An Oracle DB user which has been granted CREATE ANY DIRECTORY can use that system privilege to grant themselves the SYSDBA system privilege by creating a DIRECTORY pointing to the password file location on the OS and then overwriting it with a previously prepared known binary password file using UTL_FILE.PUT_RAW from within the DB. This paper will show how the issue can be exploited and most importantly how to secure against it.
You can download it from the following link: https://packetstormsecurity.com/files/download/70873/create_any_directory_to_sysdba.pdf
Source: https://packetstormsecurity.com/files/70873/create_any_directory_to_sysdba.pdf.html