CVE-2008-3984

Oracle Database <11.1.0.6 - Info Disclosure

Title source: llm

Exploitation Summary

EIP tracks 2 public exploits for CVE-2008-3984. PoCs published by sh2kerr, including Metasploit module auxiliary/sqli/oracle/lt_removeworkspace.

AI-analyzed exploit summary This exploit leverages SQL injection in Oracle 10g's SYS.LT.REMOVEWORKSPACE to grant DBA privileges to the SCOTT user and execute arbitrary OS commands via extproc. It copies msvcrt.dll to bypass extproc restrictions and creates a new OS user.

Description

Unspecified vulnerability in the Workspace Manager component in Oracle Database 9.2.0.8, 9.2.0.8DV, 10.1.0.5, 10.2.0.3, and 11.1.0.6 allows remote authenticated users to affect confidentiality and integrity, related to SYS.LT and WMSYS.LT, a different vulnerability than CVE-2008-3982 and CVE-2008-3983.

Exploits (2)

exploitdb WORKING POC VERIFIED

by sh2kerr · textlocalmultiple

https://www.exploit-db.com/exploits/7675

View Code ZIP pw:eip

This exploit leverages SQL injection in Oracle 10g's SYS.LT.REMOVEWORKSPACE to grant DBA privileges to the SCOTT user and execute arbitrary OS commands via extproc. It copies msvcrt.dll to bypass extproc restrictions and creates a new OS user.

Classification

Working Poc 100%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database 10g (10.1.0.5.0)

Auth required

Prerequisites: Valid Oracle database credentials · Access to SYS.LT package · File system write permissions for DLL copying

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1505 - Server Software Component T1203 - Exploitation for Client Execution

devstral-2 · analyzed Feb 16, 2026 Full analysis →

metasploit WORKING POC

rubypoc

https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/sqli/oracle/lt_removeworkspace.rb

View Code ZIP pw:eip

This Metasploit module exploits a SQL injection vulnerability in Oracle DB's SYS.LT.REMOVEWORKSPACE procedure. It creates a malicious function and executes arbitrary SQL commands via base64-encoded payloads, granting elevated privileges to the attacker.

Classification

Working Poc 95%

Attack Type

Sqli

Complexity

Moderate

Reliability

Reliable

Target: Oracle Database (versions affected by CVE-2008-3984)

Auth required

Prerequisites: Execute privilege on SYS.LT package · Valid database credentials

MITRE ATT&CK

T1189 - Drive-by Compromise T1505 - Server Software Component

devstral-2 · analyzed Feb 16, 2026 Full analysis →

References (5)

Core 5

Core References

Third Party Advisory, VDB Entry vdb-entry x_refsource_xf

https://exchange.xforce.ibmcloud.com/vulnerabilities/45887

Vendor Advisory x_refsource_confirm

http://www.oracle.com/technetwork/topics/security/cpuoct2008-100299.html

Permissions Required third-party-advisory x_refsource_secunia

http://secunia.com/advisories/32291

Third Party Advisory, VDB Entry vdb-entry x_refsource_sectrack

http://www.securitytracker.com/id?1021050

Not Applicable vdb-entry x_refsource_vupen

http://www.vupen.com/english/advisories/2008/2825

Scores

EPSS 0.4270

EPSS Percentile 98.5%

Details

Status published

Products (5)

oracle/database_10g 10.1.0.5

oracle/database_10g 10.2.0.3

oracle/database_11i 11.1.0.6

oracle/database_9i 9.2.0.8

oracle/database_9i 9.2.0.8dv

Published Oct 14, 2008

Tracked Since Feb 18, 2026