Capabilities are not interchangeable, nor are they all equal. This seems obvious, and yet not everyone agrees (apparently).
In this article about the six 0day exploits patched on June 7 2021, we have the following line:
Kevin Breen, director of cyber threat research at Immersive Labs, said elevation of privilege flaws are just as valuable to attackers as remote code execution bugs
This isn’t a direct quote, so I’ll assume that Khun BREEN said something less wrong. The fact of the matter is that local privilege escalation (LPE) vulnerabilities (and the resulting capabilities) are more numerous than remote code execution (RCE) vulnerabilities for a given system. As a general rule of thumb this is true, although there are doubtless exceptions.
Even the list of vulnerabilities in this Microsoft patch shows that the ratio of RCE to LPE is unequal: there is only one (1) RCE to four (4) LPEs, with one information disclosure bug alongside them.
– CVE-2021-33742 , a remote code execution bug in a Windows HTML component.
– CVE-2021-31955 , an information disclosure bug in the Windows Kernel
– CVE-2021-31956 , an elevation of privilege flaw in Windows NTFS
– CVE-2021-33739 , an elevation of privilege flaw in the Microsoft Desktop Window Manager
– CVE-2021-31201 , an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
– CVE-2021-31199 , an elevation of privilege flaw in the Microsoft Enhanced Cryptographic Provider
Although the ratio of 1:4 (RCE:LPE) is probably not the true ratio, it doesn’t feel wrong. Just as the value of gold is generally higher than silver, yet both are precious metals, so too is an RCE more valuable than an LPE. All things being equal, of course.
I suspect that Khun BREEN is thinking only about how ransomware hackers operate, and for them an RCE is unnecessary. They typically gain access through misconfigured systems, known credentials, or other basic techniques. Initial access brokers for ransomware do not need RCE exploits; they’re perfectly profitable just attacking weak networks.
But what is true for ransomware crews is not true for hackers in general, because ransomware is not a good model for hacker operations (nation state or otherwise).
It is almost always the case that: RCE is more valuable than LPE.