When a process executes a setuid executable, all existing rights to the task port are invalidated, to make sure unauthorized processes do not retain control of the process. Exception handlers however remain installed, and when some kind of hardware exception occurs, the exception handler can receive a new right to the task port as one of its arguments, and thus regain full control over the process. Interestingly, the code to reset the exception handlers (and hence thwart this attack) upon exec() of a setuid executable has been present in the kernel since OSX 10.3, but is disabled (#if 0) for unspecified reasons.
CVE Link
Exploit Platform
Exploit Type
Product Name