Jacob Bachmeyer wrote:
> [...] The preliminary reports that it was an RCE backdoor that would
> pass commands smuggled in public key material in SSH certificates to
> system(3) (as root of course, since that is sshd's context at that
> stage) are inconsistent with the slowdown that caused the backdoor to
> be discovered. I doubt that SSH logins were using that code path, and
> the SSH scanning botnets almost certainly are not presenting
> certificates, yet it apparently (reports have been unclear on this
> point) was the botnet scanning traffic that led to the discovery of
> sshd wasting considerable CPU time in liblzma...
> I am waiting for the proverbial other shoe to drop on that one.
I have been given
(<URL:https://www.openwall.com/lists/oss-security/2024/04/18/1>) a
satisfactory explanation for the inconsistency: OpenSSH sshd uses
exec(2) to reshuffle ASLR before accepting each connection, and the
backdoor blob's tampering with the dynamic linking process greatly
reduces the efficiency of ld.so on top of its own processing. The
observable wasted CPU time was the backdoor's excessively-complex
initialization, rather than any direct effect on sshd connection processing.
-- Jacob
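The explanation above (the cost sits in the dynamic-linking stage, which sshd repeats by re-exec'ing itself) can be checked directly rather than inferred from perf profiles. The script below is an added example, not code from the thread or from the xz or OpenSSH projects. It uses glibc's real `LD_DEBUG=statistics` facility, which makes ld.so print how many CPU cycles it spent loading and relocating a program before handing control to the program's own code; IFUNC resolvers run during relocation and are therefore included, while ELF constructors run afterwards and are not. The function names are this example's own, and it is only run against `/bin/true` here because which sshd invocation is safe to exec repeatedly depends on the local setup (the command is executed for real each time). On a non-glibc system the functions print nothing and return failure.

```shell
#!/bin/sh
# Added example (not from the thread): quantify the CPU that glibc's ld.so
# burns before a program's own code runs.  sshd re-execs itself per
# connection, so whatever this measures is paid again for every connection.

# Print one ld.so statistic (in CPU cycles) for a single exec of a command.
#   $1   label exactly as ld.so prints it, e.g.
#        "total startup time in dynamic loader" or "time needed for relocation"
#   $2.. the command and its arguments (it really runs; pick a harmless one)
ld_loader_stat() {
    label=$1; shift
    # ld.so writes its statistics to stderr; the program's stdout is dropped.
    LD_DEBUG=statistics "$@" 2>&1 >/dev/null \
        | sed -n "s/.*${label}: \([0-9][0-9]*\) cycles.*/\1/p" \
        | head -n 1
}

# Average "total startup time in dynamic loader" over N execs.  One warm-up
# exec is done first and not counted so page-cache misses do not dominate.
ld_startup_avg() {
    n=$1; shift
    ld_loader_stat "total startup time in dynamic loader" "$@" >/dev/null
    total=0; i=0
    while [ "$i" -lt "$n" ]; do
        c=$(ld_loader_stat "total startup time in dynamic loader" "$@")
        [ -n "$c" ] || return 1     # no statistics: not glibc, or exec failed
        total=$((total + c)); i=$((i + 1))
    done
    echo $((total / n))
}

# Loader start-up cost of a suspect binary relative to a baseline, as a
# percentage (100 = identical).  Extra work wired into the dynamic-linking
# stage shows up here even when the program itself does nothing afterwards.
#   usage: ld_startup_pct N suspect_cmd baseline_cmd   (single-word commands)
ld_startup_pct() {
    n=$1; suspect=$2; baseline=$3
    s=$(ld_startup_avg "$n" "$suspect") || return 1
    b=$(ld_startup_avg "$n" "$baseline") || return 1
    echo $((100 * s / b))
}

# Stand-alone demo: a binary compared against itself should print about 100.
ld_startup_pct 5 /bin/true /bin/true
```

For the case discussed in the thread, the comparison of interest is a suspect sshd (or any binary pulling in the affected liblzma through libsystemd) against the same binary linked against a clean liblzma, with the "time needed for relocation" figure pulled out separately via `ld_loader_stat`, since that is the phase in which symbol resolution happens.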