
Image: João Domingos
Security researcher João Domingos has published a comprehensive breakdown of a full exploit chain affecting the FiberGateway GR241AG router, used by over 1.6 million households in Portugal. What began as a personal DNS configuration frustration led to root access, remote code execution via public WiFi, and ultimately total device compromise.
Domingos’ journey began in 2020 with a simple goal: configure Pi-hole to filter DNS traffic. But the Meo-provided router locked down DNS settings. Instead of accepting defeat or buying new hardware, he went on a hacking odyssey: acquiring a second-hand GR241AG for €10, disassembling it, and ultimately achieving root access through the UART interface.
In one of the most cinematic moments of the research, Domingos describes how a nearby hard drive’s vibration unintentionally induced a fault injection during boot—dropping the device into a root shell:
“I was recovering files from an HDD disk, which was near the router. It seems that the HDD vibration did some kind of fault injection… When this occurred during boot, a segmentation fault would occur and the boot process would drop to a root shell.”
Using a USB drive, he dumped the router’s firmware and discovered cleartext admin credentials inside a library. This granted access to a restricted shell with new powers: firmware updates, DNS modifications, and traffic monitoring—even for public-facing MEO WiFi users.
The breakthrough came with the discovery of a parameter injection vulnerability in the tcpdump utility. With clever use of the -z and -G flags, Domingos crafted an exploit chain that allowed remote code execution without physical access—purely over the network.
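The defensive counterpart to this finding is strict argument validation before a restricted shell ever hands user input to tcpdump. The wrapper below is an added example, not code from the research or from Meo's firmware; the interface names, the permitted flag set and the wrapper itself are assumptions. Every option not on the allowlist is refused, which covers -z (post-rotate command), -G/-C (file rotation) and -w (write to file) without needing a blocklist that an attacker can work around with combined forms such as -zsh.

```python
import re
import subprocess

# Allowlist for a hypothetical diagnostics wrapper around tcpdump.
# Anything not listed is rejected, so -z, -G, -C, -w, -Z, -F and
# long options never reach the binary, whatever form they take.
ALLOWED_FLAGS = {"-n", "-nn", "-e", "-v", "-vv", "-q", "-t", "-tt"}
ALLOWED_WITH_VALUE = {"-i", "-c", "-s"}
ALLOWED_INTERFACES = {"br0", "eth0", "wl0"}   # constructed example names
FILTER_TOKEN = re.compile(r"^[A-Za-z0-9.:/\[\]()=]+$")  # one BPF filter word


class RejectedCommand(ValueError):
    """Raised when user-supplied arguments fall outside the allowlist."""


def validate_tcpdump_args(user_args):
    """Return a complete argv for tcpdump, or raise RejectedCommand."""
    argv = ["tcpdump"]
    i = 0
    while i < len(user_args):
        tok = user_args[i]
        if tok.startswith("-"):
            if tok in ALLOWED_FLAGS:
                argv.append(tok)
            elif tok in ALLOWED_WITH_VALUE:
                if i + 1 >= len(user_args):
                    raise RejectedCommand(f"{tok} needs a value")
                value = user_args[i + 1]
                if tok == "-i" and value not in ALLOWED_INTERFACES:
                    raise RejectedCommand(f"interface not permitted: {value}")
                if tok in ("-c", "-s") and not value.isdigit():
                    raise RejectedCommand(f"{tok} must be numeric: {value}")
                argv += [tok, value]
                i += 1
            else:
                # Any other option, including -z, -G, -w or "-zsh", is refused
                raise RejectedCommand(f"option not permitted: {tok}")
        elif FILTER_TOKEN.match(tok):
            argv.append(tok)  # plain filter word such as "port" or "53"
        else:
            # Shell metacharacters, spaces and quotes never pass this branch
            raise RejectedCommand(f"bad filter token: {tok!r}")
        i += 1
    return argv


def run_capture(user_args):
    """Run the validated argv directly; no shell re-parses the arguments."""
    return subprocess.run(validate_tcpdump_args(user_args), check=False)
```

Passing the validated list to subprocess without a shell matters as much as the allowlist: even a clean-looking argument must never be re-parsed by /bin/sh.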
Perhaps most concerning is the final step: full RCE through MEO WiFi, Meo’s default-enabled public network spanning Portugal.
By leveraging IPv6’s Neighbor Discovery Protocol (NDP), Domingos was able to identify the router’s internal IP address—even as it changed per reboot. Then, using the earlier tcpdump injection, he launched a reverse shell into the router:
“The full exploit chain would consist of the following: Connect to the MEO WiFi network, identify the IPv6 address by sending an ICMPv6 packet, SSH into the router, then exploit tcpdump to obtain a reverse shell.”
He even automated the process with Python scripts—one for the full exploit, and another to dump WPA2 keys from the private interface.
The implications of this exploit were vast:
- DNS hijacking
- Extraction of phone call history
- Network monitoring
- Local network device access
- WPA2 key theft
- Denial-of-service
All this, from within range of any public MEO WiFi signal.
Domingos responsibly disclosed the findings to Portugal’s Centro Nacional de Cibersegurança (CNCS), which contacted Meo’s CERT team. Within a week, remote RCE via MEO WiFi was mitigated. Other vulnerabilities were patched in the following months, though his access was revoked, preventing further validation.