Long story short: If a cookie is valid (HMAC signature matches what you'd expect given the cookie contents and your secret key), Rails (Rails 2) or Rack middleware (Rails 3) will attempt to use Marshal.load(txt) on the cookie contents to populate your session hash. You might naively assume that this creates a map of strings into other strings, but surprise, Marshal.load(txt) can create arbitrary object payloads and, through a code path which the margins of this comment are just slightly too thin to contain, allow you to do remote code execution.

See: http://www.exploit-db.com/exploits/27527/

This can be done in an entirely automated fashion and requires no knowledge of the application other than the session's secret key.