by rwmj
38 days ago
$500 isn't worth my time and I don't trust you'd pay up. But for anyone who wants to attempt to get him to pay up, here are three simple approaches:

(A1) In a POSIX constructor function in liblzma, set an alarm(2) for a few seconds later (once sshd has fully loaded). (A2) In the alarm callback locate the original function that was patched using dlfcn, and mmap a page of modified code over the top that calls the exploit.

Or: (B1) POSIX constructor function, call clone(2) to start a background thread. (B2) In the background thread, sleep for a little, then patch the code as in A2 above.

Or: (C1) POSIX constructor function that completely replaces the sshd process with a workalike that contains the exploit.

In A & B, for OSes (not Linux) that deny mmap, you'll need to find a struct or stack frame used by the function and work out how to adjust the data it uses or find a function pointer and exploit that.