
An AppleScript to help manage LittleSnitch via ssh Network
For those who don't know, LittleSnitch is a great application that lets you block outgoing network connections. It's very useful to stop apps (such as trojan horses) from "calling home." The problem is I often log into home via ssh, and want to use stuff like curl, for which I do not want to define a specific rule and would rather have LittleSnitch ask me every time.

Say I want to install something remotely using Fink; I can't, because there's no way to tell LittleSnitch to let curl connect to the mirror. So I came up with a little AppleScript UI script to fix this...

Here's the code:
tell application "System Events"
  tell process "KUC"
    tell window "Little Snitch"
      -- The next few lines are optional
      -- They select "Allow Any network connection" (the default is "Allow Same port")
      click pop up button of group 1
      delay 1
      keystroke "a"
      keystroke return
      -- End of the optional section
      click button "Allow Until Quit"
    end tell
  end tell
end tell
Save the script, and then you can use something like this to allow the exception:
$ curl apple.com | osascript ~/Documents/Allow_Snitch.scpt
This method won't work for everything, though. Fink, for example, triggers curl only a bit after you run the command, so you will need to have two ssh connections open and guesstimate the appropriate time at which to run the script. It's definitely not a CLI tool for LittleSnitch, but it will do the job most of the time.

Note that I am nowhere near an AppleScript expert. I also believe this could be made better by triggering the AppleScript from a shell script, thus allowing for a few more options. Last but not least, a word of warning about this: OBDev (the makers of Little Snitch) don't want to make a CLI tool for it, as it could be a security risk. This is probably true and also applies to this script, but that's fine by me.

LIFE - SAVE - ... ER
Authored by: fracai on Sep 30, '05 09:48:05AM

This is incredible.

I've been bugging ObDev to add a command line interface, but they seem to think it's a security hazard.

This should nicely fill the gap until they come around (hopefully).

Thanks

---
i am jack's amusing sig file



LIFE - SAVE - ... ER
Authored by: xSmurf on Sep 30, '05 10:45:28AM

Yes I've seen this in the mailing list archive while looking for a way to manage littlesnitch from the terminal. It's actually why I came up with this script :)

---
Free iPods, now in Canada too! Get yours : http://tinyurl.com/75yta

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf



LIFE - SAVE - ... ER
Authored by: CoolerQ on Sep 30, '05 05:16:13PM

It's an obvious security hazard. Think about it!

If you can programmatically allow Little Snitch connections (i.e. from the shell), so can malicious apps!

--Quentin



LIFE - SAVE - ... ER
Authored by: ratthing on Oct 02, '05 08:24:53AM

Which is why it would be better to use the built-in firewall and use the privilege separation it provides, learning about that would take too much work. People use Little Snitch because it's "easy" and they don't understand that OS X already provides the same functionality.

Little Snitch is insecure were it to have a CLI because it runs as the user that is logged in and thus, requires no password to make configuration changes. If it ran as the privileged user or another user, then you'd have to use sudo to change anything via the CLI.

Of course, in the "real world" you'd never be running your firewall from your workstation.

=RT=



LIFE - SAVE - ... ER
Authored by: xSmurf on Oct 02, '05 09:38:12AM

An update to this hint is coming up. I don't wanna say too much so far, but yes any app can just "programmatically" add rules to LittleSnitch with little chances you know about it! Being easy to use is no excuse to a huge lack of security, actually I think it should be the opposite. If you don't know how to use ipfw and such, you probably don't realize how unsure LittleSnitch is, but it remains so!

---
Free iPods, now in Canada too! Get yours : http://tinyurl.com/75yta

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf



An AppleScript to help manage LittleSnitch via ssh
Authored by: derekhed on Sep 30, '05 10:12:34AM

Correct me if I am wrong, but if you are logged out or simply at the login window, doesn't that keep LittleSnitch from popping up?

I have never had this problem when I ssh to my home server and curl from there, probably because of this.



An AppleScript to help manage LittleSnitch via ssh
Authored by: xSmurf on Sep 30, '05 10:55:03AM

I've just tested this and you're right about it! Although I have no real threat from a "physical access" point of view, so the workstation is always logged in. This just won't cut it for me.

---
Free iPods, now in Canada too! Get yours : http://tinyurl.com/75yta

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf



An AppleScript to help manage LittleSnitch via ssh
Authored by: ynolo on Oct 02, '05 11:53:49AM

Why not use ARD or Timbuktu or even a VNC app? I connect remotely to my machine via ssh and on a few occasions I've run into this situation as well, and to allow connections I've just connected via ARD. Works pretty good.

---
i don't have one



An AppleScript to help manage LittleSnitch via ssh
Authored by: xSmurf on Oct 02, '05 01:12:24PM

Sometimes you just can't. Say I'm at school, the ssh connection is extremely unreliable (passes through the https proxy), creating a tunnel is almost impossible. Plus it's a whole lot easier for the teacher to see I'm messing around if he sees a mac desktop than just random text in a console when we're using the console all the time during class ;)

---
Free iPods, now in Canada too! Get yours : http://tinyurl.com/75yta

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf



SnitchCTL - Command line tool and security holes
Authored by: xSmurf on Oct 04, '05 08:57:39AM
This was originally posted as a hint a few days ago but never got published so I'm putting it up here. I believe it is important that the LittleSnitch users be warned about this.

I decided my original technique was not enough and came up with a php shell script to manage the LittleSnitch daemon via the terminal. This is how SnitchCTL was born. It allows you to start, stop and restart the daemon as well as use the UI Script to allow or deny a connection. It also allows you to add basic allow/deny all rules to the configuration. The script is available here. I have also set up a page for the script. The source is available from the site.

Disclaimer :
This script has been tested with Mac OS 10.4.2 and LittleSnitch builds 212 (1.2b3), 218 (1.2b5), 226 (1.2). Tests have shown that running this script under 10.3.9 is a bad idea! Running this script poses a potential security risk! This script is provided "as is", I am not responsible for any damages that could occur from using it. If you use it, you assume what you do it with and whatever happens to you!


SnitchCTL build 006: A CLI interface to LittleSnitch.
    This script must be run as root or using sudo!
    Usage: ./snitchctl [option1] [[option2] [option3]] {delay}
-------------------------------------------------------------
Options:
    start       Starts LittleSnitch daemon
    stop        Stops LittleSnitch daemon
    restart     Restarts LittleSnitch daemon
    status      Shows LittleSnitch's status
    addrule     Allows to add a rule to the LittleSnitch configuration
                    This only works to allow or deny all connections
                    usage: ./snitchctl addrule [deny/allow] [path to application]
    allow       Allow via the GUI until the application quits on same port
    allowa      Allow via the GUI until the application quits for any connection
    deny        Denies via the GUI until the application quits on any connection
    delay       Used only with the three options above, allows to set a delay, in seconds, 
                before the LittleSnitch alert window is dismissed (see below for usage)
                delay is optional
-------------------------------------------------------------
There are two methods for using the allow, allowa and deny options:
First is to use a second terminal window or ssh session, the second is by doing something like
  $ curl apple.com & ./snitchctl allow 5

While creating this script I discovered that LittleSnitch was really not as secured as it should/appears to be. Fracai has posted a great warning call on the LittleSnitch mailinglist. Here's a snippet:

LittleSnitch is not currently secure. "killall LittleSnitchDaemon" will allow any app to "phone home" without being detected by LittleSnitch. Properly securing LittleSnitch would involve running the daemon and all LittleSnitch components as the root user or as an independent LittleSnitch user. [...] The main point to take away from this is that as it is currently implemented, LittleSnitch is not secure. A malicious app need not sneak new rules in to the configuration when the communication block is not effective.

The mailinglist post is available here.

Yes you've read that properly. The LittleSnitch daemon runs in user space! This means any malicious application can stop the daemon, send the data and then start the daemon back up with very little chance that the user ever knows about it! LittleSnitch doesn't output to the system/console log so there are no logs of what's been going on.

I suggest you read the site I've put up and the mailing list post by Fracai if you want to know more about this issue. I have also created a thread in the forums if you have any questions or comments.

---
SnitchCTL : Flawed security makes it fun! http://snitchctl.smurfturf.net/

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf

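The conditions described in the comment above (the daemon owned by the logged-in user, stopped or restarted without the user noticing, and nothing written to the system log) can be watched for from outside the daemon. The following is an added example, not part of the original post or of SnitchCTL; the function names, the snitch-watch log tag and the sample listing are assumptions, and only the process name LittleSnitchDaemon comes from the thread.

```shell
#!/bin/sh
DAEMON_NAME="LittleSnitchDaemon"   # process name quoted in the thread

# Constructed sample of `ps -ax -o user= -o pid= -o comm=` (users, PIDs and
# paths are made up for illustration).
SAMPLE='root     1 /sbin/launchd
alice  412 /Example Dir/LittleSnitchDaemon
alice  530 /usr/bin/curl'

# daemon_entry <ps-listing>: print "owner pid" of the daemon, or nothing.
# The command column may be a full path that contains spaces.
daemon_entry() {
    printf '%s\n' "$1" | awk -v name="$DAEMON_NAME" '{
        cmd = $0
        sub(/^[ \t]*[^ \t]+[ \t]+[^ \t]+[ \t]+/, "", cmd)  # drop user and pid
        n = split(cmd, part, "/")
        if (part[n] == name) { print $1, $2; exit }
    }'
}

# assess <ps-listing> <console-user> <previous-pid or "">: print one verdict.
assess() {
    entry=$(daemon_entry "$1")
    [ -n "$entry" ] || { echo "MISSING"; return; }
    owner=${entry% *}; pid=${entry#* }
    if [ -n "$3" ] && [ "$3" != "$pid" ]; then
        echo "RESTARTED pid=$pid"     # stopped and started between two samples
    elif [ "$owner" = "$2" ]; then
        echo "USER_OWNED pid=$pid"    # that user's processes can signal it
    else
        echo "OK pid=$pid"
    fi
}

# watch_daemon [seconds]: poll and write every non-OK verdict to the system
# log. Defined only; call `watch_daemon 5` on the Mac being monitored.
watch_daemon() {
    prev=""
    while :; do
        console_user=$(stat -f %Su /dev/console)   # macOS form of stat
        verdict=$(assess "$(ps -ax -o user= -o pid= -o comm=)" "$console_user" "$prev")
        case $verdict in
            OK*) ;;
            *) logger -t snitch-watch "$DAEMON_NAME: $verdict" ;;
        esac
        case $verdict in MISSING) prev="" ;; *) prev=${verdict#*pid=} ;; esac
        sleep "${1:-5}"
    done
}
```

A stop and restart that happens entirely between two polls still shows up as RESTARTED because the PID changes; a shorter interval narrows the window in which the daemon is absent unnoticed.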

Extra Extra: the threat is real! A virus takes advantage of this security hole!
Authored by: xSmurf on Oct 05, '05 10:59:38AM

*** The security hole in LittleSnitch is not pure speculation. A virus already has taken advantage of it! ***

I was looking to see what the web had to say about LittleSnitch's security (googling with the terms "LittleSnitch Security") and something very interesting came up from Symantec's virus description page (http://securityresponse.symantec.com/avcenter/venc/data/sh.renepo.b.html)

"SH.Renepo.B is a data-collecting script virus that only runs on Mac OS X systems.
[...] When the virus is executed, it does the following: [...]
15. Looks for LittleSnitch software (a shareware Firewall program with application control) and tries to terminate the process, when LittleSnitch attempts to perform network access."

So I decided to search around a bit more to see what I could find. These are my findings. They are not exactly structured, but a lot of information can be found on these sites.

This information is well documented on many sites such as:

*** Objective Development has been aware of this for over a year but seemed to have decided not to act! ***
http://www.mail-archive.com/littlesnitch-talk@obdev.at/msg00132.html
(Note that they never mention in the mailinglist post that the opener kills the LittleSnitch daemon!)

The opener was featured on:
More information about the SH.Renepo.B virus:
Current aliases used for this virus:
  • SH.Renepo (CA)
  • SH.Renepo.B (Symantec)
  • SH/Renepo-A (Sophos)
  • SH/Renepo.A (Panda)
  • Worm.MacOS.Opener.a (Kaspersky)
  • MacOS.Renepo.A
  • MacOS.Renepo.B
  • MAC_RENEPO.B
  • Unix/Opener.worm
I have posted this information on LittleSnitch's mailing list. You can view this post here

---
SnitchCTL : Flawed security makes it fun! http://snitchctl.smurfturf.net/

PM G4 DP 800 / 1.25gb / 120Gb+80Gb / CD/DVD±RW/RAM/DL
- The only APP Smurf
