SECURITY ADVISORY: Blindly Running Macros Read from a File You Just Downloaded Considered Harmful
No duh.
I’m going to come clean right off the bat. The title of this post is my half-hearted attempt at clickbait: what you are about to read can’t reasonably be described as a security issue. It barely even qualifies as advice, in that the thing I intend to demonstrate you should NEVER DO is something you didn’t have any plans to do in the first place.
It’s really more of a fun curiosity, and yet another entry in my series of weird things you can do with macros.
As regular readers will be aware, in Vim a macro is just a series of keystrokes, and when you record one it is stored into an alphabetical register, from the same set of named registers that can be used for yank-and-put.[1]
As such, it’s possible to type a macro into a file, yank it, and play it back like a regular, recorded macro.
So, without further ado, here’s one I tapped out earlier:
9jyyjp3kg?GyG@0
To load the macro, type yW to yank it.
Then type @0 to play it back.
yf
Duryc
ivfhny
7wsdu"nly3y"NlyDd
7Tt?ww"Nljhh@n
If you don’t fancy typing that in by hand, here’s a copy you can download. (0.25 KB)
The next step is to open this in a fresh copy of Vim, using -u NONE to ensure none of your PESKY user configuration messes up the usual behaviours (it also skips Vim’s own defaults.vim, so the stock key mappings are in effect) and -N because this isn’t the 70s:

vim -Nu NONE insecure.txt
Then enter yW to yank the WORD on the first line.
And then DO NOT UNDER ANY CIRCUMSTANCES type @0 to run the macro you just yanked.
Okay fine, you want to live dangerously? Run it. The whole point of this post is to DEMONSTRATE something you shouldn’t do. If I just TELL you why you shouldn’t do it that’s a BORING LECTURE. The demonstration will be a lot more FUN if you actually do it.[2]
But before you do, take a look at the macro on the first line. What does it look like it does? Does it look… nefarious? I mean, it’s just a few characters, right? It surely can’t do much. I’m sure you can just ignore that stuff at the bottom of the file.
What’s that? I’ve made you nervous now and you actually don’t think you should run it after all? Fine, here’s a recording of me running it. (In the recording I first type :set showcmd. This is merely to make it easier to see as I type in the other commands, and isn’t required for the macro to function.)

So what did the macro do? IT EXECUTED A SHELL COMMAND(!!!)
In this instance, it simply ran :!ls and listed the contents of my .vim directory (or if you ran it yourself, your Downloads folder), but it could very easily have done literally anything else. The possibilities are endless and terrifying!
If you’d like to understand how the macro ran :!ls[3], then you might like to start by typing the commands from the first line, slowly, and looking at what has just landed in register 0 with :registers 0 after each yank.[4]
But the lesson, I hope, is clear.
Don’t Run Macros Read from Files You Just Downloaded from the Internet.[5]
Yes, that applies to Neovim users too. The only reason this particular macro doesn’t work in Neovim is because I wanted to use Q (which enters Ex mode, where commands are typed without the leading colon) to obfuscate the fact that the macro is going to run command-line commands without having to include a colon in the file. This is LITERALLY the only use for the Q command, and as such Neovim and Vim’s default.vim map it to something more useful instead. (“Playback the last-recorded register” and gq, respectively.) Note that the -u NONE above skips defaults.vim, which is why Q still drops you into Ex mode in that fresh Vim.
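The check a practitioner actually wants before yanking anything out of a file like this is to read all of it, not just the first line, and to read the rot13 image of every line too, because g? is a one-keystroke way of hiding Q and ! in plain sight. The scanner below is an added example, not code from the post; it does not run Vim, it only reads text. The file it scans is constructed here in the same shape as the post’s file (an innocent-looking first line, some instructions, then a rot13’d payload further down); it is my own sample, not the post’s file, and it goes a little further than the post by also flagging non-printing characters such as an embedded Escape, which an editor will not show you.

```python
"""Scan a text file for Vim keystrokes that could reach the shell.

Added example (not part of the original post, and it does not run Vim).
It does the reading a cautious person would do before yanking a line
from a downloaded file and hitting @0: look at every line, not just the
first one, and at the rot13 image of every line too, because g? is a
one-keystroke way to hide "Q" and "!" in plain sight.
"""
import codecs
import re

# Keystroke fragments worth a second look. Q enters Ex mode in stock Vim
# (no vimrc, no defaults.vim), where "!cmd" runs a shell command without
# the leading colon that :! needs. These are deliberately broad; the
# scanner's job is to make you read, not to decide for you.
PATTERNS = {
    # :!cmd, :r !cmd, :w !cmd, or "!cmd" straight after Q / at line start
    "shell-bang": re.compile(r"(?:^|[:Q])\s*(?:r(?:ead)?|w(?:rite)?)?\s*!"),
    "ex-mode": re.compile(r"Q"),                # Q: enter Ex mode
    "rot13": re.compile(r"g\?"),                # g?: rot13 filter (obfuscation tell)
    "reg-exec": re.compile(r"@[0-9a-z\"@:]"),   # @x: replay a register as keystrokes
}


def rot13(text: str) -> str:
    """What g? would turn this text into (rot13 is its own inverse)."""
    return codecs.decode(text, "rot_13")


def control_chars(line: str) -> list[str]:
    """Non-printing characters: the usual way to smuggle <Esc> or <CR> into a macro."""
    return [f"\\x{ord(c):02x}" for c in line if ord(c) < 0x20 or ord(c) == 0x7F]


def scan_line(line: str) -> dict[str, list[str]]:
    """Pattern names hit by the raw line and by its rot13 image, plus control chars."""
    hits: dict[str, list[str]] = {}
    for form, text in (("raw", line), ("rot13", rot13(line))):
        names = [name for name, rx in PATTERNS.items() if rx.search(text)]
        if names:
            hits[form] = names
    ctl = control_chars(line)
    if ctl:
        hits["control"] = ctl
    return hits


def scan(text: str) -> list[tuple[int, dict[str, list[str]]]]:
    """(line number, hits) for every line that tripped something."""
    return [
        (n, hits)
        for n, line in enumerate(text.splitlines(), 1)
        if (hits := scan_line(line))
    ]


def unsafe(text: str) -> bool:
    """True if any line, anywhere in the file, is worth worrying about."""
    return bool(scan(text))


# Constructed sample in the same shape as the post's file: an innocent-
# looking first line, instructions, then a rot13'd payload further down.
# It is input for the scanner, not the post's file, and not for feeding to Vim.
SAMPLE = "\n".join([
    "2jg?GyG@0",                               # innocent-looking first line
    "To load the macro, type yW to yank it.",  # instructions
    "D!yf",                                    # rot13 of "Q!ls"
    "ivfhny",                                  # rot13 of "visual"
    "ihi\x1b",                                 # an embedded <Esc> an editor won't show
]) + "\n"

if __name__ == "__main__":
    for lineno, hits in scan(SAMPLE):
        print(f"line {lineno}: {hits}")
    print("verdict:", "DO NOT RUN" if unsafe(SAMPLE) else "nothing obvious")
```

A hit on any line is a reason not to run line 1, which is the whole point: the innocent-looking first line only reads the rest of the file and hands it to @0. The patterns are intentionally noisy (a capital Q in ordinary prose trips ex-mode, and the instruction line "Then type @0" trips reg-exec), and a clean result is not proof of safety; it only means nothing obvious was found, so you still have to read the file.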
1. Yes I know everyone else in the entire world even people-that-use-Vim call it copy-and-paste. I WILL MAKE FETCH HAPPEN.
2. I promise nothing bad will actually happen, IN THIS ONE INSTANCE.[6]
3. When, I note, the file contains neither a colon, nor an exclamation point, nor the text ls.
4. If you still can’t figure it out, hit me up on Mastodon or Bluesky or send me an email and I’ll GLEEFULLY walk you through it.
5. Except, of course, ones you’ve downloaded from this site, which are as innocuous as a little baby lamb gambolling in the springtime sunshine.
6. …and also for all the other macros from this site. See footnote №5.[7]
7. Don’t run ones from anywhere else though!!!