diff --git a/static/Automotive Security Timeline.json b/static/Automotive Security Timeline.json
index 18507c6..8afcd2a 100755
--- a/static/Automotive Security Timeline.json
+++ b/static/Automotive Security Timeline.json
@@ -1452,6 +1452,22 @@
"year": "2023"
},
"group":"event"
+ },{
+ "media": {
+ "caption": "A roadmap to $50,000 at Pwn2Own Vehicle 2024: Dissecting QNX and exploiting its vulnerabilities",
+ "credit": "",
+ "url": "static/images/QNX_BMP_PWN.png"
+ },
+ "text": {
+ "headline":"360的Pwn2Own 汽车专项赛路线图",
+ "text": "在POC2023安全会议上,来自 360 两位安全研究员Yingjie Cao、Zhe Jing 分享了名为 “A roadmap to $50,000 at Pwn2Own Vehicle 2024: Dissecting QNX, and exploiting its vulnerabilities” 的议题,对QNX进行全面剖析,深入探讨其架构、设计和整体安全态势;分享了对使用 QNX 作为信息娱乐系统的完整攻击链,利用的两个漏洞如下。
1. BMP 图片解析库 libimg.so.1 中因整数溢出漏洞在 memcpy 时引起栈溢出,通过将返回地址覆盖为 libc 上的 system 的地址,实现了任意命令执行。
2. 内核态与用户态之间的消息传递函数 ker_msg_sendv 存在条件竞争漏洞 double-fetch,有时则表现为 TOCTOU,成功利用后从普通权限提升到了 Root 权限。"
+ },
+ "start_date": {
+ "month": "10",
+ "day": "2",
+ "year": "2023"
+ },
+ "group":"vulnerability"
}
]
}
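Review bot: In the added "text" value, the string appears to break across lines before the "1." and "2." items of the vulnerability list; if those are raw line breaks rather than an escaped `\n` or `<br>` markup, the string is not valid JSON and the timeline file will fail to parse, so escape them or use whatever line-break convention the existing entries use. Smaller points in the same entry: "credit" is left empty even though the text names the two speakers and the conference, and the talk title is punctuated differently in "caption" ("Dissecting QNX and exploiting") and in "text" ("Dissecting QNX, and exploiting"), so pick one form. The entry carries no source link, so it is worth confirming that "start_date" (month "10", day "2", year "2023") matches the date of the POC2023 talk, and that "vulnerability" is a group the timeline already defines, given that the preceding entry uses "event".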