Google Web Designer Zip Slip Vulnerability Leading to Arbitrary File Write and Potential Privilege Escalation
Vulnerability
A Zip Slip vulnerability has been identified in Google Web Designer, allowing arbitrary file write and potential privilege escalation. The issue arises because the application does not properly validate file paths when extracting ZIP archives, so an archive whose entry paths contain `../` sequences can traverse out of the intended extraction directory. An attacker can exploit this by crafting a malicious ZIP file that, when imported into Google Web Designer, writes to sensitive locations on the user's system. If Google Web Designer is run with elevated privileges, the consequences can be more severe, such as malicious DLLs being written into system directories for DLL hijacking.
Impact
Exploitation of this vulnerability allows for arbitrary file writing, with the potential for privilege escalation if Google Web Designer is run as an administrator.
Reproduction
To reproduce this vulnerability, create a ZIP file containing a payload that exploits the Zip Slip vulnerability by writing to a file in a sensitive location, such as `C:\Temp\evil.txt`. Import this ZIP file into Google Web Designer by selecting 'Add custom component' and choosing the crafted ZIP file. Once imported, the file `evil.txt` will be created in the `C:\Temp\` directory, demonstrating the application's failure to properly sanitize file paths during ZIP extraction. If Google Web Designer is running with elevated privileges, the vulnerability could be escalated by writing files into `C:\Program Files\Google\Google Web Designer\`, injecting DLLs into `C:\Windows\System32\` for DLL hijacking, or placing batch scripts into the Startup folder for persistence.
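The path validation that the extraction step is missing can be sketched as follows. This is an added example, not Google Web Designer's code: the extraction root `DEST` and the function names are hypothetical, the archives are constructed in memory, and nothing is written to disk.

```python
import io
import ntpath  # Windows path rules, usable on any OS
import zipfile

# Hypothetical extraction root; the page does not say where components are unpacked.
DEST = r"C:\Users\demo\components"

def escapes(name: str, dest: str = DEST) -> bool:
    """Return True if ZIP entry `name` would be written outside `dest`."""
    drive, rest = ntpath.splitdrive(name)
    # Drive letters, UNC prefixes and rooted paths ignore the destination entirely.
    if drive or rest.startswith(("/", "\\")):
        return True
    root = ntpath.normpath(dest)
    # normpath collapses "..\" and "../" segments, so compare the final location.
    target = ntpath.normpath(ntpath.join(root, name))
    # commonpath compares whole components, so "components_evil" is not "components".
    return ntpath.commonpath([root, target]) != root

def plan_extraction(archive: bytes, dest: str = DEST) -> dict:
    """Map each entry to its target path; refuse the whole archive if any entry escapes."""
    with zipfile.ZipFile(io.BytesIO(archive)) as zf:
        names = zf.namelist()
    bad = [n for n in names if escapes(n, dest)]
    if bad:
        raise ValueError(f"entries escape {dest}: {bad}")
    return {n: ntpath.normpath(ntpath.join(dest, n)) for n in names}

def build_sample(names) -> bytes:
    """Build a constructed in-memory archive for exercising the check."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for n in names:
            zf.writestr(n, b"constructed sample content")
    return buf.getvalue()

if __name__ == "__main__":
    good = build_sample(["widget/manifest.json", "widget/js/../main.js"])
    print(plan_extraction(good))
    try:
        plan_extraction(build_sample(["widget/manifest.json", "../../evil.txt"]))
    except ValueError as err:
        print("rejected:", err)
```

Rejecting the whole archive, rather than skipping the offending entries, keeps a partially extracted component from being loaded.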
