Research notes, exploit tools, and custom firmware config for the CenturyLink/Greenwave C4000XG router (Intel GRX500 SoC).
Full writeup: edz.art/lab-notes/greenwave-c4000xg-rooting
The C4000XG has a TR-069 command injection vulnerability that gives full root access from the WAN side with zero interaction. The default ACS connection uses plain HTTP with hardcoded QA credentials, and the IPPing diagnostic shells out via system() as uid 0 without sanitizing the Host parameter.
The automated exploit sends 4 TR-069 commands and gets a root shell in ~20 seconds.
tools/acs/
exploit.sh # Automated root exploit (WAN MITM → root SSH)
fake_acs.py # Minimal TR-069 ACS server for exploit delivery
c4000xg-config/ # prplWrt hardware enablement for C4000XG
centurylink_c4000xg.dts # Device tree source
files/etc/rc.local # WAN port (GPY111) init script
k3c.config # Kernel config
...
build/ # Custom kernel build system (Docker-based)
docs/ # Research notes
ROOT_EXPLOIT.md # Full exploit chain documentation
TR069_ACS_SETUP.md # ACS attack setup guide
HARDWARE_DIAGRAM.md # GRX500 SoC block diagram
C4000XG_MANAGEMENT_ANALYSIS.md # ISP management stack analysis
ZERO_CLICK_ANALYSIS.md # Zero-click attack surface
ATTACK_PLAN.md # Step-by-step attack methodology
OPENWRT_PORT_ASSESSMENT.md # Modern OpenWrt porting feasibility
PRPLWRT_INSTALL.md # prplWrt installation guide
| ID | Finding | Severity |
|---|---|---|
| CWE-78 | TR-069 IPPing command injection via system() |
Critical |
| CWE-319 | ACS connection over plain HTTP, no TLS | High |
| CWE-798 | Hardcoded ConnReq credentials (qacafe/qacafe123) |
High |
| CWE-295 | No certificate validation on ACS connection | High |
These findings were disclosed to the relevant parties prior to publication.
This research is published for educational and defensive security purposes.