amon.so: Hijacking System Calls For Hardening PHP - Debian Lenny And Squeeze
amon.so is a library that integrates with the PHP interpreter and intercepts and manipulates the system calls provided by libc6. It replace the execve() syscall with a custom function which does extra sanity checking in order to prevent that an attacker could execute arbitrary code on the system exploiting a vulnerability in a web-based application (such as a bugged cms). It's open-source software released under the terms of the GPL license and compatible with PHP running as a CGI process or Apache's DSO module. The official website is http://www.lucaercoli.it/
For this brand new project at the moment there aren't prebuilt packages, therefore to use it you must download the source code and compile it.
In order to install the compiler (gcc) with development libraries and header files, open a terminal and execute the following command:
apt-get install build-essential
The next step is to download source code so we can get the file using wget:
Now that you have everything you needed for installing the software, execute this command to generate the shared library file:
gcc -fPIC -shared -ldl -o amon.so amon.c
Finally move "amon.so" in the directory /lib:
mv ./amon.so /lib/
Installation is complete and all that remains is to load modules into Apache.
Depending on your configuration you must follow one of the following methods:
1)If your PHP is executed via mod_fcgid, open the wrapper that calls the PHP and insert the string "export LD_PRELOAD=amon.so" inside it. For instance:
#!/bin/sh export PHPRC=/etc/php5/cgi export LD_PRELOAD = amon.so exec /usr/lib/cgi-bin/php
After that reload apache2:
2) If the PHP interpreter works with Apache's suEXEC support, create a simple wrapper modifying your vhost configuration.
Add these directives:
ScriptAlias /php_amon/ "/usr/local/bin/" AddHandler php-script .php Action php-script /php_amon/php5-cgi
Create the file /usr/local/bin/php5-cgi and write in it:
#!/bin/sh export LD_PRELOAD=amon.so exec /path/of/the/real/php5 "[email protected]"
3) If you run PHP with libapache2-mod-php5, write in /etc/apache2/envvars the instruction
and reload the web service:
To check if the library is loaded, write in a file the following PHP code and call it with a web browser:
<?php phpinfo(); ?>
That's all, your PHP installation has been hardened and you're protected from any web-based backdoor (such as r57shell) and script kiddies! If an attacker tries to execute a command not allowed (such as /bin/bash), an alert will be generated and saved in the site's error log.This is the log format:
sh: command_name: command not found
These are the only commands that the webuser can execute:
If you want to add or delete some commands edit the variable "char * cmds " in the source code and recompile it.