CVE-2008-6065

Oracle Database Server <11g - Privilege Escalation


Exploitation Summary

EIP tracks 1 public exploit for CVE-2008-6065. PoCs published by Paul M. Wright.

AI-analyzed exploit summary: This exploit leverages the 'CREATE ANY DIRECTORY' privilege in Oracle Database to escalate privileges to SYSDBA by writing a malicious password file (PWDorcl.ora or orapworcl) using UTL_FILE. The payload contains a crafted Oracle password file that grants SYSDBA access.

Description

Oracle Database Server 10.1, 10.2, and 11g grants directory WRITE permissions for arbitrary pathnames that are aliased in a CREATE OR REPLACE DIRECTORY statement, which allows remote authenticated users with CREATE ANY DIRECTORY privileges to gain SYSDBA privileges by aliasing the pathname of the password directory, and then overwriting the password file through UTL_FILE operations, a related issue to CVE-2006-7141.

Exploits (1)

exploitdb · WORKING POC · VERIFIED
by Paul M. Wright · remote · multiple
https://www.exploit-db.com/exploits/32475


Classification: Working PoC 95%
Attack Type: LPE
Complexity: Moderate
Reliability: Reliable
Target: Oracle Database 10.1, 10.2, 11g
Auth required
Prerequisites: CREATE ANY DIRECTORY privilege · Ability to execute PL/SQL
devstral-2 · analyzed Feb 18, 2026

References (5)

Core References
Third Party Advisory, VDB Entry vdb-entry x_refsource_xf
https://exchange.xforce.ibmcloud.com/vulnerabilities/48814
Third Party Advisory, VDB Entry vdb-entry x_refsource_bid
http://www.securityfocus.com/bid/31738
Third Party Advisory, VDB Entry mailing-list x_refsource_bugtraq
http://www.securityfocus.com/archive/1/497286/100/0/threaded

Scores

EPSS 0.0604
EPSS Percentile 90.8%

Details

CWE: CWE-264
Status: published
Products (3):
oracle/database_server 10.1
oracle/database_server 10.2
oracle/database_server 11
Published: Feb 05, 2009
Tracked Since: Feb 18, 2026