[candiodari]

What it does is this: RSA_public_decrypt verifies a signature on the client's (I think) host key by a fixed Ed448 key, and then if it verifies, passes the payload to system().

If you send a request to SSH to associate (agree on a key for private communications), signed by a specific private key, it will send the rest of the request to the "system" call in libc, which will execute it in bash.

So this is quite literally a "shellcode". Except, you know, it's on your system.

[Thorrez]

That sounds repayable though. If I did a tcpdump of the attacker attacking my system, I could replay that attack against someone other system. For it to not be replayable, there needs to be some challenge issued by the backdoored sshd.

Of course since the backdoor was never widely deployed and is now public, I think it's unlikely the attacker will attempt to use it. So whether it's replayable doesn't have a practical impact now. I'm only asking about replayability because I'm curious how it's unreplayable.