Comments on amon.so: Hijacking System Calls For Hardening PHP - Debian Lenny And Squeeze
amon.so: Hijacking System Calls For Hardening PHP - Debian Lenny And Squeeze
amon.so is a library that integrates with the PHP interpreter and intercepts and manipulates the system calls provided by libc6. It replaces the execve() syscall with a custom function which does extra sanity checking in order to prevent an attacker from executing arbitrary code on the system by exploiting a vulnerability in a web-based application (such as a buggy CMS). It's open-source software released under the terms of the GPL license and is compatible with PHP running as a CGI process or as Apache's DSO module.
13 Comment(s)
Comments
Does it work with CentOS?
added to the file /etc/sysconfig/httpd
export LD_PRELOAD=amon.so
but nothing happens, and phpinfo() shows nothing.
This library isn't bound to one specific Linux version, so it also works on CentOS.
Does your PHP run as a module or as CGI? Have you copied the file amon.so into /lib?
What do you mean by "crashes your VPS"?
Do you have an error message?
I've tested amon.so on various systems and it works properly.
This tutorial is great, however amon keeps crashing my VPS :(
Maybe because I'm testing it on OpenVZ?
Hi
Here is my amon.c File:
http://paste.pocoo.org/show/393679/
I have no idea how long this will be online. If someone has the possibility, please provide it in a permanent way.
The logging is very simple and ugly ;)
With these two variables the location and the name of the log file can be changed:
const char *acceptlog = "/var/log/amon/accept.log";
const char *rejectlog = "/var/log/amon/reject.log";
This will definitely slow down the code execution. I can not say how much, but every time the amon.so lib is used there is an extra disk write.
Don't forget to set the rights for the logging path. In a FastCGI environment every site logs with its own user, so I use 777. If the log file is not writable, the complete amon lib does not work anymore!
Also do not forget to add logrotate for the log files!
yogg
Hi Yogg,
Thanks a lot, your solution works just fine for me!
Regards,
Bob Davis
Found the problem.
amon.so works "recursively".
"/usr/bin/gm identify" uses "/usr/bin/gs".
The "LD_PRELOAD=amon.so" option is passed to all child processes. So whenever a process uses the "execve" command to start a child process, it is checked whether this process is in the allowed list.
In my case I have allowed "/usr/bin/gs" and everything works :)
I also have now implemented a very simple logging mechanism that logs all commands and if they are accepted or rejected.
So it's very easy for me to see if there should be more commands in the accept list.
yogg
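Since the thread asks how the accept/reject logging works and why LD_PRELOAD also checks the children that gm spawns, here is an added example of an execve() interposer in the spirit of amon.so. It is neither yogg's amon.c nor the original amon source; the allowlist entries, the log paths, the function name amon_is_allowed and the use of syscall(SYS_execve) instead of a saved libc pointer are all assumptions of this example.

```c
#define _GNU_SOURCE            /* for syscall() in <unistd.h> */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <time.h>
#include <unistd.h>
#include <sys/syscall.h>

/* Absolute paths PHP may spawn (constructed sample list). Children inherit
 * LD_PRELOAD via envp, so helpers they exec (gm -> gs) must be listed too. */
static const char *allowlist[] = { "/usr/bin/gm", "/usr/bin/gs", NULL };
/* Log locations; assumed paths, same names as in the comment above. */
static const char *acceptlog = "/var/log/amon/accept.log";
static const char *rejectlog = "/var/log/amon/reject.log";

/* Pure policy check: exact match against the allowlist. Relative paths are
 * rejected because they resolve against a cwd the attacker may control. */
int amon_is_allowed(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char **p = allowlist; *p != NULL; p++)
        if (strcmp(*p, path) == 0)
            return 1;
    return 0;
}

/* One line per decision; an unwritable log loses the record but never blocks. */
static void amon_log(const char *path, int allowed)
{
    FILE *f = fopen(allowed ? acceptlog : rejectlog, "a");
    if (f == NULL)
        return;
    fprintf(f, "%ld pid=%d %s %s\n", (long)time(NULL), (int)getpid(),
            allowed ? "ACCEPT" : "REJECT", path ? path : "(null)");
    fclose(f);
}

/* Interposed execve(): decide, log, then enter the kernel directly so the
 * replaced libc wrapper is never needed. Rejections surface as EACCES. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    int allowed = amon_is_allowed(path);
    amon_log(path, allowed);
    if (!allowed) {
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_execve, path, argv, envp);
}
```

Build it with `gcc -fPIC -shared -o amon_example.so amon_example.c`, then start PHP with `LD_PRELOAD` pointing at it; tail reject.log to find helpers that still need an allowlist entry.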
Hi Yogg,
Is there any possibility for you to share this logging mechanism? It would be very much appreciated!
Thanks!
Best Regards,
@yogg
How exactly did you implement the logging mechanism? Is there any chance for you to make this public? If so, would you mind pasting the difference and a little explainer? I would appreciate it very much.
Kind Regards,
Hi
I use this lib on my new apache server.
It works really fine, but something is strange.
It seems that it is not possible to execute "/usr/bin/gm identify /path/file" in the right way. If this command is executed there is no return value.
Without the extra lib the command works fine.
I have added a logging mechanism to see all commands. Also I have written an extra C file that uses the same command.
With the C file the "/usr/bin/gm identify /path/file" works without problems.
In PHP I get only 1 (for error) back :(
The command is used by Typo3 (4.5.2)
yogg
Good tips, I've written a PHP script to check all the additional security settings:
http://www.idontplaydarts.com/2011/02/hardening-and-securing-php-on-linux/
How to compile this on Debian 8 64-bit?
command: gcc -fPIC -shared -ldl -o amon.so amon.c
gives this and more errors:
/usr/include/x86_64-linux-gnu/bits/fcntl.h:40:5: error: unknown type name ‘__off_t’
-#define _FCNTL_H-#include <bits/fcntl.h>+#include <fcntl.h>
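Review bot: replacing the manual `#define _FCNTL_H` plus direct `#include <bits/fcntl.h>` with `#include <fcntl.h>` is the right fix, since `bits/fcntl.h` is a glibc-internal header that relies on `<fcntl.h>` having pulled in the type definitions (including `__off_t`) before it, and pre-defining `_FCNTL_H` only defeats the include guard, which is exactly the "unknown type name '__off_t'" error shown above. Worth adding a one-line comment in amon.c saying why the public header is used, so the internal include is not reintroduced when porting to the next Debian release.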