UserNotificationCenter retains wheel privileges at execution time, and still has a UID associated with the current user. Because of this, it will attempt to run any InputManager provided by the user. Code within the input manager will run under wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
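A defensive audit for the two ingredients named above (a group-writable setuid binary and user-supplied input managers), as an added example that is not part of the original advisory. The function names and the per-user Library/InputManagers location are assumptions not stated on the page; the group defaults to wheel.

```shell
#!/bin/sh
# Added example: audit for two preconditions the advisory names.
# Assumptions: the group defaults to "wheel"; input managers live under
# <home>/Library/InputManagers (per-user location, not stated on the page).

# Print setuid regular files under ROOT that belong to GROUP and are
# group-writable. Any member of GROUP can replace their contents.
audit_setuid_group_writable() {
    root=$1
    group=${2:-wheel}
    # -perm -4000: setuid bit set; -perm -0020: group write bit set.
    find "$root" -xdev -type f -group "$group" \
        -perm -4000 -perm -0020 -print 2>/dev/null || true
}

# Print input manager bundles installed in per-user Library folders
# below HOMES (for example /Users). Depth 4 is
# HOMES/<user>/Library/InputManagers/<bundle>.
list_user_input_managers() {
    homes=$1
    find "$homes" -mindepth 4 -maxdepth 4 \
        -path '*/Library/InputManagers/*' -print 2>/dev/null || true
}

# Run as: sh audit.sh <root-to-scan> <homes-dir>
if [ "$#" -ge 2 ]; then
    echo "setuid files writable by group wheel:"
    audit_setuid_group_writable "$1"
    echo "per-user input managers:"
    list_user_input_managers "$2"
fi
```

Each path printed by the first function is a candidate for removing group write permission (chmod g-w) after confirming nothing legitimate depends on it.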
Update: updated exploit (fat binaries are now used, so the exploit should work on a system without Xcode and related developer tools; source code is provided to avoid the usual FUD about alleged 'root kits' and nonsense), release information, etc. KF worked hard on getting stuff up due to connectivity issues. He deserves a thumbs-up from everyone.