Exception While Parsing Little Snitch Entry #1

Open
moloch-- opened this issue Oct 8, 2022 · 7 comments
moloch-- commented Oct 8, 2022

The entry doesn't appear to be odd in any way that I can tell from the GUI, but LockSmith crashes while parsing it.

```
=================================
      Keychain Entry 447
=================================
Account:       Little Snitch
Label:         Little Snitch Encryption Key
Service:       Little Snitch Encryption Key
Creation Date: 2022-01-27 21:00:29
Modify Date:   2022-01-27 21:00:29
Class:         genp
2022-10-08 17:44:00.106 exe[54632:1051589] -[NSNull UTF8String]: unrecognized selector sent to instance 0x213294340
2022-10-08 17:44:00.107 exe[54632:1051589] *** Terminating app due to uncaught exception 'NSInvalidArgumentException', reason: '-[NSNull UTF8String]: unrecognized selector sent to instance 0x213294340'
*** First throw call stack:
(
	0   CoreFoundation                      0x00000001b9d55148 __exceptionPreprocess + 240
	1   libobjc.A.dylib                     0x00000001b9a9fe04 objc_exception_throw + 60
	2   CoreFoundation                      0x00000001b9de8ef8 -[NSObject(NSObject) __retain_OA] + 0
	3   CoreFoundation                      0x00000001b9cb4494 ___forwarding___ + 1764
	4   CoreFoundation                      0x00000001b9cb3cf0 _CF_forwarding_prep_0 + 96
	5   exe                                 0x000000010299df88 printItem + 1496
	6   exe                                 0x00000001029a0fbc GetAllAttrbituesOfKey + 908
	7   exe                                 0x00000001029a1924 main + 1228
	8   dyld                                0x0000000102c9d08c start + 520
)
libc++abi: terminating with uncaught exception of type NSException
Abort trap: 6
```

@its-a-feature
Owner

hm... it appears to be trying to convert a NULL into a string somewhere in the `printItem` function. On that computer, can you run `security find-generic-password -A "Little Snitch"` and share the output? It won't include the sensitive password, but will give me insight into which fields exist and which ones don't so I can track down which specific entry is causing the NULL. Similarly, if you are doing it from the same host with Xcode, if you can run it through there and let me know which line causes the crash, it should be a super easy fix.

Author

moloch-- commented Oct 9, 2022

```
version: 512
class: "genp"
attributes:
    0x00000007 <blob>="Little Snitch database encryption password"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="Little Snitch"
    "cdat"<timedate>=0x32303139303930333233303530305A00  "20190903230500Z\000"
    "crtr"<uint32>="aapl"
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>="Little Snitch stores data such as connection statistics on disk, encrypted with this password. Encryption prevents other applications from reading this data. Do not revoke access for Little Snitch Helper, otherwise Little Snitch cannot permanently store some information on disk."
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303139303930333233303530305A00  "20190903230500Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="Little Snitch database encryption password"
    "type"<uint32>=<NULL>
```

Author

moloch-- commented Oct 9, 2022

[Image: Screen Shot 2022-10-09 at 8 50 30 AM]

[Image: Screen Shot 2022-10-09 at 8 54 33 AM]

Author

moloch-- commented Oct 9, 2022

Looks like a missing null check on the icmt value, which is odd because it doesn't appear to be null in the dump.

@its-a-feature
Owner

That's super weird 🤔 your output shows:

```
"icmt"<blob>="Little Snitch stores data such as connection statistics on disk, encrypted with this password. Encryption prevents other applications from reading this data. Do not revoke access for Little Snitch Helper, otherwise Little Snitch cannot permanently store some information on disk."
```

so it's not NULL, but at the same time, it's null.

@its-a-feature
Owner

If I check a fresh install of Little Snitch, I see the following:

```
version: 256
class: "genp"
attributes:
    0x00000007 <blob>="Little Snitch Encryption Key"
    0x00000008 <blob>=<NULL>
    "acct"<blob>="Little Snitch"
    "cdat"<timedate>=0x32303232313030393037303030375A00  "20221009070007Z\000"
    "crtr"<uint32>="aapl"
    "cusi"<sint32>=<NULL>
    "desc"<blob>=<NULL>
    "gena"<blob>=<NULL>
    "icmt"<blob>=0x0000000000000000FB07746368207573657320746869732070617373776F726420746F20656E63727970742064617461207768656E2073746F72696E67206F6E206469736B2E20456E6372797074696F6E2070726576656E7473206F74686572206170706C69636174696F6E732066726F6D2072656164696E67207468697320646174612E20446F206E6F74207265766F6B652061636365737320666F72204C6974746C6520536E697463682C206F7468657277697365204C6974746C6520536E69746368206C6F73657320616C6C206461746120616E642073657474696E677320616674657220726573746172742E  "\000\000\000\000\000\000\000\000\373\007tch uses this password to encrypt data when storing on disk. Encryption prevents other applications from reading this data. Do not revoke access for Little Snitch, otherwise Little Snitch loses all data and settings after restart."
    "invi"<sint32>=<NULL>
    "mdat"<timedate>=0x32303232313030393037303030375A00  "20221009070007Z\000"
    "nega"<sint32>=<NULL>
    "prot"<blob>=<NULL>
    "scrp"<sint32>=<NULL>
    "svce"<blob>="Little Snitch Encryption Key"
    "type"<uint32>=<NULL>
```
which also causes issues and appears as NULL* when debugging, but the entire comment seems bugged too

@its-a-feature
Owner

I just made a push that'll at least do that additional check and not segfault. I need to figure out what's causing the internal NSDictionary parsing to believe that value is a string, but then also determine it's a null string based on all the leading null bytes.
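
The fresh-install dump above shows an "icmt" blob that starts with eight 0x00 bytes. As an added example (not LockSmith's code and not part of the thread), this C program shows why a NUL-terminated view of such a blob is empty while a length-delimited rendering keeps every byte, and how an absent value can be printed without dereferencing it. The names `attr_blob`, `cstr_view_len` and `render_attr` are hypothetical, and the sample bytes are the first 18 bytes of that hex dump.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical type: a length-delimited attribute value; data == NULL models <NULL>. */
typedef struct { const unsigned char *data; size_t len; } attr_blob;

/* Constructed sample: the first 18 bytes of the "icmt" hex dump shown above. */
static const unsigned char ICMT_PREFIX[] = {
    0, 0, 0, 0, 0, 0, 0, 0, 0xFB, 0x07, 't', 'c', 'h', ' ', 'u', 's', 'e', 's'
};

/* Length a NUL-terminated consumer would see: bytes before the first 0x00. */
size_t cstr_view_len(const attr_blob *b)
{
    if (b == NULL || b->data == NULL) return 0;
    const unsigned char *nul = memchr(b->data, 0, b->len);
    return nul ? (size_t)(nul - b->data) : b->len;
}

/* Render into out (cap bytes including the terminator). Printable ASCII is
 * copied, every other byte (and the backslash) becomes \xNN, an absent value
 * becomes "<NULL>". Stops before an escape that would not fit. Returns the
 * number of characters written, excluding the terminator. */
size_t render_attr(const attr_blob *b, char *out, size_t cap)
{
    size_t n = 0;
    if (cap == 0) return 0;
    if (b == NULL || b->data == NULL) {
        snprintf(out, cap, "<NULL>");
        return strlen(out);
    }
    for (size_t i = 0; i < b->len; i++) {
        unsigned char c = b->data[i];
        int printable = (c >= 0x20 && c < 0x7f && c != '\\');
        size_t need = printable ? 1 : 4;
        if (n + need >= cap) break;              /* keep room for '\0' */
        if (printable) out[n++] = (char)c;
        else n += (size_t)snprintf(out + n, cap - n, "\\x%02X", c);
    }
    out[n] = '\0';
    return n;
}

int main(void)
{
    char buf[128];
    attr_blob icmt = { ICMT_PREFIX, sizeof ICMT_PREFIX };
    render_attr(&icmt, buf, sizeof buf);
    printf("C-string view: %zu bytes; rendered: %s\n", cstr_view_len(&icmt), buf);
    return 0;
}
```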
