by moyix
635 days ago
nmap can't really tell the difference between an open or a firewalled UDP port. For this specific vuln you can send it a packet like:

    echo "0 3 http://myserver:PORT/printers/foo" | nc -u target 631

And if the target is running CUPS on that port it will reach out to `myserver:PORT` and POST some data. The downside is you need to have a server running that can accept inbound requests to see if it connects back.
Which can be ambiguous if the port is open or firewalled.
However, if nmap reports that the port is "closed," it most likely is:
I'd add that GP specifically requested an nmap command.

All that said, you're absolutely correct and if nmap returns something like this:
then further poking could be required, as you suggest.

I would point out that cups-browsed isn't really necessary unless you desire to have printers automatically added without any user interaction. Which is poor opsec in any situation.
If we're talking about a corporate environment, adding printers can be automated without cups-browsed, and at home or in the wild (cafes, public wifi, etc.) that's an unacceptable (at least from my perspective) risk and printers (if needed in such an unsecured environment) should be explicitly added by the user, with manual checks to ensure it's the correct device.
As such, rather than checking to see if cups-browsed is running unsecured, simply check to see if it's installed:
Debian and variants:
RedHat/Fedora and variants:
And if it is, remove it.

Edit: fixed typo.
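
The open-versus-firewalled ambiguity discussed in this thread, shown as an added example that is not code from either commenter: a UDP probe can only prove "closed" (the host answers with ICMP port unreachable) or "open" (a datagram comes back); silence stays "open|filtered". The function names, the one-byte placeholder payload and the loopback fixtures are assumptions made for the illustration.

```python
import socket
import threading

def classify_udp_port(host, port, payload=b"\x00", timeout=0.5, attempts=3):
    """Return 'open', 'closed' or 'open|filtered' for a single UDP port."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # connect() on UDP sends nothing; it makes the kernel report an
        # ICMP port-unreachable for this peer as ECONNREFUSED.
        s.connect((host, port))
        for _ in range(attempts):
            try:
                s.send(payload)
                s.recv(2048)
                return "open"            # something answered the probe
            except ConnectionRefusedError:
                return "closed"          # ICMP port unreachable came back
            except socket.timeout:
                continue                 # silence: retry, then give up
    # No reply and no ICMP error: a silent listener and a firewall that
    # drops the packet look identical from the outside.
    return "open|filtered"

def _bound_udp():
    """Bind a UDP socket to an ephemeral loopback port (constructed fixture)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s, s.getsockname()[1]

def demo():
    """Probe three constructed loopback ports and return their states."""
    talker, talker_port = _bound_udp()   # answers once
    silent, silent_port = _bound_udp()   # bound but never replies
    gone, gone_port = _bound_udp()
    gone.close()                         # nothing listens here any more

    def reply_once():
        _, peer = talker.recvfrom(2048)
        talker.sendto(b"ack", peer)

    threading.Thread(target=reply_once, daemon=True).start()
    try:
        return {
            "replies": classify_udp_port("127.0.0.1", talker_port),
            "silent": classify_udp_port("127.0.0.1", silent_port),
            "unbound": classify_udp_port("127.0.0.1", gone_port),
        }
    finally:
        talker.close()
        silent.close()

if __name__ == "__main__":
    print(demo())
```

The "silent" case is why a scan result alone cannot clear a host: only a check made on the machine itself settles whether something is bound to the port.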