[0:00] It turns out that if you just open a file, Vim could do a remote code execution. I know, my boy Vim has been caught. I'm not sure if it's possible to recover from learning that my personality, the love of my life, will allow people to get hacked. So, you know, I've got to yap about this one just a little bit. And of course, it turns out that Emacs might have something as well. And the big kind of M. Night Shyamalan part here is that Claude was the one that found both of them. We asked Claude to find a bug in Vim. It [0:31] found an RCE. Just open a file and you're owned. We joke, fine, we'll switch to Emacs. Then Claude found an RCE there, too. All right, so let's actually go over them, because it is shockingly interesting. I didn't know these things about Vim. All right, so here's an example file right here. This is a test2.ts file, and inside of it I just have this nice little test modeline. It has a 69 being returned. Nice. And over here, you can see right here, this is called my color column. It lets me know when I'm at 80 columns or longer. Now, I'm going [1:02] to open this, just test.ts. You'll notice that my color columns are right here. That is because the last line of the file, which by the way can be the first couple or the last couple, has this thing that says vim, and then actually has a command: hey, set the color column to 20. If I were to go set color column to, say, uh, 69, nice, it would move it over here. So upon opening this file, it actually executes these arbitrary commands that are right here. Now, normally this is completely safe. But if I open this file right here, it's not [1:33] safe. Well, it is safe for me because I actually use Neovim. I don't know if you know this, but, like, Neovim... but Vim, uh, the original, you know, the OG, this would actually cause a remote code execution. So, how this one works is actually pretty interesting.
So, I kind of spread it out so it's a little bit easier to see. So the first thing you need to know, I'll just do right here. If I highlight this line and press colon, it says, "Okay, here is a selection over this range that you've highlighted." If I do a bang, it says, "Okay, you can now [2:04] execute something on the command line from right here, and we'll pipe your highlighted selection onto the command line." So if I just pass in, uh, jq, it will actually execute jq with the contents of that line. And then jq of course prettifies it, and then it will send it back into my editor. Bada bing, bada boom. Free prettification. By the way, that means I can also highlight that thing, go right here, pass in -c, and it will compact it. So, what's happening here is first we say, hey, show the tab panel. Here's an example of the show tab right here. As you can see at the top, you have your vimrc, you have a new file, you have a [2:35] readme open. You can think of tabs pretty much like tabs you would have in VS Code or anything else. But, of course, Vim being Vim, you can actually set how the tab panel renders. Now, the special part about that is that the tab panel accepts this little special string right here, which will execute the insides of it as a command. So, if it starts off with a nice percent sign, open bracket, you can then do a command inside. And that's what we're doing. We're doing an autocommand. If you're not familiar with an autocommand, an autocommand just says, "Hey, when some action in Vim happens, [3:06] we will call a function for you, or we'll execute a command on your behalf." And you can kind of set them up that way. If I add, say, a bunch of whitespace on the end right here and hit save, that whitespace, well, it's gone. Autocommands. So, when this tab panel renders, it sets up a command that will fire off when SafeStateAgain executes. Now, SafeStateAgain is just when nothing is executing in Vim.
It's just like when you return to nothing happening. This will happen for all files. And the command right here will actually go out to the command line, get your current user ID. There's mine right [3:37] there. Isn't that beautiful? Look at that. You've got UID prime, you've got GID, you've got groups, you've got docker, input, wheel, and it's going to pipe this thing out to this location right here, tmp. And then it's just going to do it once and then unregister itself so it doesn't do it over and over again. Now, if I were using Vim and the correct version, this would actually cause this command to go and execute on the command line. So, you could actually send somebody a file, and when they opened it, this would just execute on their system. Thus, you could actually go and install [4:07] something. You could put a RAT, and we all know about RATs since that Axios hacking. This is crazy. I never even knew about modelines. I didn't even know that you could set styles or do actions or, you know, make Vim commands happen on a per-file basis. Personally, I have absolutely no idea why you would ever want to do that. But here we are. We can do that. Apparently, this has to be some sort of holdover from a time long ago, you know, the old days of yore, because I have never even heard of [4:38] this. I didn't even know this was a Vim feature. I kind of feel like I want to abuse it now, but it just... WHY WOULD ANYONE do this? I'm sure there's a perfectly good explanation. If you know one, please let me know. I just thought this was so interesting. I thought you would find it interesting, too. I just think it's even more crazy that the tab panel can actually execute an expression like that if you just start it off correctly. And so this entire thing is just so well-crafted. It just seems like such a ridiculous thing.
