A fix for the Apache mod_dumpio module not dumping null bytes

Two weeks ago I wrote about my surprise in learning that the Apache mod_dumpio module does not dump null (i.e., zero) bytes. That shortcoming makes it difficult to analyze attacks that involve binary data such as Zip archives. That a module which claims to log all the data sent to or from an Apache web server does not actually do so is rather surprising and exasperating, especially since the module has been around for at least nine years (the earliest reference I could find is from October 2006).

As recently as April 2015 someone with a Ph.D. posted on the SANS ISC forums that the Apache dumpio module could be used to log all data. It’s hard to believe that seemingly serious and highly credentialed security researchers have not noticed this module does not log all the data that passes through it. Or, for that matter, that no one else has noticed and fixed this problem in the decade since Jim Jagielski published this module.

I decided to fix this bug, mostly because I wanted to see what the hackers were trying to upload to my server as a Zip archive in an attempt to exploit WordPress “revslider” plugin vulnerabilities. I intend to submit this updated mod_dumpio.c source code to the Apache project. In the meantime you can download it from here. If you want to install this under Homebrew on Mac OS X, send an email to krader@skepticism.us and I’ll provide guidance.

Update 2015-10-04: This Python program, error_log_data_extract, is what I use to extract and decode the data logged by the mod_dumpio module that I fixed to correctly handle null bytes. This makes it trivial to reconstruct the entire request of an attack including binary data such as Zip archives.
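The root cause described above is a general one: any logger that hands request data to a printf-style "%s" conversion stops at the first zero byte, so binary payloads such as Zip archives are silently truncated in the log. The following C program is an added illustration and is not code from the original post, from mod_dumpio.c, or from the author's fix. It contrasts the "%s" approach with an escaping encoder that keeps the log line NUL-free and reversible, plus the matching decoder an analyst would use to rebuild the bytes. The sample bytes (the start of a Zip local file header), the `\xHH` escape convention, and all function names are constructed assumptions for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed sample: the first bytes of a ZIP local file header. The
 * "PK\3\4" signature is followed by version/flag fields that are often zero,
 * which is exactly where a "%s" logger stops. */
static const unsigned char sample_zip[] = {
    'P', 'K', 0x03, 0x04, 0x14, 0x00, 0x00, 0x00, 0x08, 0x00, 'a', 'b'
};
static const size_t sample_zip_len = sizeof sample_zip;

/* The "%s" pattern: copy the data into a NUL-terminated buffer and pass it
 * to a printf-style logger. Everything after the first zero byte is lost.
 * Returns the number of characters that actually reached the log line. */
size_t log_with_cstring(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    char copy[256];
    int w;
    if (n >= sizeof copy) n = sizeof copy - 1;
    memcpy(copy, buf, n);
    copy[n] = '\0';
    w = snprintf(out, outsz, "%s", copy);
    return w < 0 ? 0 : (size_t)w;
}

/* Escape every byte so the log line is NUL-free and reversible: printable
 * ASCII other than backslash is kept, backslash becomes "\\", and every
 * other byte becomes "\xHH". Returns the escaped length, or 0 if `out` is
 * too small to hold the result plus its terminator. */
size_t log_escaped(const unsigned char *buf, size_t n, char *out, size_t outsz)
{
    static const char hex[] = "0123456789abcdef";
    size_t o = 0;
    for (size_t i = 0; i < n; i++) {
        unsigned char c = buf[i];
        if (c == '\\') {
            if (o + 2 >= outsz) return 0;
            out[o++] = '\\'; out[o++] = '\\';
        } else if (c >= 0x20 && c < 0x7f) {
            if (o + 1 >= outsz) return 0;
            out[o++] = (char)c;
        } else {
            if (o + 4 >= outsz) return 0;
            out[o++] = '\\'; out[o++] = 'x';
            out[o++] = hex[c >> 4]; out[o++] = hex[c & 0x0f];
        }
    }
    out[o] = '\0';
    return o;
}

static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Reverse log_escaped so the original request bytes can be reconstructed
 * from the logged text. Returns the number of bytes recovered, or
 * (size_t)-1 on a malformed escape or an undersized output buffer. */
size_t unescape_log(const char *text, unsigned char *out, size_t outsz)
{
    size_t o = 0;
    for (size_t i = 0; text[i] != '\0'; ) {
        if (o >= outsz) return (size_t)-1;
        if (text[i] != '\\') { out[o++] = (unsigned char)text[i++]; continue; }
        if (text[i + 1] == '\\') { out[o++] = '\\'; i += 2; continue; }
        if (text[i + 1] == 'x') {
            int hi = hexval((unsigned char)text[i + 2]);
            int lo = hi < 0 ? -1 : hexval((unsigned char)text[i + 3]);
            if (lo < 0) return (size_t)-1;
            out[o++] = (unsigned char)((hi << 4) | lo);
            i += 4;
            continue;
        }
        return (size_t)-1;           /* unknown escape sequence */
    }
    return o;
}

int main(void)
{
    char line[256];
    unsigned char back[64];
    size_t n;

    n = log_with_cstring(sample_zip, sample_zip_len, line, sizeof line);
    printf("%%s logger kept %zu of %zu bytes\n", n, sample_zip_len);

    log_escaped(sample_zip, sample_zip_len, line, sizeof line);
    printf("escaped log line: %s\n", line);

    n = unescape_log(line, back, sizeof back);
    printf("decoder recovered %zu bytes, identical: %s\n", n,
           (n == sample_zip_len && memcmp(back, sample_zip, n) == 0) ? "yes" : "no");
    return 0;
}
```

The decoder is deliberately strict: a stray backslash or a malformed `\x` escape is reported rather than guessed at, because silently skipping bytes would reintroduce the very problem the encoder exists to avoid.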

Published by Kurtis Rader

3 thoughts on “A fix for the Apache mod_dumpio module not dumping null bytes”

  1. I’m not sure if you received my last message in the email conversation we had, where I mentioned ModSecurity aka mod_security2. After reading your previous post about mod_dumpio, I tested if ModSecurity logs the null bytes in audit logs. It not only logs them but allows blocking requests if any part of a request contains a null byte or any other byte sequence.

    1. Argh! I had somehow archived your message without reading it. ModSecurity looks very interesting and I’ll probably add it to my server sooner or later. I just skimmed their source code and it looks like they avoid the problem by using their own custom logging code rather than the ap_log_cerror() function and do their own encoding of the data they log. Which isn’t surprising since they also write to their own audit log rather than the Apache error log.
