From c200fcc4163c129e30f0c25102e6e97fadbcd462 Mon Sep 17 00:00:00 2001
From: "ori.agmon"
Date: Sun, 7 Oct 2018 17:16:07 +0300
Subject: [PATCH] Improved unauthorized access false positive on edge case (where user is running using https & 127.0.0.1 & needed certificates)

---
 src/modules/hunting/etcd.py | 16 +++++++++++++---
 1 file changed, 13 insertions(+), 3 deletions(-)

diff --git a/src/modules/hunting/etcd.py b/src/modules/hunting/etcd.py
index cf3d957..774524b 100644
--- a/src/modules/hunting/etcd.py
+++ b/src/modules/hunting/etcd.py
@@ -125,8 +125,18 @@ class etcdRemoteAccess(Hunter):
             return True
         return False
 
+    def unauthorized_access(self):
+        logging.debug(self.event.host)
+        logging.debug("Passive hunter is attempting to access etcd without authorization")
+        r_not_secure = "http://{host}:{port}/version".format(host=self.event.host, port=2379)
+        res = helperFuncDo2Requests(r_not_secure, r_not_secure)# We dont have to do 2 requests this time
+        if res:
+            self.publish_event(etcdAccessEnabledWithoutAuthEvent(res.content))
+            return True
+        return False
+
     def execute(self):
-        if (self.version_disclosure()):
-            self.publish_event(etcdAccessEnabledWithoutAuthEvent(self.no_auth_evidence)) # if version is accessible we can publish "no auth event".
+        if self.version_disclosure():
+            self.unauthorized_access()
         self.db_keys_disclosure()
-        self.db_keys_write_access()
\ No newline at end of file
+        self.db_keys_write_access()
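Review bot: In `unauthorized_access` the call `helperFuncDo2Requests(r_not_secure, r_not_secure)` sends the same plaintext URL twice while the trailing comment says a second request is not needed, so the code and the comment contradict each other; either issue one request or replace the comment with `# both slots get the plaintext URL on purpose: an HTTPS-only, cert-protected etcd must not be reported as unauthenticated access`, which is the false-positive case the commit message describes. The `if res:` guard presumably depends on the helper returning a falsy value (or a response whose truthiness reflects a non-error status) when the plaintext probe is refused — worth confirming, because otherwise a 4xx body would be published as evidence through `res.content`. The port is hard-coded to `2379` while the host is taken from the event; if the event also carries a port, the probe should use it. `logging.debug(self.event.host)` emits a bare value with no context — `logging.debug("etcd host: %s", self.event.host)` is more useful in a trace. The method whose `return True`/`return False` open the hunk starts outside it.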