Yet this will allow somebody to curl [5:10] out, be able to download a script and then execute it, thus stealing all your credentials off your machine. So it is actually a very serious and actually real bug. But they first have to get you to open a file via Vim. I mean, so they might be able to hack, like, 25 people with this one, but it is serious. They could hack all 25 people with this one. So now, you remember that obviously they also went off to Emacs, and they're going to own Emacs next. Now this one I actually... I don't like. I don't find this one very cool. It is actually kind of, uh, ah, it's [5:42] kind of stupid. So the Vim one's scary, but the Emacs one is scary in its own kind of weird way, and it's not really an Emacs bug at all. So let me show you the gory details. So what ends up happening, if you look at the actual reproduction steps, is it requires you to download this tarball, and then you have to untar it, and then you have to go in here and open any file via Emacs within that project, and by just simply opening a file you get owned. So this sounds scary, right? Well, you can also get owned by [6:14] calling git status within that project. So what actually happens is that inside of this project there's a .git folder, and inside of that dot, uh, git folder there is a git config. So the exact contents of the config file look like this. You do core, and then like this, you do core and then fsmonitor, a. Now a is just an executable script, as you can see right here. It's just an executable script that shells out and adds a line to this tmp one. Now I've set this up myself right here. So every time I cat this out, you can see that it just keeps on getting longer, because [6:45] every single time it changes, something about the daemon of the git fsmonitor gets executed, letting you know something has changed. Thus, it keeps getting longer.
So when I call git status, it will actually get longer by a lot. So if I call this a whole bunch, then I can go like this, cat this bad boy out. Now it's actually really, really long. So that means whenever you make any sort of change, git could end up executing and doing something on your behalf that you don't even realize is happening. But I want you to notice something. Notice that I never once opened Emacs. So this entire thing right here is a bit of a farce. But it also [7:18] kind of reveals a really crazy insecurity, I guess, about Git. Something I've never known. If you ever download a project and inside of there is a .git folder, I would be a little nervous. I never realized this could actually happen. I can't believe it actually can happen. And that means somebody could have it so that if you just simply go into that folder, you get git to do a little bit of magic. Bada bing, bada boom, you could be had by just simply executing git status or having your, uh, [7:48] command line figure out what branch you're on. Not cool. This is not cool. I will say, at the end of this they kind of say, hey, they reported the bug to the maintainers and the maintainers declined to address the issue, attributing it to Git. There is something kind of weird about this. Like, this article is pretty cool that they found such an amazing bug in Vim, because honestly, super cool bug they found in Vim. But the one in Emacs, I mean, it evidently and obviously has nothing to do with Emacs. It has everything to do with Git. And this is one of the problems of this future we're kind of [8:20] living in, which is that people file bug reports without actually understanding how these things work. It is very, very obvious exactly how this works. And with just a couple seconds of thinking through this, you would go, "Oh, this is actually a core Git problem."
But it can only happen by overwriting a file that only gets created at initialization time, which means you're only susceptible to this if you actually download the entire directory and then go into it, because that would be the only way they could sneak in a config file. Which still, by the way, I still [8:50] don't... I don't necessarily feel comfortable. I feel like this one should still... like, this still feels like a problem with Git, but it certainly isn't a bug with Emacs. And this is the problem about giving people a really great tool: you can just inundate people who are maintaining software by reporting bugs that aren't even related to the software. Like, this happened to curl. This is why curl shut down their HackerOne stuff, because they kept getting slop bug after slop bug. And this just burns maintainers' time. And so the second one, I'm not going to lie to [9:22] you, I really didn't feel too good about seeing this one. But the first one, I'll still give it to you. The first one, that one was incredible. That one blew my mind, that you can actually do that from Vim. The name is the Vim. Hey, is that HTTP? Get that out of here. That's not how we order coffee. We order coffee via ssh terminal.shop. Yeah. You want a real experience? You want real coffee. You want awesome subscriptions so you never have to remember again. Oh, you want [9:52] exclusive blends with exclusive coffee and exclusive content? Then check out Cron. You don't know what SSH is? >> Well, maybe the coffee is not for you. Living the dream.