A roadmap to $50,000 at Pwn2Own Vehicle 2024: Dissecting QNX, and exp…

…loiting its vulnerabilities

static/Automotive Security Timeline.json

@@ -1452,6 +1452,22 @@
         "year": "2023"
       },
       "group":"event"
+    },{
+      "media": {
+        "caption": "<a href=\"https://github.com/bink3R/slides/blob/main/POC2023/Readme.md\">A roadmap to $50,000 at Pwn2Own Vehicle 2024: Dissecting QNX and exploiting its vulnerabilities</a>",
+        "credit": "<a href=\"\"></a>",
+        "url": "static/images/QNX_BMP_PWN.png"
+      },
+      "text": {
+        "headline":"360的Pwn2Own 汽车专项赛路线图",
+        "text": "在POC2023安全会议上,来自 360 两位安全研究员Yingjie Cao、Zhe Jing 分享了名为 “A roadmap to $50,000 at Pwn2Own Vehicle 2024: Dissecting QNX, and exploiting its vulnerabilities” 的议题,对QNX进行全面剖析，深入探讨其架构、设计和整体安全态势;分享了对使用 QNX 作为信息娱乐系统的完整攻击链，利用的两个漏洞如下。<br><br>1. BMP 图片解析库 libimg.so.1 中因整数溢出漏洞在 memcpy 时引起栈溢出,通过将返回地址覆盖为 libc 上的 system 的地址，实现了任意命令执行。<br> 2. 内核态与用户态之间的消息传递函数 ker_msg_sendv 存在条件竞争漏洞 double-fetch,有时则表现为 TOCTOU,成功利用后从普通权限提升到了 Root 权限。" 
+      },
+      "start_date": {
+        "month": "10",
+        "day": "2",
+        "year": "2023"
+      },
+      "group":"vulnerability"
     }
   ]
 }