CVE-2006-3698

Oracle Database 10.1.0.5 - SQL Injection in Change Data Capture and Data Pump Metadata API

Title source: llm

Exploitation Summary

EIP tracks 3 public exploits for CVE-2006-3698. PoCs published by bunker, Joxean Koret.

AI-analyzed exploit summary: This Perl script exploits CVE-2006-3698 in Oracle Database 10g by leveraging a cursor injection vulnerability in KUPW$WORKER.MAIN to grant or revoke DBA privileges without requiring CREATE PROCEDURE privileges. It uses DBMS_SQL to execute arbitrary SQL commands via a crafted cursor, bypassing standard authorization checks.

Description

Multiple unspecified vulnerabilities in Oracle Database 10.1.0.5 have unknown impact and attack vectors, aka Oracle Vuln# (1) DB01 for Change Data Capture (CDC) component and (2) DB03 for Data Pump Metadata API. NOTE: as of 20060719, Oracle has not disputed a claim by a reliable researcher that DB01 is related to multiple SQL injection vulnerabilities in SYS.DBMS_CDC_IMPDP using the (a) IMPORT_CHANGE_SET, (b) IMPORT_CHANGE_TABLE, (c) IMPORT_CHANGE_COLUMN, (d) IMPORT_SUBSCRIBER, (e) IMPORT_SUBSCRIBED_TABLE, (f) IMPORT_SUBSCRIBED_COLUMN, (g) VALIDATE_IMPORT, (h) VALIDATE_CHANGE_SET, (i) VALIDATE_CHANGE_TABLE, and (j) VALIDATE_SUBSCRIPTION procedures, and that DB03 is for SQL injection in the MAIN procedure for SYS.KUPW$WORKER.

Exploits (3)

exploitdb WORKING POC VERIFIED
by bunker · perl · remote · multiple
https://www.exploit-db.com/exploits/3375

This Perl script exploits CVE-2006-3698 in Oracle Database 10g by leveraging a cursor injection vulnerability in KUPW$WORKER.MAIN to grant or revoke DBA privileges without requiring CREATE PROCEDURE privileges. It uses DBMS_SQL to execute arbitrary SQL commands via a crafted cursor, bypassing standard authorization checks.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 10g Enterprise Edition Release 10.1.0.3.0
Auth required
Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle installed
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by bunker · perl · remote · multiple
https://www.exploit-db.com/exploits/3358

This Perl script exploits CVE-2006-3698 in Oracle Database 10g by leveraging a SQL injection vulnerability in the KUPW$WORKER.MAIN function to grant or revoke DBA privileges to an unprivileged user. It creates a malicious function and triggers the vulnerability via a crafted SQL query.

Classification: Working PoC 100%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 10g Enterprise Edition Release 10.1.0.3.0
Auth required
Prerequisites: Valid Oracle database credentials · Network access to the Oracle database · Oracle InstantClient with DBD::Oracle installed
devstral-2 · analyzed Feb 18, 2026

exploitdb WORKING POC VERIFIED
by Joxean Koret · text · local · multiple
https://www.exploit-db.com/exploits/3178

This exploit leverages SQL injection in Oracle10g's KUPW$WORKER.MAIN function to grant DBA privileges to a user. It requires CREATE SESSION and CREATE PROCEDURE privileges to execute the malicious function.

Classification: Working PoC 95%
Attack Type: SQLi
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 10g R1 and R2 prior to CPU Oct 2006
Auth required
Prerequisites: CREATE SESSION privilege · CREATE PROCEDURE privilege
devstral-2 · analyzed Feb 16, 2026

References (18)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack
http://securitytracker.com/id?1016529
Mailing List mailing-list x_refsource_fulldisc
http://lists.grok.org.uk/pipermail/full-disclosure/2006-July/047994.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440439/100/0/threaded
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27889
Patch vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/19054
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27897
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21165
Third Party Advisory, VDB Entry vendor-advisory x_refsource_hp
http://www.securityfocus.com/archive/1/440758/100/100/threaded
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2947
US Government Resource third-party-advisory x_refsource_cert
http://www.us-cert.gov/cas/techalerts/TA06-200A.html
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/440440/100/0/threaded
Vendor Advisory third-party-advisory x_refsource_secunia
http://secunia.com/advisories/21111
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/27888
Vendor Advisory vdb-entry x_refsource_vupen
http://www.vupen.com/english/advisories/2006/2863

Scores

EPSS 0.0640
EPSS Percentile 92.8%

Details

Status published
Products (1)
oracle/database_server 10.1.0.5
Published Jul 21, 2006
Tracked Since Feb 18, 2026