CVE-2021-31637
Description
An issue found in UwAmp v.1.1, 1.2, 1.3, 2.0, 2.1, 2.2, 2.2.1, 3.0.0, 3.0.1, 3.0.2 allows a remote attacker to execute arbitrary code via a crafted DLL.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Affected products
- UwAmp/UwAmp
Patches
Vulnerability mechanics
Root cause
"DLL hijacking due to the application loading the missing shfolder.dll from the current working directory instead of a safe system path."
Attack vector
An attacker places a malicious shfolder.dll in the same directory as the UwAmp.exe installer. When a victim runs UwAmp.exe, the application attempts to load shfolder.dll and, because the DLL is missing from the expected system location, it loads the attacker-supplied DLL from the current directory [ref_id=1]. This allows the attacker to execute arbitrary code with the privileges of the user running UwAmp, leading to privilege escalation on Windows [ref_id=1].
Affected code
The advisory identifies UwAmp.exe version 3.0.2 as the vulnerable binary [ref_id=1]. The specific code path is not detailed, but the vulnerability lies in the application's DLL loading behavior — it attempts to load shfolder.dll from the current directory rather than from a secure system path [ref_id=1].
What the fix does
The advisory does not include a patch or a fixed version. The recommended mitigation is to avoid loading DLLs from the current working directory [ref_id=1]. No official fix has been published for UwAmp as of the advisory date.
Preconditions
- input: Attacker must place a malicious shfolder.dll in the same directory as UwAmp.exe
- config: Victim must run UwAmp.exe from the directory containing the malicious DLL
- config: The application must be run on a Windows system where shfolder.dll is not already present in the search path
Reproduction
1. Use ProcMon to monitor file events.
2. Observe that shfolder.dll is missing from the current directory.
3. Place a malicious DLL named shfolder.dll in the same directory as the installer.
4. Run UwAmp.exe: the installer will load the malicious DLL, leading to arbitrary code execution and privilege escalation [ref_id=1].
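A defender-side check for this behaviour, as an added example that is not part of the advisory or of UwAmp's code: it scans a ProcMon CSV export for shfolder.dll being probed or loaded outside the Windows system directories. The sample rows, the user paths and the trusted-directory list are constructed assumptions.

```python
import csv
import io
import ntpath

# Directories system DLLs are expected to load from (assumed default install root).
TRUSTED_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64", r"c:\windows\winsxs")
# DLL names that should only resolve to a system directory; shfolder.dll is from the advisory.
SYSTEM_DLLS = {"shfolder.dll"}

# Constructed ProcMon CSV export (default columns), not captured from a real host.
SAMPLE_CSV = r'''"Time of Day","Process Name","PID","Operation","Path","Result","Detail"
"10:01:02.10","UwAmp.exe","4120","Load Image","C:\Users\alice\Downloads\UwAmp.exe","SUCCESS",""
"10:01:02.31","UwAmp.exe","4120","Load Image","C:\Windows\System32\kernel32.dll","SUCCESS",""
"10:01:02.44","UwAmp.exe","4120","CreateFile","C:\Users\alice\Downloads\shfolder.dll","NAME NOT FOUND",""
"10:07:15.02","UwAmp.exe","5332","CreateFile","C:\Users\alice\Downloads\shfolder.dll","SUCCESS",""
"10:07:15.05","UwAmp.exe","5332","Load Image","C:\Users\alice\Downloads\shfolder.dll","SUCCESS",""
"10:09:40.77","notepad.exe","6001","Load Image","C:\Windows\SysWOW64\shfolder.dll","SUCCESS",""
'''

def is_trusted(path):
    """True when the file sits under one of the trusted system directories."""
    folder = ntpath.dirname(ntpath.normpath(path)).lower()
    return any(folder == d or folder.startswith(d + "\\") for d in TRUSTED_DIRS)

def find_system_dll_sideloads(csv_text, system_dlls=SYSTEM_DLLS):
    """Return (kind, process, pid, path) for watched DLLs touched outside trusted dirs.

    kind is 'probe' when the process looked for the DLL there and it was absent
    (exposure), or 'loaded' when an image by that name was mapped from there.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        path = row["Path"]
        if ntpath.basename(path).lower() not in system_dlls or is_trusted(path):
            continue
        if row["Operation"] == "Load Image" and row["Result"] == "SUCCESS":
            kind = "loaded"
        elif row["Operation"] == "CreateFile" and row["Result"] == "NAME NOT FOUND":
            kind = "probe"
        else:
            continue
        findings.append((kind, row["Process Name"], int(row["PID"]), path))
    return findings

if __name__ == "__main__":
    for finding in find_system_dll_sideloads(SAMPLE_CSV):
        print(finding)
```

A `probe` finding marks exposure (the process searches an untrusted directory for the DLL); a `loaded` finding means a file by that name was actually mapped from there and should be triaged.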
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References