by AshamedCaptain 43 days ago
It is weird to limit to "the same attack". Why does it even have to be the same attack? From the moment sshd loads your modified lib, you're literally running code with root privileges on the victim machine. You can literally run _any_ attack you wanted, with zero persistence. This is worse than an OpenSSH RCE.

Even in your own talk you basically admit this, so what are you doing here? If you think there's something here that everyone is missing but you don't, why not actually explain what it is?


I don't have any secret information! Folks were giving me a hard time about claiming that ifunc is central to this attack, and I would genuinely find it valuable to know that Jia Tan could have (for example) performed this attack against a musl-based distro.