A recently discovered vulnerability in Ubuntu 22.04’s printing subsystem, specifically within the “ippusbxd” package, could have allowed attackers to execute arbitrary code on locked laptops.
However, modern compiler features stepped in to mitigate the risk, preventing exploitation beyond a system crash.
The vulnerability was identified during a code audit of the macOS printing subsystem, which shares a common foundation with the open-source CUPS package.
Talos researchers turned their attention to the IPP-USB protocol, which enables network printing via the Internet Printing Protocol (IPP) for printers connected via USB. The “ippusbxd” package, responsible for handling IPP-USB functionality in Ubuntu 22.04, became the focal point of the investigation.
Upon examining the code, a compiler warning triggered by the “-Wstringop-overflow” flag signaled a potential buffer overflow vulnerability within the get_format_paper function.
This function parses paper dimension information reported by the printer during initialization. The vulnerability stemmed from the use of strncpy with a length argument derived from the source operand’s length rather than the destination buffer’s size.
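The bug class described above, shown as an added illustration that is not code from ippusbxd or from the Talos write-up: the flawed strncpy pattern appears only as a comment, next to a copy bounded by the destination size. The names parse_dimension, copy_bounded and DIM_BUF, the buffer size, and the space-separated token format are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define DIM_BUF 16   /* assumed size of the fixed stack buffer */

/* Flawed pattern described in the article (length taken from the source):
 *     char buf[DIM_BUF];
 *     strncpy(buf, value, strlen(value));   // bound is device-controlled
 * Hardened form: bound by the destination and reject what does not fit. */
static int copy_bounded(char *dst, size_t dst_size, const char *src, size_t src_len)
{
    if (dst_size == 0 || src_len >= dst_size)
        return -1;               /* would overflow: refuse, do not truncate */
    memcpy(dst, src, src_len);
    dst[src_len] = '\0';
    return 0;
}

/* Hypothetical parser: reads one device-reported dimension token (digits up
 * to the next space or end of string) into *out.
 * Returns 0 on success, -1 on oversized or malformed input. */
int parse_dimension(const char *value, long *out)
{
    char buf[DIM_BUF];
    size_t len = strcspn(value, " ");
    char *end;

    if (copy_bounded(buf, sizeof buf, value, len) != 0)
        return -1;
    errno = 0;
    long v = strtol(buf, &end, 10);
    if (end == buf || *end != '\0' || errno == ERANGE || v <= 0)
        return -1;
    *out = v;
    return 0;
}

int main(void)
{
    /* Constructed inputs: a plausible value and an oversized one. */
    char big[256];
    long v = 0;
    memset(big, '9', sizeof big - 1);
    big[sizeof big - 1] = '\0';
    printf("normal:   %d\n", parse_dimension("21000 29700", &v));
    printf("oversize: %d\n", parse_dimension(big, &v));
    return 0;
}
```

Rejecting an oversized token outright, instead of truncating it, keeps a hostile device from turning a length mismatch into a silently wrong paper size.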
An attacker could exploit this by connecting a malicious printer that reports excessively large media sizes, leading to a buffer overflow.
Aleksandar Nikolich of Talos Intelligence confirmed the vulnerability by analyzing the code context, revealing that a specially crafted “media-size-supported” payload could overwrite the stack buffer.
Exploiting this vulnerability on a locked laptop could grant attackers arbitrary code execution with elevated privileges.
A proof-of-concept (PoC) exploit was developed to demonstrate the vulnerability’s potential using a Raspberry Pi Zero emulating a USB printer.
The Linux USB Gadget API facilitated the creation of a custom software-defined USB device. By modifying the PAPPL printer gadget, the emulated printer was configured to report malicious media dimensions using an environment variable called “EXPLOIT_STRING”.
Upon connecting the Raspberry Pi Zero to the target Ubuntu machine, the ippusbxd daemon crashed with a segmentation fault, confirming the vulnerability’s trigger.
However, a deeper analysis of the crash revealed that the intended memory corruption and potential code execution were prevented by a compiler feature called “FORTIFY_SOURCE.”
This feature automatically replaces potentially unsafe functions with safer alternatives, detecting the buffer overflow condition before it could occur. The vulnerability’s impact is limited to causing a system crash due to the program’s explicit termination upon detecting the overflow.
Researchers emphasize that this incident highlights the importance of modern compiler features like static analysis and strong mitigation techniques like “FORTIFY_SOURCE.”
When enabled by default, these features can effectively prevent the exploitation of vulnerabilities. Moreover, the incident underscores the value of actively addressing compiler warnings during development.
In this particular case, the vulnerability’s potential impact was further diminished by the fact that the “ippusbxd” package has been superseded by the “ipp-usb” package.
The newer package is implemented in a memory-safe language, eliminating the risk of buffer overflows. While Ubuntu 22.04, as a long-term support release, remains an exception, newer versions have transitioned to using “ipp-usb.”
Recommendations for Users
- Ubuntu 22.04 LTS Users: Ensure ipp-usb is installed and remove ippusbxd if present.
- All Systems: Apply updates via sudo apt update && sudo apt upgrade and restart printing services.
- Physical Security: Restrict USB device access to prevent unauthorized hardware connections.