until the diagnostics page shows up.
This is known to be inconsistent; try a few times with a few apps, or try 2C.
Click WiFi, then click the settings hyperlink. Settings should now open: a settings window appears with a Chrome window behind it.
Policies still apply to settings, but setting the window behind it to floating will hide the settings window from view. I don't know why either, but I like to keep it open. While attempting other nested exploits, I've noticed that the settings window is not considered a window but a popup, most likely created with some kind of window.create(). That's only my best guess though. The window behind shouldn't have any of the district's extensions installed. Opening the terminal will fail to load because it can't load any environment; I already tried using Crostini and Linux, sadly to no avail. However, you can make empty virtual containers with allotted sizes via vmc in crosh. In the other user profiles on the drive, all of that activity will be listed under "system", which is pretty funny.
Opening crosh and running any kind of command, e.g. top, shows processes running as root and none listed under chronos, which is the ChromeOS user profile. (Caveat: top in crosh lists every user's processes, so root-owned system services showing up does not by itself prove that your shell or the browser is root; crosh and the browser normally run as chronos.) I don't know how accurate this is, but trying to find out your account will reveal that you are localhost. Attempting to change that password, or even find the current one, has also not been achieved. I have tried the basics, i.e. test0000, root, etc. I think that the account has no password, but you can't do form submissions with no information in the chrome://os-settings frontend.
Click "add other WiFi network" to turn your WiFi back on. Don't type anything in, just wait until the kiosk app loads.
Press ctrl + alt + z to open ChromeVox (text-to-speech). This may be blocked for you. Note that a sound will likely play when you run this shortcut.
Hold the search key, then press O, then T (not simultaneously). A ChromeVox tutorial window should appear.
Click "resources". Three links will show up; you can click any of them, and your browser should now open.
Once your browser is open, you can turn off ChromeVox spoken feedback by pressing ctrl + alt + z again.
The current maintainer of the exploit made the Skiovox Helper extension, which restores most of this functionality: https://github.com/bypassiwastaken/skiovox-helper
The main difference between the stages is:
If your screen keeps falling asleep after five seconds, try another kiosk app. Every app has its own extensions, history, settings, etc.; this is part of how kiosks in Chrome work. The different parts of an app are separate layered windows. For example, College Board has 4 windows open: the main College Board window is basically just a webview, and the block screen is just an HTML button that, when clicked, puts the main window into focus. ChromeOS considers it an app, and in order to have permission to move windows and change focus it also has an extension installed with all permissions. Pretty interesting.
If you only want to edit network settings, try chrome://network#select.
Again, device settings (chrome://os-settings) are mostly useless, but they might help if you accidentally close or break a window, and might become relevant when developing an extension.
Start by powerwashing and staying far away (physically) from any known (enterprise) networks.
Now do SKIOVOX; when it prompts for a WiFi login (2B), enter a hotspot. When the diagnostic screen pops up, disable your hotspot as soon as possible.
Then get a file into Downloads, either by dragging and dropping one from a removable media device or by pressing the three dots in Chrome and saving any page.
Open that file: in the URL you will see /home/chronos/u-{user id}/doesn't matter. What matters is u-{user id}.
Open crosh (still disconnected from the internet) with chrome-untrusted://crosh and run the following command, which points vmc's disk-image creation at the directory of the extension you want gone:
vmc create-extra-disk --size 1 /home/chronos/u-{user id}/Extensions/{extension id you want to remove}
Run the command, and pray.