Vim Has A 0-Day????
It turns out that if you just open a file, Vim could do a remote code execution. I know, my boy Vim has been caught. I'm not sure if it's possible to recover from learning that my personality, the love of my life, will allow people to get hacked. So, you know, I got to yap about this one just a little bit. And of course, it turns out that Emacs might have something as well. And the big kind of M. Night Shyamalan part here is that Claude was the one that found both of them. We asked Claude to find a bug in Vim. It found an RCE. Just open a file and you're owned. We joke, fine, we'll switch to Emacs. Then Claude found an RCE there, too.

All right, so let's actually go over them, 'cause it is shockingly interesting. I didn't know these things about Vim. All right, so here's an example file right here. This is a test2.typescript file. And inside of it, I just have this nice little test modeline. It has a 69 being returned. Nice. And over here, you can see right here, this is called my color column. It lets me know when I'm at 80 columns or longer. Now, I'm going to open this, just test.ts. You'll notice that my color columns are right here. That is because the last line of the file, which by the way can be the first couple or the last couple, has this thing that says vim, and then actually has a command: hey, set the color column to 20. If I were to go set color column to, say, 69, nice, it would move it over here. So upon opening this file, it actually executes these arbitrary commands that are right here. Now, normally this is completely safe. But if I open this file right here, it's not safe. Well, it is safe for me because I actually use Neovim. I don't know if you know this, but like Neovim's like... but Vim, the original, you know, the OG, this would actually cause a remote code execution.

So, how this one works is actually pretty interesting. So, I kind of spread it out so it's a little bit easier to see. So the first thing you need to know I'll just do right here. If I highlight this line, press colon, it says, "Okay, here is a selection over this range that you've highlighted." If I do a bang, it says, "Okay, you can now execute something on the command line from right here, and we'll pipe your highlighted selection onto the command line." So if I just say, pass in jq, it will actually execute jq with the contents of that line. And then jq of course prettifies it and then it will send it back into my editor. Bada bing, bada boom. Free prettification. By the way, that means I can also highlight that thing, go right here, pass in -c, and it will compact it.
So, what's happening here is first we say, hey, show the tab panel. Here's an example of the show tab right here. As you can see at the top, you have your vimrc, you have a new file, you have a README open. You can think of tabs pretty much like tabs you would have in VS Code or anything else. But, of course, Vim being Vim, you can actually set how the tab panel renders. Now, the special part about that is that with the tab panel, it actually accepts this little special string right here, which will execute the insides of it as a command. So, if it starts off with a nice percent sign, open bracket, you can then do a command inside. And that's what we're doing. We're doing an autocommand. If you're not familiar with an autocommand, an autocommand just says, "Hey, when some action in Vim happens, we will call a function for you or we'll execute a command on your behalf." And you can kind of set them up that way. If I add, say, a bunch of white space on the end right here, I hit save. That white space, well, it's gone. Autocommands. So, this tab panel, when it renders, it sets up a command that will fire off when SafeStateAgain executes.
Now, SafeStateAgain is just when nothing is executing in Vim. It's just like when you return to nothing happening. This will happen for all files. And the command right here will actually go out to the command line, get your current user ID. There's mine right there. Isn't that beautiful? Look at that. You got uid, prime, you got gid, you got groups, you got docker, input, wheel, and it's going to pipe this thing out to this location right here, temp. And then it's just going to do it once and then unregister itself so it doesn't do it over and over again. Now, if I were using Vim and the correct version, this would actually cause this command to go and execute on the command line. So, you could actually send somebody a file and when they opened it, this would just execute on their system. Thus, you could actually go and install something. You could put a RAT, and we all know about RATs since that Axios hack. This is crazy. I never even knew about modeline. I didn't even know that you could set styles or do actions or, you know, make Vim commands happen on a per-file basis. Personally, I have absolutely no idea why you would ever want to do that. But here we are. We can do that. Apparently, this has to be some sort of holdover from a time long gone, you know, the old days of yore, because I have never even heard of this. I didn't even know this was a Vim feature. I kind of feel like I want to abuse it now, but it just... IT, I, WHY WOULD ANYONE do this? I'm sure there's a perfectly good explanation. If you know one, please let me know.
I just thought this was so interesting. I thought you would find it interesting, too. I just think it's even more crazy that tab panel can actually execute an expression like that if you just start it off correctly. And so this entire thing is just so well crafted. It just seems like such a ridiculous thing. Yet this will allow somebody to curl out, be able to download a script and then execute it, thus stealing all your credentials off your machine. So it is actually a very serious and actually real bug. But they first have to get you to open a file via Vim. I mean, so they might be able to hack like 25 people with this one, but it is serious, they could hack all 25 people with this one.

So now you remember that obviously they also went off to Emacs and they're going to own Emacs next. Now this one I actually don't like. I don't find this one very cool. It is actually kind of, uh, it's kind of stupid. So the Vim one's scary, but the Emacs one is scary in its own kind of weird way, and it's not really an Emacs bug at all. So let me show you the gory details. So what ends up happening, if you look at the actual reproduction steps, is it requires you to download this tarball, and then you have to untar it, and then you have to go in here and open any file via Emacs within that project, and by just simply opening a file you get owned. So this sounds scary, right? Well, you can also get owned by calling git status within that project.
So what actually happens is that inside of this project there's a .git folder, and inside of that .git folder there is a git config. So the exact contents of the config file look like this. You do core, and then fsmonitor pointing at .git/a. Now a is just an executable script, as you can see right here. It's just an executable script that goes out and adds a line to this temp file. Now I've set this up myself right here. So every time I cat this out, you can see that it just keeps on getting longer, because every single time it changes, something about the daemon of the git fsmonitor gets executed, letting you know something has changed. Thus, it keeps getting longer. So when I call git status, it will actually get longer by a lot. So if I call this a whole bunch, then I can go like this, cat this bad boy out. Now it's actually really, really long. So that means whenever you make any sort of change, Git could end up executing and doing something on your behalf you don't even realize is happening. But I want you to notice something. Notice that I never once opened Emacs. So this entire thing right here is a bit of a farce. But it also kind of reveals a really crazy insecurity, I guess, about Git. Something I've never known. If you ever download a project and inside of there is a .git folder, I would be a little nervous. I never realized this could actually happen. I can't believe it actually can happen. And that means somebody could have it so that if you just simply go into that folder, you get Git to do a little bit of magic. Bada bing, bada boom, you could be had by just simply executing git status or having your command line figure out what branch you're on. Not cool. This is not cool.

I will say, at the end of this they kind of say, hey, they reported the bug to the maintainers and the maintainers declined to address the issue, attributing it to Git. There is something kind of weird about this. Like, this article is pretty cool that they found such an amazing bug in Vim, 'cause honestly, super cool bug they found in Vim. But the one in Emacs, I mean, it evidently and obviously has nothing to do with Emacs. It has everything to do with Git. And this is one of the problems of this future we're kind of living in, which is that people file bug reports without actually understanding how these things work. It is very, very obvious exactly how this works. And just a couple seconds of thinking through this, you would go, "Oh, this is actually a core Git problem." But it can only happen by overwriting a file that only gets created at initialization time, which means you're only susceptible to this if you actually download the entire directory and then go into it, because that would be the only way they could sneak in a config file. Which still, by the way, I don't necessarily feel comfortable with. This still feels like a problem with Git, but it certainly isn't a bug with Emacs. And this is the problem about giving people a really great tool: you can just inundate people who are maintaining software, reporting bugs that aren't even related to the software. Like, this happened to curl. This is why curl shut down their HackerOne stuff, because they kept getting slop bug after slop bug. And this just burns maintainers' time. And so the second one, I'm not going to lie to you, I really didn't feel too good about seeing this one. But the first one, I'll still give it to you. The first one, that one was incredible. That one blew my mind that you can actually do that from Vim.

The name is the Vime. Hey, is that HTTP? Get that out of here. That's not how we order coffee. We order coffee via ssh terminal.shop. Yeah. You want a real experience? You want real coffee. You want awesome subscriptions so you never have to remember again. Oh, you want exclusive blends with exclusive coffee and exclusive content? Then check out Cron. You don't know what SSH is?
>> Well, maybe the coffee is not for you.
Living the dream.
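As an added example, not code from the video or from any project it mentions: a small Python scanner a defender might run over a freshly extracted tarball before opening anything in it or running git inside it. It checks the two spots the video describes, Vim modelines within the default 5-line window at the top and bottom of each file (flagging `%{`/`%!` items and options that evaluate expressions, such as `tabpanel`) and `.git/config` for `core.fsmonitor` pointing at a script rather than `true`/`false`. `core.hooksPath` and `core.sshCommand` are my additions as further keys whose values Git runs; the option list and the sample files at the bottom are constructed for the example, not taken from the page.

```python
"""Scan a downloaded project tree for configuration that runs on open or on git status.

1. Vim applies ':set' arguments found after "vim:" in the first and last
   'modelines' lines (default 5).  Statusline-style options such as 'tabpanel'
   accept "%{expr}" items that are evaluated when the panel renders.
2. .git/config: core.fsmonitor set to a path makes git run that file on
   commands like "git status".  core.hooksPath / core.sshCommand are added
   here as further command-running keys (assumption of this example, not
   from the video).
"""
import re
from pathlib import Path

MODELINES = 5                                   # Vim's default 'modelines' window
MODELINE_RE = re.compile(r"(?:^|\s)(?:vim?|ex):\s*(.*)$")
EXPR_MARKERS = ("%{", "%!")                     # statusline items that evaluate expressions
EXPR_OPTIONS = {                                # options whose values are (or embed) expressions
    "tabpanel", "statusline", "tabline", "rulerformat", "titlestring", "iconstring",
    "foldexpr", "foldtext", "formatexpr", "includeexpr", "indentexpr", "balloonexpr",
}


def modeline_candidates(lines, window=MODELINES):
    """Yield (1-based line number, modeline body) for the lines Vim actually consults."""
    n = len(lines)
    for i in sorted(set(range(min(window, n))) | set(range(max(0, n - window), n))):
        m = MODELINE_RE.search(lines[i])
        if m:
            yield i + 1, m.group(1)


def modeline_settings(body):
    """Split "set a=1 b=2:" (space-separated, ends at ':') or "a=1:b=2" (colon-separated)."""
    body = body.strip()
    if re.match(r"se(t)?\s", body):
        parts = body.split(None, 1)
        return parts[1].split(":", 1)[0].split() if len(parts) == 2 else []
    return [s.strip() for s in body.split(":") if s.strip()]


def risky_modelines(text):
    """Return [(line_number, reason)] for modelines that can evaluate Vim expressions."""
    findings = []
    for lineno, body in modeline_candidates(text.splitlines()):
        reasons = set()
        if any(marker in body for marker in EXPR_MARKERS):
            reasons.add("contains a %{ or %! expression item")
        for setting in modeline_settings(body):
            name = re.match(r"[A-Za-z]+", setting)
            if name and name.group(0).lower() in EXPR_OPTIONS:
                reasons.add(f"sets expression-evaluating option '{name.group(0).lower()}'")
        if reasons:
            findings.append((lineno, "; ".join(sorted(reasons))))
    return findings


SECTION_RE = re.compile(r'^\[([^\s"\]]+)(?:\s+"([^"]*)")?\]$')
KEY_RE = re.compile(r"^([A-Za-z][A-Za-z0-9-]*)\s*=\s*(.*)$")


def parse_git_config(text):
    """Flatten a git config file into {'section[.subsection].key': value} (lower-cased keys).

    Minimal parser for the layout git writes itself; quoted values containing
    '#' or ';' are out of scope here.
    """
    cfg, section = {}, None
    for raw in text.splitlines():
        line = re.split(r"[#;]", raw, maxsplit=1)[0].strip()
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group(1).lower() + (f".{m.group(2)}" if m.group(2) else "")
        elif section and (m := KEY_RE.match(line)):
            cfg[f"{section}.{m.group(1).lower()}"] = m.group(2).strip().strip('"')
    return cfg


COMMAND_KEYS = {  # core.fsmonitor is the key from the video; the other two are this example's additions
    "core.fsmonitor": "run by git status/add/commit when set to a path",
    "core.hookspath": "hooks are loaded from this directory instead of .git/hooks",
    "core.sshcommand": "run in place of ssh on fetch and push",
}


def risky_git_config(text):
    """Return [(key, value, why)] for entries git would execute; fsmonitor=true/false is the built-in daemon."""
    cfg = parse_git_config(text)
    out = []
    for key, why in COMMAND_KEYS.items():
        value = cfg.get(key)
        if value is None or (key == "core.fsmonitor" and value.lower() in ("true", "false")):
            continue
        out.append((key, value, why))
    return out


def scan_tree(root):
    """Report risky modelines per file (excluding .git/) plus risky .git/config entries."""
    root = Path(root)
    report = {"modelines": {}, "git_config": []}
    for path in root.rglob("*"):
        if path.is_file() and ".git" not in path.parts:
            hits = risky_modelines(path.read_text(errors="replace"))
            if hits:
                report["modelines"][str(path.relative_to(root))] = hits
    git_cfg = root / ".git" / "config"
    if git_cfg.is_file():
        report["git_config"] = risky_git_config(git_cfg.read_text(errors="replace"))
    return report


# Constructed samples (not from the video): a benign modeline like the colorcolumn one,
# a modeline with a harmless constant expression in 'tabpanel', one outside the 5-line
# window, and two git configs.
SAFE_TS = "export const test = () => 69;\n\n// vim: set colorcolumn=20:\n"
RISKY_TS = "export const test = () => 69;\n// vim: set tabpanel=%{'demo'}:\n"
OUT_OF_WINDOW = "\n".join(["x = 1"] * 6 + ["# vim: set tabpanel=%{'demo'}:"] + ["y = 2"] * 6) + "\n"
GIT_CONFIG_SCRIPT = "[core]\n\trepositoryformatversion = 0\n\tfsmonitor = .git/a\n"
GIT_CONFIG_DAEMON = "[core]\n\tfsmonitor = true\n"
```

Run `scan_tree("path/to/extracted/tarball")` on a real tree; a clean result means only that none of these particular hooks are present, which is why the checks are kept narrow and named rather than reported as a verdict.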