With DingleBerry now available to gain root access to the BlackBerry PlayBook, we're quickly learning more about how the exploit works. We have a more in-depth post coming up soon, but a big part of that answer was just tweeted out by DingleBerry creator Chris Wade. See the tweet above for explanation.
What's really surprising, funny, interesting, sad and disturbing here is that CRACKBERRY.com actually warned Research In Motion about this exploit back in April 2011, shortly after the BlackBerry PlayBook was released:
From: Shao @ CrackBerry
Sent: Friday, April 29, 2011 4:49 PM
To: Research In Motion (names removed)
Subject: PlayBook exploits
I apologize for directing this your way right now; I just didn't know who to send it to. And I'm sure you are aware of some, if not all, of these issues already. But I thought, just to be safe, I'd pass them along.
Obviously it's out in the wild about the backup files. Aside from the obvious application structure, there seem to be some other potential vulnerabilities, such as unencrypted passwords. Also, I haven't had a chance to test this yet, but I thought it was worth mentioning: it seems that it might be possible to exploit Samba using the config files in the backup. From the looks of it, mounting other folders beyond the certificates and media folders should be possible, among other things. Once someone has access to that, well, you know the rest...
Anyways, just thought I'd pass that along in case there were parts not known.
On this issue our forums moderator Shao128 went straight to the appropriate RIM contacts with an email (vs. posting publicly about it) so that they would forward it on to RIM security to address the issue, and indeed Shao128 did receive a reply saying they were discussing it internally and would follow up. So it was acknowledged. There's more to making this exploit work than just what was stated above, but this is a big part of what enabled it (backup causes a reboot, and files like smb.conf are restored from stock at boot time - so there's some other *dark magic* exploiting that process).
But as G.I. Joe would say, knowing is half the battle. And in this case, RIM knew, and chose not to do anything about it.