Bitwarden encrypted .json import causes 'unknown software exception (0xe06d7363)' #10785

Closed
V4ler1an opened this issue May 21, 2024 · 15 comments · Fixed by #10800

@V4ler1an

Overview

When attempting to import an encrypted .json Bitwarden export, the application crashes with error:
image

Steps to Reproduce

  1. Install latest Win64 KeePassXC release (2.7.8) (or the portable version which also has the same error)
  2. Choose 'Import File'
  3. Select Bitwarden .json
  4. Browse for the file
  5. Enter the Bitwarden vault password

Expected Behavior

The Bitwarden vault export data to be imported to KeePassXC

Actual Behavior

Crash error and KeePassXC force closes.

Context

Tested with fresh Bitwarden encrypted .json export. Tested with free Win64 KeePassXC install. Tested with fresh KeePassXC portable download.

KeePassXC - Version 2.7.8
Revision: f6757d3

Qt 5.15.11
Debugging mode is disabled.

Operating system: Windows 11 Version 2009
CPU architecture: x86_64
Kernel: winnt 10.0.22621

Enabled extensions:

  • Auto-Type
  • Browser Integration
  • Passkeys
  • SSH Agent
  • KeeShare
  • YubiKey
  • Quick Unlock

Cryptographic libraries:

  • Botan 3.1.1
@V4ler1an V4ler1an added the bug label May 21, 2024
@droidmonkey
Member

Hmmmm, are you using any special features in Bitwarden that may be tripping this? We have well tested code for this stuff.

@V4ler1an
Author

V4ler1an commented May 21, 2024

Ahh, perhaps this is something you might not have tested yet. The only change I made about 6 months ago was to switch the KDF algorithm from PBKDF2 to the newer Argon2id Bitwarden introduced in Feb 2023 as it's recommended to be more secure and harder to brute force. Here are my settings if you want to test:

image

@droidmonkey
Member

droidmonkey commented May 21, 2024

Just implemented that in the last release and have tested it fully.

This is our Bitwarden test coverage: https://app.codecov.io/gh/keepassxreboot/keepassxc/blob/develop/src%2Fformat%2FBitwardenReader.cpp

@V4ler1an
Author

I really don't play around with the settings, pretty sure that's it.

@droidmonkey
Member

Highly unlikely since those are standard components that we use elsewhere in the code for years.

@droidmonkey
Member

According to this you may need to reinstall Visual Studio Redistribution packages and/or run a system scan sfc /scannow

https://www.howtoedge.com/fix-exception-error-code-0xe06d7363/

@V4ler1an
Author

Before I do that, I'll test using a Windows 11 VM I have.

@V4ler1an
Author

V4ler1an commented May 21, 2024

My VM is the same except it doesn't even show an error, the app just disappears the second I start the import after the file has been specified and the password entered. There isn't even a reference to the application error in the event viewer. I've tried:

  • sfc /scannow
  • Ran: DISM /Online /Cleanup-Image /RestoreHealth
  • Installed: Visual C++ Redistributable for Visual Studio 2012 Update 4
  • Booting in safe mode after disabling all non-microsoft services

@droidmonkey
Member

At this point the only way I can validate and troubleshoot this is if you can provide your Bitwarden json file... which isn't recommended for obvious reasons. Recommend creating a new Bitwarden vault with the same argon2id settings and test to see if the issue persists. If it does, share that json file with the export password please.

@V4ler1an
Author

I also run a local Vaultwarden server to keep a backup. I thought I would try an export from that to see the results. It helped me realise the problem. The online vault defaults to exporting the .json encrypted with the account's key. This means it can only be re-imported back to the same account. Unlike the Bitwarden online vault, Vaultwarden gives the option to export the .json encrypted with a password.
image

When I created it this way it imported into KeePassXC.

So perhaps it would be better handling if KeePassXC gave a more informative error when it encounters an account encrypted .json. Also on my VM KeePass didn't even give an error, it just quit out. If you try to import an account encrypted .json into Vaultwarden, it tells you:
image

@droidmonkey
Member

droidmonkey commented May 21, 2024

Oh that's interesting, so the crash could be connected to failed decryption? I also find that unlikely since I ran into this problem (failed decryption) many times testing this code so failure paths were well tested at least then. We do provide a decent error message for failed decryption. We obviously cannot tell if that's because you mistyped your password or are using some other mechanism entirely.

Online Bitwarden absolutely lets you export with a password, that is what I used for the test databases.

@V4ler1an
Author

It certainly looks that way. I can't seem to find a way to generate an online Bitwarden export .json that's only encrypted with a password. I think they deprecated that method not that long ago. Now it defaults to account key encryption only. I can generate it as .json with no encryption at all, that imports to KeePass ok when I leave the password field blank. The fact that KeePassXC has a password field for the .json format import may be a bit misleading now. Only Vaultwarden seems to offer the capability to generate that. Perhaps a little note on the import form about the distinction between these types would be helpful.

@droidmonkey
Member

droidmonkey commented May 21, 2024

If you provide a password for the unencrypted export it doesn't matter.

From a personal Bitwarden test account (free version):

Screenshot_20240521_182855_Edge.png

@V4ler1an
Author

V4ler1an commented May 21, 2024

Ok, it seems that out of the browser plugin, the desktop app and the web vault, only the latter offers the additional option of password encrypted .json.

@droidmonkey
Member

droidmonkey commented May 22, 2024

I replicated this crash with the "Account Restricted" export option. The crash occurs in the Botan library because an exception is thrown that isn't caught.

droidmonkey added a commit that referenced this issue Jun 16, 2024
pull bot pushed a commit to tigerwill90/keepassxc that referenced this issue Jun 17, 2024
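
The distinction this thread arrives at, as an added example that is not part of the issue or of KeePassXC's code: a pre-flight check that classifies a Bitwarden JSON export before any key derivation or decryption is attempted, so an account-restricted file produces a message instead of reaching the crypto library. The field names and `kdfType` values are assumptions about Bitwarden's export layout, and the sample documents are constructed.

```python
import json

# Field names follow the Bitwarden JSON export layout as assumed for this example.
PW_FIELDS = ("salt", "kdfType", "kdfIterations", "encKeyValidation_DO_NOT_EDIT", "data")
ARGON2ID_FIELDS = ("kdfMemory", "kdfParallelism")
KDF_PBKDF2, KDF_ARGON2ID = 0, 1  # assumed kdfType values


def preflight(raw: str) -> tuple[str, str]:
    """Classify an export before any key derivation or decryption is attempted.

    Returns (kind, message); kind is 'plaintext', 'password-protected',
    'account-restricted' or 'invalid'.
    """
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return "invalid", f"not valid JSON: {exc.msg}"
    if not isinstance(doc, dict):
        return "invalid", "top-level JSON value is not an object"
    if doc.get("encrypted") is not True:
        return "plaintext", "unencrypted export; the password field is ignored"
    if doc.get("passwordProtected") is not True:
        return ("account-restricted",
                "encrypted with the account key; a password cannot decrypt it, "
                "re-export as password protected")
    needed = PW_FIELDS
    if doc.get("kdfType") == KDF_ARGON2ID:
        needed += ARGON2ID_FIELDS  # rebinds the local name; PW_FIELDS is unchanged
    elif doc.get("kdfType") != KDF_PBKDF2:
        return "invalid", f"unknown kdfType {doc.get('kdfType')!r}"
    missing = [f for f in needed if f not in doc]
    if missing:
        return "invalid", "missing fields: " + ", ".join(missing)
    return "password-protected", "ready for key derivation"


# Constructed samples; the ciphertext strings are placeholders, not real data.
ACCOUNT_RESTRICTED = json.dumps({"encrypted": True,
    "encKeyValidation_DO_NOT_EDIT": "2.placeholder", "folders": [], "items": []})
PASSWORD_ARGON2ID = json.dumps({"encrypted": True, "passwordProtected": True,
    "salt": "placeholder", "kdfType": 1, "kdfIterations": 3, "kdfMemory": 64,
    "kdfParallelism": 4, "encKeyValidation_DO_NOT_EDIT": "2.placeholder",
    "data": "2.placeholder"})
PLAINTEXT = json.dumps({"encrypted": False, "folders": [], "items": []})

if __name__ == "__main__":
    for name, raw in [("account", ACCOUNT_RESTRICTED), ("password", PASSWORD_ARGON2ID),
                      ("plain", PLAINTEXT), ("garbage", "{not json")]:
        print(name, "->", preflight(raw))
```

The decryption call that follows a `password-protected` result still needs its own error handling, since a wrong password or corrupted ciphertext passes this check.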