amon.so: Hijacking System Calls For Hardening PHP - Debian Lenny And Squeeze

amon.so is a library that integrates with the PHP interpreter and intercepts and manipulates the system-call wrappers provided by libc6. It replaces the execve() call with a custom function that performs extra sanity checks, to prevent an attacker from executing arbitrary code on the system by exploiting a vulnerability in a web application (such as a buggy CMS). It is open-source software released under the terms of the GPL license and works with PHP running as a CGI process or as Apache's DSO module. The official website is http://www.lucaercoli.it/

Since the project is brand new, there are no prebuilt packages yet, so to use it you must download the source code and compile it.

To install the compiler (gcc) together with the development libraries and header files, open a terminal and run the following command:

apt-get install build-essential

Next, download the source code with wget:

wget http://www.lucaercoli.it/amon/amon.c

Now that you have everything you need, run this command to build the shared library:

gcc -fPIC -shared -ldl -o amon.so amon.c

Finally, move "amon.so" into the /lib directory:

mv ./amon.so /lib/

Installation is complete; all that remains is to have Apache load the library.

Depending on your configuration, follow one of these methods:

1) If PHP runs via mod_fcgid, open the wrapper script that launches PHP and add the line "export LD_PRELOAD=amon.so" to it. For instance:

#!/bin/sh
export PHPRC=/etc/php5/cgi
export LD_PRELOAD=amon.so
exec /usr/lib/cgi-bin/php

After that, restart apache2:

/etc/init.d/apache2 restart

2) If the PHP interpreter runs under Apache's suEXEC support, create a simple wrapper and adjust your vhost configuration.

Add these directives:

ScriptAlias /php_amon/ "/usr/local/bin/"
AddHandler php-script .php
Action php-script /php_amon/php5-cgi

Create the file /usr/local/bin/php5-cgi with the following contents:

#!/bin/sh
export LD_PRELOAD=amon.so
exec /path/of/the/real/php5 "$@"

Restart apache2:

/etc/init.d/apache2 restart

3) If you run PHP with libapache2-mod-php5, add to /etc/apache2/envvars the line

export LD_PRELOAD=amon.so

and restart the web service:

/etc/init.d/apache2 restart

To check that the library is loaded, put the following PHP code in a file, open it in a web browser, and look for LD_PRELOAD in the Environment section of the output:

<?php
phpinfo();
?>

That's all: your PHP installation has been hardened and you are protected from any web-based backdoor (such as r57shell) and from script kiddies! If an attacker tries to execute a command that is not allowed (such as /bin/bash), an alert is generated and saved in the site's error log. This is the log format:

sh: command_name: command not found

These are the only commands that the web user can execute:

"/usr/sbin/sendmail"
"/usr/lib/sendmail"
"/etc/alternatives/lib.sendmail"
"/usr/lib/sm.bin/sendmail"
"/usr/bin/mail"
"/bin/mv"
"/bin/rm"
"/usr/bin/unlink"
"/bin/rmdir"
"/bin/cp"
"/bin/date"
"/bin/bzip2"
"/bin/gunzip"
"/bin/gzip"
"/usr/bin/unzip"
"/bin/tar"
"/usr/bin/host"
"/usr/bin/file"
"/usr/bin/uptime"
"/bin/grep"
"/usr/bin/diff3"
"/bin/pwd"

To add or remove commands, edit the variable "char * cmds []" in the source code and recompile.
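As an added example, not the amon.c source, here is a minimal interposer in the same style: a preloaded execve() that compares the requested path against an exact-match allowlist and refuses everything else. The allowlist is a constructed subset of the list above, and chaining to the real syscall via syscall(SYS_execve, ...) is this example's choice; amon.c is built with -ldl and may resolve the real execve differently.

```c
/* mini_amon.c (added example, not amon.c). Build and load it with:
 *   gcc -fPIC -shared -o mini_amon.so mini_amon.c
 *   export LD_PRELOAD=/lib/mini_amon.so
 * Because the preloaded object defines execve(), the dynamic linker
 * resolves PHP's execve() calls to this function before libc's. */
#define _GNU_SOURCE
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <sys/syscall.h>
#include <unistd.h>

extern long syscall(long number, ...);   /* glibc prototype, stated for strict -std modes */

/* Absolute paths the web user may still execute (constructed subset of the article's list). */
static const char *const allowed_cmds[] = {
    "/usr/sbin/sendmail", "/usr/bin/mail", "/bin/mv", "/bin/rm", "/bin/cp",
    "/bin/date", "/bin/gzip", "/bin/tar", "/bin/grep", "/bin/pwd",
    NULL
};

/* Returns 1 if path is exactly one of the allowed absolute paths, else 0.
 * Exact string comparison (not a prefix check) means "/bin/pwd/../bash"
 * and relative names such as "pwd" are rejected as well. */
int amon_cmd_allowed(const char *path)
{
    if (path == NULL || path[0] != '/')
        return 0;
    for (const char *const *p = allowed_cmds; *p != NULL; p++)
        if (strcmp(path, *p) == 0)
            return 1;
    return 0;
}

/* Interposed execve(). A denied command is logged to stderr, which Apache
 * normally writes to the error log, and fails with EACCES so the calling
 * script just sees an ordinary exec failure. An allowed command is passed
 * to the real kernel entry point without going back through libc. */
int execve(const char *path, char *const argv[], char *const envp[])
{
    if (!amon_cmd_allowed(path)) {
        fprintf(stderr, "mini_amon: blocked execve of %s\n", path ? path : "(null)");
        errno = EACCES;
        return -1;
    }
    return (int)syscall(SYS_execve, path, argv, envp);
}
```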
