The IP Multimedia Subsystem (IMS) enables telecom operators to deliver multimedia applications and voice traffic over IP transport. The Proxy Call Session Control Function (P-CSCF) is the first node in the IMS platform (figure 1) to interact with the User Equipment (UE) when a VoLTE call is initiated.
figure 1 – Placement of Proxy Call Session Control Function in IMS Platform
Identifying and compromising the Proxy Call Session Control Function with a VoLTE phone:
1) Initiate a call with a VoLTE phone and simultaneously open the phone's terminal to list the currently established sessions. It was possible to identify the IP address of the serving P-CSCF node, connected on port 5060 (figure 2).
figure 2 – Identifying P-CSCF node connected on port 5060 (SIP protocol)
2) The management consoles of an application server and of the Proxy Call Session Control Function application (figure 3 & figure 4) were found by performing a service scan on the identified IP address.
3) The application server, Oracle Glassfish, was found to be weakly configured and could be accessed using weak credentials (figure 5).
figure 5 – Access to Oracle Glassfish server using weak credentials
4) A reverse shell was triggered using a web shell, which gave root access to the P-CSCF node (figure 6).
figure 6 – Gained root access to P-CSCF (IMS)
After gaining access to the IMS platform, an attacker can compromise other core telecom components in the network.
To prevent such attacks, telecom operators should ensure traffic segregation between the user plane, control plane, and management plane. It is highly recommended to patch all core network elements with the latest security patches released by the vendor. Operators should also develop and implement minimum security guidelines before integrating nodes into the network.
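One way an operator could check the plane segregation recommended above on a node before integrating it, shown as an added example that is not part of the original article: it parses listening-socket output and flags any service reachable from a plane where policy does not allow it. The addressing plan, allowed-port policy and sample `ss` output are constructed assumptions.

```python
import ipaddress

# Assumed addressing plan (hypothetical values, not from the article).
PLANES = {
    "signalling": ipaddress.ip_network("10.10.0.0/24"),    # UE-facing SIP side
    "management": ipaddress.ip_network("192.168.50.0/24"),  # O&M network
}
# Assumed policy: TCP ports each plane may expose.
ALLOWED = {"signalling": {5060}, "management": {22, 4848, 8080}}
WILDCARDS = {"0.0.0.0", "::", "*"}

# Constructed sample of `ss -Htln` output (State Recv-Q Send-Q Local Peer).
SAMPLE_SS = """\
LISTEN 0 128 10.10.0.5:5060 0.0.0.0:*
LISTEN 0 128 0.0.0.0:4848 0.0.0.0:*
LISTEN 0 128 192.168.50.5:22 0.0.0.0:*
LISTEN 0 50 [::]:8080 [::]:*
LISTEN 0 128 10.10.0.5:8181 0.0.0.0:*
LISTEN 0 128 127.0.0.1:3700 0.0.0.0:*
"""

def parse_listeners(ss_output):
    """Yield (bind_address, port) for every LISTEN line."""
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, port = fields[3].rpartition(":")
        yield host.strip("[]").split("%")[0], int(port)

def planes_for(host):
    """Return the planes from which a bind address is reachable."""
    if host in WILDCARDS:
        return sorted(PLANES)  # a wildcard bind is exposed on every plane
    addr = ipaddress.ip_address(host)
    return [name for name, net in PLANES.items() if addr in net]

def audit(ss_output):
    """Return sorted (plane, bind_address, port) policy violations."""
    findings = []
    for host, port in parse_listeners(ss_output):
        if host not in WILDCARDS and ipaddress.ip_address(host).is_loopback:
            continue  # loopback-only listeners are not reachable remotely
        planes = planes_for(host) or ["unmapped"]
        findings += [(p, host, port) for p in planes
                     if port not in ALLOWED.get(p, set())]
    return sorted(findings)

if __name__ == "__main__":
    for plane, host, port in audit(SAMPLE_SS):
        print(f"VIOLATION plane={plane} bind={host} port={port}")
```

In the sample, the admin console bound to a wildcard address is reported as exposed on the signalling plane, which is the condition that let a handset reach a management interface in the walkthrough above.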
Hope you enjoyed reading, suggestions are always welcome.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer.