UserNotificationCenter retains wheel privileges at execution time while still carrying the UID of the current user. Because of this, it will attempt to load any InputManager provided by the user, and code within that input manager runs with wheel privileges. In combination with diskutil and a wheel-writable setuid binary, this allows unprivileged users to gain root privileges.
See the Month of Apple Bugs release and the exploit. This issue can be abused by fully unprivileged users and triggered via any of the so-called 'crashes' (e.g. issues alleged to be 'denial of service'-only...).
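Two audit checks for the preconditions this advisory relies on (a setuid binary that is group-writable, and InputManager bundles not owned by root), added here as an example; this is not code from the Month of Apple Bugs release or its exploit. The InputManagers directory names and the use of `find -perm -4020` are assumptions of this example, not taken from the advisory.

```shell
#!/bin/sh
# Added audit helper, not from the MOAB advisory.
# Lists regular files under $1 that are both setuid (04000) and
# group-writable (0020): the "wheel-writable setuid binary" condition.
# -perm -4020 matches when ALL of those bits are set.
find_group_writable_setuid() {
    dir="$1"
    find "$dir" -type f -perm -4020 2>/dev/null
}

# Lists top-level entries (InputManager bundles) in directory $1 that are
# not owned by user $2. A bundle an ordinary user could write into is the
# planting point described above. Assumed standard locations:
# /Library/InputManagers and $HOME/Library/InputManagers.
find_foreign_inputmanagers() {
    dir="$1"
    owner="$2"
    [ -d "$dir" ] || return 0
    find "$dir" -mindepth 1 -maxdepth 1 ! -user "$owner" 2>/dev/null
}

# Example usage (run by hand; walking / is slow, so it is not called here):
#   find_group_writable_setuid /usr
#   find_foreign_inputmanagers /Library/InputManagers root
#   find_foreign_inputmanagers "$HOME/Library/InputManagers" root
```

Any path printed by the first function is a file whose contents a wheel member can replace while it keeps its setuid bit; any path printed by the second is a bundle that was not installed by root and deserves a look.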
A tribute to the Month of Browser Bugs, and especially to Matt Miller, HD Moore and Skywing.